Benchmark: 3.13.5 Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks
Description
Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones (DMZs). DMZs are typically implemented with boundary control devices and techniques that include routers, gateways, firewalls, virtualization, or cloud-based technologies.
Usage
Install the mod:
mkdir dashboardscd dashboardspowerpipe mod initpowerpipe mod install github.com/turbot/steampipe-mod-aws-complianceStart the Powerpipe server:
steampipe service startpowerpipe serverOpen http://localhost:9033 in your browser and select 3.13.5 Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
Run this benchmark in your terminal:
powerpipe benchmark run aws_compliance.benchmark.nist_800_171_rev_2_3_13_5Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_compliance.benchmark.nist_800_171_rev_2_3_13_5 --shareControls
- DMS replication instances should not be publicly accessible
- EBS snapshots should not be publicly restorable
- EC2 instances should be in a VPC
- EC2 instances should not have a public IP address
- ELB application load balancers should be drop HTTP headers
- ELB application load balancers should redirect HTTP requests to HTTPS
- ELB application load balancers should have Web Application Firewall (WAF) enabled
- ELB classic load balancers should use SSL certificates
- ELB classic load balancers should only use SSL or HTTPS listeners
- EMR cluster master nodes should not have public IP addresses
- ES domains should be in a VPC
- Elasticsearch domain node-to-node encryption should be enabled
- Lambda functions should be in a VPC
- Lambda functions should restrict public access
- RDS DB instances should prohibit public access
- RDS snapshots should prohibit public access
- Redshift cluster encryption in transit should be enabled
- Redshift clusters should prohibit public access
- S3 buckets should enforce SSL
- S3 bucket policy should prohibit public access
- S3 buckets should prohibit public read access
- S3 buckets should prohibit public write access
- S3 public access should be blocked at account level
- SageMaker notebook instances should not have direct internet access
- VPC default security group should not allow inbound and outbound traffic
- VPC internet gateways should be attached to authorized vpc
- VPC security groups should restrict ingress access on ports 20, 21, 22, 3306, 3389, 4333 from 0.0.0.0/0
- VPC security groups should restrict ingress SSH access from 0.0.0.0/0
- VPC security groups should restrict ingress TCP and UDP access from 0.0.0.0/0
- Logging should be enabled on AWS WAFv2 regional and global web access control list (ACLs)