Benchmark: EC2
Overview
This section contains recommendations for configuring EC2 resources and options.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-aws-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select EC2.
Run this benchmark in your terminal:
powerpipe benchmark run aws_compliance.benchmark.foundational_security_ec2
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_compliance.benchmark.foundational_security_ec2 --share
Controls
- 1 Amazon EBS snapshots should not be public, determined by the ability to be restorable by anyone
- 2 VPC default security groups should not allow inbound or outbound traffic
- 3 Attached EBS volumes should be encrypted at rest
- 4 Stopped EC2 instances should be removed after a specified time period
- 6 VPC flow logging should be enabled in all VPCs
- 7 EBS default encryption should be enabled
- 8 EC2 instances should use IMDSv2
- 9 EC2 instances should not have a public IP address
- 10 Amazon EC2 should be configured to use VPC endpoints
- 15 EC2 subnets should not automatically assign public IP addresses
- 16 Unused network access control lists should be removed
- 17 EC2 instances should not use multiple ENIs
- 18 Security groups should only allow unrestricted incoming traffic for authorized ports
- 19 Security groups should not allow unrestricted access to ports with high risk
- 20 Both VPN tunnels for an AWS Site-to-Site VPN connection should be up
- 21 Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389
- 23 EC2 Transit Gateways should not automatically accept VPC attachment requests
- 24 Paravirtual EC2 instance types should not be used
- 25 Amazon EC2 launch templates should not assign public IPs to network interfaces
- 51 EC2 Client VPN endpoints should have client connection logging enabled
- 55 VPCs should be configured with an interface endpoint for ECR API
- 56 VPCs should be configured with an interface endpoint for Docker Registry
- 57 VPCs should be configured with an interface endpoint for Systems Manager
- 58 VPCs should be configured with an interface endpoint for Systems Manager Incident Manager Contacts
- 60 VPCs should be configured with an interface endpoint for Systems Manager Incident Manager
- 170 EC2 launch templates should use Instance Metadata Service Version 2 (IMDSv2)
- 171 EC2 VPN connections should have logging enabled
- 172 EC2 VPC Block Public Access settings should block internet gateway traffic
- 173 EC2 Spot Fleet requests with launch parameters should enable encryption for attached EBS volumes
- 180 EC2 network interfaces should have source/destination checking enabled