Benchmark: 11.3.1.1: All other applicable vulnerabilities (those not ranked as high-risk vulnerabilities or critical vulnerabilities according to the entity's vulnerability risk rankings)
Description
All vulnerabilities, regardless of criticality, provide a potential avenue of attack and must therefore be addressed periodically, with the vulnerabilities that expose the most risk addressed more quickly to limit the potential window of attack.
Usage
Install the mod:
mkdir dashboardscd dashboardspowerpipe mod initpowerpipe mod install github.com/turbot/steampipe-mod-aws-complianceStart the Powerpipe server:
steampipe service startpowerpipe serverOpen http://localhost:9033 in your browser and select 11.3.1.1: All other applicable vulnerabilities (those not ranked as high-risk vulnerabilities or critical vulnerabilities according to the entity's vulnerability risk rankings).
Run this benchmark in your terminal:
powerpipe benchmark run aws_compliance.benchmark.pci_dss_v40_requirement_11_3_1_1Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_compliance.benchmark.pci_dss_v40_requirement_11_3_1_1 --shareControls
- GuardDuty should be enabled
- SSM managed instance patching should be compliant
- VPC flow logs should be enabled
- VPC security groups should restrict ingress access on ports 20, 21, 22, 3306, 3389, 4333 from 0.0.0.0/0
- VPC security groups should restrict ingress SSH access from 0.0.0.0/0
- VPC security groups should restrict ingress TCP and UDP access from 0.0.0.0/0