Benchmark: VPC
Description
This section contains recommendations for configuring VPC resources.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-aws-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select VPC.
Run this benchmark in your terminal:
powerpipe benchmark run aws_compliance.benchmark.all_controls_vpc
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_compliance.benchmark.all_controls_vpc --share
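To gate a CI pipeline on this benchmark, run it with --output json and walk the result tree for controls in alarm or error. The script below is an added example and is not part of the mod; the result layout it assumes (nested groups, each control carrying per-resource results with status, reason and resource) is the author's understanding of the Powerpipe JSON output, and the sample document, control ids, ARNs and account number are constructed.

```python
import json
import sys

# Constructed sample shaped like `powerpipe benchmark run ... --output json`
# (assumed layout; control ids, ARNs and the account number are made up).
SAMPLE_JSON = json.dumps({
    "group_id": "aws_compliance.benchmark.all_controls_vpc",
    "title": "VPC",
    "groups": [],
    "controls": [
        {"control_id": "aws_compliance.control.vpc_flow_logs_enabled",
         "title": "VPC flow logs should be enabled",
         "results": [
             {"status": "alarm", "reason": "vpc-0a1b2c3d flow logging disabled.",
              "resource": "arn:aws:ec2:us-east-1:111122223333:vpc/vpc-0a1b2c3d"},
             {"status": "ok", "reason": "vpc-0e5f6a7b flow logging enabled.",
              "resource": "arn:aws:ec2:us-east-1:111122223333:vpc/vpc-0e5f6a7b"}]},
        {"control_id": "aws_compliance.control.vpc_default_sg_restricts_all_traffic",
         "title": "VPC default security group should not allow inbound and outbound traffic",
         "results": [
             {"status": "alarm", "reason": "sg-0123abcd default SG has 2 rule(s).",
              "resource": "arn:aws:ec2:us-east-1:111122223333:security-group/sg-0123abcd"}]},
    ],
})


def walk_controls(group):
    """Yield every control in a benchmark result group, recursing into sub-groups."""
    for control in group.get("controls", []):
        yield control
    for sub in group.get("groups", []):
        yield from walk_controls(sub)


def failing_results(report_json, fail_on=("alarm", "error")):
    """Return (control_id, resource, status, reason) for every per-resource
    result whose status is in fail_on; a non-empty list means the gate fails."""
    report = json.loads(report_json)
    failures = []
    for control in walk_controls(report):
        for result in control.get("results", []):
            if result.get("status") in fail_on:
                failures.append((control["control_id"], result.get("resource"),
                                 result["status"], result.get("reason")))
    return failures


if __name__ == "__main__":
    # Pipe the benchmark output in; with no stdin, fall back to the constructed sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_JSON
    failures = failing_results(data)
    for control_id, resource, status, reason in failures:
        print(f"{status.upper():5} {control_id} {resource}: {reason}")
    sys.exit(1 if failures else 0)
```

Typical invocation: powerpipe benchmark run aws_compliance.benchmark.all_controls_vpc --output json | python gate.py, which exits non-zero when any VPC control has a resource in alarm or error.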
Controls
- VPC should be configured to use VPC endpoints
- VPC default security group should not allow inbound and outbound traffic
- VPC EIPs should be associated with an EC2 instance or ENI
- VPC endpoint services should have acceptance required enabled
- VPC flow logs should be enabled
- VPC gateway endpoints should restrict public access
- VPC internet gateways should be attached to authorized vpc
- VPCs should exist in multiple regions
- Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389
- VPC network access control lists (network ACLs) should be associated with a subnet
- VPCs should be in use
- VPCs peering connection should not be allowed in cross account
- VPCs peering connection route tables should have least privilege
- VPC route table should restrict public access to IGW
- VPC Security groups should only allow unrestricted incoming traffic for authorized ports
- VPC security groups should restrict ingress from 0.0.0.0/0 or ::/0 to cassandra ports 7199 or 9160 or 8888
- VPC security groups should restrict ingress from 0.0.0.0/0 or ::/0 to memcached port 11211
- VPC security groups should restrict ingress from 0.0.0.0/0 or ::/0 to mongoDB ports 27017 and 27018
- VPC security groups should restrict ingress from 0.0.0.0/0 or ::/0 to oracle ports 1521 or 2483
- VPC security groups should be associated with at least one ENI
- VPC security groups should restrict uses of 'launch-wizard' security groups
- Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports
- Ensure no security groups allow ingress from ::/0 to remote server administration ports
- Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports
- VPC security groups should restrict ingress CIFS access from 0.0.0.0/0 and ::/0
- VPC security groups should restrict ingress access on ports 20, 21, 22, 3306, 3389, 4333 from 0.0.0.0/0
- VPC security groups should restrict ingress Kafka port access from 0.0.0.0/0
- VPC security groups should restrict ingress kibana port access from 0.0.0.0/0
- Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389
- VPC security groups should restrict ingress redis access from 0.0.0.0/0
- VPC security groups should restrict ingress SSH access from 0.0.0.0/0
- VPC security groups should restrict ingress TCP and UDP access from 0.0.0.0/0
- Security groups should not allow unrestricted access to ports with high risk
- Unused EC2 security groups should be removed
- VPC subnet auto assign public IP should be disabled
- VPCs subnets should exist in multiple availability zones
- VPCs should have both public and private subnets configured
- Both VPN tunnels provided by AWS Site-to-Site VPN should be in UP status