Benchmark: EC2
Overview
This section contains recommendations for configuring EC2 resources and options.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-aws-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select EC2.
Run this benchmark in your terminal:
powerpipe benchmark run aws_compliance.benchmark.foundational_security_ec2
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_compliance.benchmark.foundational_security_ec2 --share
Controls
- 1 Amazon EBS snapshots should not be public, determined by the ability to be restorable by anyone
- 2 VPC default security groups should not allow inbound or outbound traffic
- 3 Attached EBS volumes should be encrypted at rest
- 4 Stopped EC2 instances should be removed after a specified time period
- 6 VPC flow logging should be enabled in all VPCs
- 7 EBS default encryption should be enabled
- 8 EC2 instances should use IMDSv2
- 9 EC2 instances should not have a public IP address
- 10 Amazon EC2 should be configured to use VPC endpoints
- 15 EC2 subnets should not automatically assign public IP addresses
- 16 Unused network access control lists should be removed
- 17 EC2 instances should not use multiple ENIs
- 18 Security groups should only allow unrestricted incoming traffic for authorized ports
- 19 Security groups should not allow unrestricted access to ports with high risk
- 20 Both VPN tunnels for an AWS Site-to-Site VPN connection should be up
- 21 Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389
- 23 EC2 Transit Gateways should not automatically accept VPC attachment requests
- 24 Paravirtual EC2 instance types should not be used
- 25 Amazon EC2 launch templates should not assign public IPs to network interfaces
- 51 EC2 Client VPN endpoints should have client connection logging enabled