Benchmark: 3.1.3e Employ [Assignment: organization-defined secure information transfer solutions] to control information flows between security domains on connected systems
Description
Organizations employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations within systems and between connected systems. Flow control is based on the characteristics of the information and/or the information path. Enforcement occurs, for example, in boundary protection devices that employ rule sets or establish configuration settings that restrict system services, provide a packet-filtering capability based on header information, or provide a message-filtering capability based on message content. Organizations also consider the trustworthiness of filtering and inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Transferring information between systems in different security domains with different security policies introduces the risk that the transfers violate one or more domain security policies. In such situations, information owners or information stewards provide guidance at designated policy enforcement points between connected systems. Organizations mandate specific architectural solutions when required to enforce logical or physical separation between systems in different security domains. Enforcement includes prohibiting information transfers between connected systems, employing hardware mechanisms to enforce one-way information flows, verifying write permissions before accepting information from another security domain or connected system, and implementing trustworthy regrading mechanisms to reassign security attributes and labels.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-aws-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select 3.1.3e Employ [Assignment: organization-defined secure information transfer solutions] to control information flows between security domains on connected systems.
Run this benchmark in your terminal:
powerpipe benchmark run aws_compliance.benchmark.nist_800_172_3_1_3_e
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_compliance.benchmark.nist_800_172_3_1_3_e --share
Controls
- API Gateway stages should use an SSL certificate
- Auto Scaling launch config public IP should be disabled
- DMS replication instances should not be publicly accessible
- EBS snapshots should not be publicly restorable
- EC2 instances should be in a VPC
- EC2 instances should not have a public IP address
- ELB application load balancers should be configured with defensive or strictest desync mitigation mode
- ELB application load balancers should be configured to drop HTTP headers
- ELB application load balancers should redirect HTTP requests to HTTPS
- ELB application and network load balancers should only use SSL or HTTPS listeners
- ELB classic load balancers should be configured with defensive or strictest desync mitigation mode
- ELB classic load balancers should use SSL certificates
- ELB classic load balancers should only use SSL or HTTPS listeners
- EMR cluster master nodes should not have public IP addresses
- ES domains should be in a VPC
- Elasticsearch domain node-to-node encryption should be enabled
- Lambda functions should be in a VPC
- Lambda functions should restrict public access
- OpenSearch domains should use HTTPS
- OpenSearch domains should be in a VPC
- OpenSearch domain node-to-node encryption should be enabled
- RDS DB instances should prohibit public access
- RDS snapshots should prohibit public access
- Redshift cluster encryption in transit should be enabled
- AWS Redshift enhanced VPC routing should be enabled
- Redshift clusters should prohibit public access
- S3 buckets should enforce SSL
- S3 buckets should prohibit public read access
- S3 buckets should prohibit public write access
- S3 public access should be blocked at account level
- S3 public access should be blocked at bucket levels
- SageMaker notebook instances should not have direct internet access
- SSM documents should not be public
- VPC default security group should not allow inbound and outbound traffic
- VPC route table should restrict public access to IGW
- VPC Security groups should only allow unrestricted incoming traffic for authorized ports
- VPC security groups should restrict ingress access on ports 20, 21, 22, 3306, 3389, 4333 from 0.0.0.0/0
- VPC security groups should restrict ingress SSH access from 0.0.0.0/0
- VPC subnet auto assign public IP should be disabled
- Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389