Benchmark: 1.2.1.b Examine firewall and router configurations to verify that inbound and outbound traffic is limited to that which is necessary for the cardholder data environment
Description
Examination of all inbound and outbound connections allows for inspection and restriction of traffic based on the source and/or destination address, thus preventing unfiltered access between untrusted and trusted environments. This prevents malicious individuals from accessing the entity's network via unauthorized IP addresses or from using services, protocols, or ports in an unauthorized manner (for example, to send data they've obtained from within the entity's network out to an untrusted server). Implementing a rule that denies all inbound and outbound traffic that is not specifically needed helps to prevent inadvertent holes that would allow unintended and potentially harmful traffic in or out.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-aws-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select 1.2.1.b Examine firewall and router configurations to verify that inbound and outbound traffic is limited to that which is necessary for the cardholder data environment.
Run this benchmark in your terminal:
powerpipe benchmark run aws_compliance.benchmark.pci_dss_v321_requirement_1_2_1_b
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_compliance.benchmark.pci_dss_v321_requirement_1_2_1_b --share
Controls
- Auto Scaling launch config public IP should be disabled
- DMS replication instances should not be publicly accessible
- EBS snapshots should not be publicly restorable
- ES domains should be in a VPC
- Lambda functions should be in a VPC
- Lambda functions should restrict public access
- RDS DB instances should prohibit public access
- RDS snapshots should prohibit public access
- Redshift clusters should prohibit public access
- S3 buckets should prohibit public read access
- S3 buckets should prohibit public write access
- SageMaker notebook instances should not have direct internet access
- VPC default security group should not allow inbound and outbound traffic
- VPC internet gateways should be attached to authorized vpc
- Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389
- VPC route table should restrict public access to IGW
- VPC security groups should restrict ingress SSH access from 0.0.0.0/0
- VPC security groups should restrict ingress TCP and UDP access from 0.0.0.0/0
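As an added illustration of how one of the controls above is evaluated (this is example code written for this page, not the mod's own query), the following Steampipe query flags security groups with an ingress rule from the internet that covers TCP port 22, in the ok/alarm shape Powerpipe controls return. It assumes the Steampipe AWS plugin's aws_vpc_security_group and aws_vpc_security_group_rule tables and their column names; a "deny all not specifically needed" posture, as the description requires, is what keeps this result at ok.

```sql
-- Added example, not part of the steampipe-mod-aws-compliance mod.
-- Assumes the Steampipe AWS plugin tables aws_vpc_security_group and
-- aws_vpc_security_group_rule with the column names used below.
with ssh_open_rules as (
  select
    group_id,
    count(*) as num_open_ssh_rules
  from
    aws_vpc_security_group_rule
  where
    type = 'ingress'
    -- any-source rule, IPv4 or IPv6
    and (cidr_ipv4 = '0.0.0.0/0' or cidr_ipv6 = '::/0')
    and (
      -- "all traffic" rule: protocol -1 carries no port range
      (ip_protocol = '-1' and from_port is null)
      -- or a TCP port range that includes 22
      or (ip_protocol = 'tcp' and from_port <= 22 and to_port >= 22)
    )
  group by
    group_id
)
select
  sg.arn as resource,
  case
    when r.group_id is null then 'ok'
    else 'alarm'
  end as status,
  case
    when r.group_id is null
      then sg.group_id || ' does not allow SSH ingress from the internet.'
    else sg.group_id || ' has ' || r.num_open_ssh_rules
      || ' rule(s) allowing SSH ingress from the internet.'
  end as reason,
  sg.region,
  sg.account_id
from
  aws_vpc_security_group as sg
  left join ssh_open_rules as r on sg.group_id = r.group_id;
```

Run it with `steampipe query` against the same connection the benchmark uses; a group that matches the "all traffic" branch is reported even though it never names port 22 explicitly.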