Benchmark: BP02 Enforce encryption in transit
Description
Enforce your defined encryption requirements based on your organization's policies, regulatory obligations and standards to help meet organizational, legal, and compliance requirements. Only use protocols with encryption when transmitting sensitive data outside of your virtual private cloud (VPC). Encryption helps maintain data confidentiality even when the data transits untrusted networks. All data should be encrypted in transit using secure TLS protocols and cipher suites. Network traffic between your resources and the internet must be encrypted to mitigate unauthorized access to the data. Network traffic solely within your internal AWS environment should be encrypted using TLS wherever possible.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-aws-well-architected
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select BP02 Enforce encryption in transit.
Run this benchmark in your terminal:
powerpipe benchmark run aws_well_architected.benchmark.well_architected_framework_sec09_bp02
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_well_architected.benchmark.well_architected_framework_sec09_bp02 --share
Controls
- ELB application load balancers should drop invalid HTTP headers
- ELB application load balancers should redirect HTTP requests to HTTPS
- Elasticsearch domain node-to-node encryption should be enabled
- API Gateway stages should use an SSL certificate
- OpenSearch domains node-to-node encryption should be enabled
- OpenSearch domains should use HTTPS
- CloudFront distributions should encrypt traffic to custom origins
- CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins
- ELB listeners should use secure SSL ciphers
- S3 buckets should enforce SSL
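As an added illustration of the last control (example code written for this page, not the mod's own query), the check below decides whether an S3 bucket policy denies requests that do not arrive over TLS, which is what "enforce SSL" means in practice. Both sample policies are constructed; the mod's actual SQL may apply additional rules, and resource scoping is deliberately not verified here.

```python
import json

# Constructed sample policies (not from the page). The first denies every
# request that does not arrive over TLS; the second never mentions
# aws:SecureTransport, so the control would flag that bucket.
ENFORCING_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
    "Action": "s3:*",
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})
NON_ENFORCING_POLICY = json.dumps({"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/reader"},
    "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"}})

def _as_list(value):
    """IAM lets most fields be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _principal_is_everyone(principal):
    """True for Principal "*" or {"AWS": "*"}, i.e. the deny covers all callers."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))

def statement_denies_insecure_transport(stmt):
    """A statement enforces TLS when it denies all S3 actions to every
    principal whenever aws:SecureTransport is false. Resource scoping is
    assumed correct and not verified here (simplification)."""
    if stmt.get("Effect") != "Deny" or not _principal_is_everyone(stmt.get("Principal")):
        return False
    if "s3:*" not in _as_list(stmt.get("Action")):
        return False
    bool_cond = stmt.get("Condition", {}).get("Bool", {})
    # The condition value may be the string "false" or a JSON boolean.
    return str(bool_cond.get("aws:SecureTransport", "")).lower() == "false"

def bucket_policy_enforces_ssl(policy_json):
    """Return True if a bucket policy (JSON string, possibly empty) contains a
    statement denying non-TLS access. A bucket with no policy fails the check."""
    if not policy_json:
        return False
    statements = _as_list(json.loads(policy_json).get("Statement"))
    return any(statement_denies_insecure_transport(s) for s in statements)

if __name__ == "__main__":
    for name, policy in (("enforcing", ENFORCING_POLICY), ("non-enforcing", NON_ENFORCING_POLICY), ("no policy", "")):
        print(f"{name}: {'ok' if bucket_policy_enforces_ssl(policy) else 'alarm'}")
```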