Benchmark: 500.07 Access Privileges and Management
Description
As part of its cybersecurity program, based on the Covered Entity’s Risk Assessment each Covered Entity shall limit user access privileges to Information Systems that provide access to Nonpublic Information and shall periodically review such access privileges.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-aws-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select 500.07 Access Privileges and Management.
Run this benchmark in your terminal:
powerpipe benchmark run aws_compliance.benchmark.nydfs_23_500_07
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_compliance.benchmark.nydfs_23_500_07 --share
Controls
- DMS replication instances should not be publicly accessible
- EBS snapshots should not be publicly restorable
- EC2 instances should be in a VPC
- EC2 instances should not have a public IP address
- ECS task definition container definitions should be checked for host mode
- EMR cluster Kerberos should be enabled
- EMR cluster master nodes should not have public IP addresses
- ES domains should be in a VPC
- IAM password policies for users should have strong configurations
- IAM groups should have at least one user
- IAM policy should not have statements with admin access
- IAM root user should not have access keys
- IAM user access keys should be rotated at least every 90 days
- IAM users should be in at least one group
- IAM user should not have any inline or attached policies
- Ensure IAM policies are attached only to groups or roles
- IAM user credentials that have not been used in 90 days should be disabled
- Lambda functions should be in a VPC
- Lambda functions should restrict public access
- OpenSearch domains should be in a VPC
- RDS DB instances should prohibit public access
- RDS snapshots should prohibit public access
- Redshift clusters should prohibit public access
- S3 bucket policy should prohibit public access
- S3 buckets should prohibit public read access
- S3 buckets should prohibit public write access
- S3 public access should be blocked at account level
- SageMaker notebook instances should not have direct internet access
- Secrets Manager secrets should have automatic rotation enabled
- Secrets Manager secrets should be rotated as per the rotation schedule
- SSM documents should not be public
- VPC internet gateways should be attached to authorized vpc
- VPC route table should restrict public access to IGW
- VPC subnet auto assign public IP should be disabled
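Each control above is backed by a SQL query that Powerpipe runs against Steampipe's AWS tables and grades per resource. The query below is an added illustration of that pattern for the "IAM user access keys should be rotated at least every 90 days" control; it is not the mod's own query, and it assumes the Steampipe AWS plugin's aws_iam_access_key table with the user_name, access_key_id, status, create_date and account_id columns.

```sql
-- Illustrative control query (added example, not taken from steampipe-mod-aws-compliance).
-- Powerpipe expects each row to carry a resource identifier, a status
-- ('ok', 'alarm', 'info', 'skip' or 'error') and a human-readable reason.
-- Assumed table: aws_iam_access_key (Steampipe AWS plugin).
select
  user_name || '/' || access_key_id as resource,
  case
    -- Inactive keys cannot be used, so rotation age is not in scope for them.
    when status <> 'Active' then 'skip'
    -- Active keys older than the 90-day rotation window raise an alarm.
    when create_date <= now() - interval '90 days' then 'alarm'
    else 'ok'
  end as status,
  user_name || ' key ' || access_key_id || ' is ' || lower(status)
    || ' and ' || extract(day from now() - create_date)::int || ' days old.' as reason,
  account_id
from
  aws_iam_access_key
order by
  status, user_name;
```

Rows in alarm identify the exact key to rotate; the skip status keeps already-deactivated keys from cluttering the report while they await deletion.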