Benchmark: 11.3.1.3: 3 Internal vulnerability scans are performed after any significant change

Description

Scanning an environment after any significant changes ensures that changes were completed appropriately such that the security of the environment was not compromised because of the change.

Usage

Install the mod:

mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-aws-compliance

Start the Powerpipe server:

steampipe service start
powerpipe server

Open http://localhost:9033 in your browser and select 11.3.1.3: 3 Internal vulnerability scans are performed after any significant change.

Run this benchmark in your terminal:

powerpipe benchmark run aws_compliance.benchmark.pci_dss_v40_requirement_11_3_1_3

Snapshot and share results via Turbot Pipes:

powerpipe benchmark run aws_compliance.benchmark.pci_dss_v40_requirement_11_3_1_3 --share

Controls

• API Gateway stage should uses SSL certificate
• At least one multi-region AWS CloudTrail should be present in an account
• All S3 buckets should log S3 data events in CloudTrail
• CloudTrail trails should be integrated with CloudWatch logs
• EC2 instances should not have a public IP address
• ECR repositories should have image scan on push enabled
• GuardDuty should be enabled
• IAM password policies for users should have strong configurations
• Lambda functions should restrict public access
• S3 buckets should prohibit public read access
• S3 buckets should prohibit public write access
• AWS Security Hub should be enabled for an AWS Account
• SSM managed instance patching should be compliant
• VPC security groups should restrict ingress access on ports 20, 21, 22, 3306, 3389, 4333 from 0.0.0.0/0
• VPC security groups should restrict ingress SSH access from 0.0.0.0/0
• VPC security groups should restrict ingress TCP and UDP access from 0.0.0.0/0

Tags