Benchmark: 500.02(b)(2)
Description
The cybersecurity program shall be based on the Covered Entity’s Risk Assessment and designed to perform the following core cybersecurity functions: use defensive infrastructure and the implementation of policies and procedures to protect the Covered Entity’s Information Systems, and the Nonpublic Information stored on those Information Systems, from unauthorized access, use or other malicious acts.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-aws-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select 500.02(b)(2).
Run this benchmark in your terminal:
powerpipe benchmark run aws_compliance.benchmark.nydfs_23_500_02_b_2
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_compliance.benchmark.nydfs_23_500_02_b_2 --share
Controls
- API Gateway stage should be associated with WAF
- DMS replication instances should not be publicly accessible
- EBS snapshots should not be publicly restorable
- EC2 instances should be in a VPC
- EC2 instances should not have a public IP address
- EC2 instances should use IMDSv2
- ELB application load balancers should have Web Application Firewall (WAF) enabled
- EMR cluster Kerberos should be enabled
- EMR cluster master nodes should not have public IP addresses
- ES domains should be in a VPC
- IAM password policies for users should have strong configurations
- IAM groups should have at least one user
- IAM policy should not have statements with admin access
- IAM root user hardware MFA should be enabled
- IAM root user MFA should be enabled
- IAM root user should not have access keys
- IAM users with console access should have MFA enabled
- IAM users should be in at least one group
- IAM user MFA should be enabled
- IAM user should not have any inline or attached policies
- Ensure IAM policies are attached only to groups or roles
- Lambda functions should be in a VPC
- Lambda functions should restrict public access
- OpenSearch domains should be in a VPC
- RDS DB instances should prohibit public access
- RDS snapshots should prohibit public access
- Redshift clusters should prohibit public access
- S3 bucket policy should prohibit public access
- S3 buckets should prohibit public read access
- S3 buckets should prohibit public write access
- S3 public access should be blocked at account level
- SageMaker notebook instances should not have direct internet access
- SSM documents should not be public
- VPC default security group should not allow inbound and outbound traffic
- VPC internet gateways should be attached to authorized VPC
- VPC route table should restrict public access to IGW
- VPC security groups should only allow unrestricted incoming traffic for authorized ports
- VPC security groups should restrict ingress access on ports 20, 21, 22, 3306, 3389, 4333 from 0.0.0.0/0
- VPC security groups should restrict ingress SSH access from 0.0.0.0/0