Benchmark: PR.IP-1
Description
A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality).
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-aws-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select PR.IP-1.
Run this benchmark in your terminal:
powerpipe benchmark run aws_compliance.benchmark.nist_csf_pr_ip_1
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_compliance.benchmark.nist_csf_pr_ip_1 --share
Controls
- AWS account should be part of AWS Organizations
- EC2 auto scaling group launch configurations should not have metadata response hop limit greater than 1
- Auto Scaling group should configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2)
- CloudFormation stacks differ from the expected configuration
- CloudFront distributions should have origin access identity enabled
- At least one trail should be enabled with security best practices
- EBS volumes should be attached to EC2 instances
- EC2 instances should be managed by AWS Systems Manager
- Paravirtual EC2 instance types should not be used
- EC2 stopped instances should be removed in 30 days
- ECR repositories should have lifecycle policies configured
- ECR private repositories should have tag immutability configured
- ECS Fargate services should run on the latest Fargate platform version
- ECS task definition containers should not have secrets passed as environment variables
- ECS task definitions should not share the host's process namespace
- EKS clusters should run on a supported Kubernetes version
- ELB application load balancers should be configured with defensive or strictest desync mitigation mode
- Lambda functions should use latest runtimes
- The default stateless action for Network Firewall policies should be drop or forward for fragmented packets
- The default stateless action for Network Firewall policies should be drop or forward for full packets
- Network Firewall policies should have at least one rule group associated
- RDS database clusters should use a custom administrator username
- RDS DB instance automatic minor version upgrade should be enabled
- RDS database instances should use a custom administrator username
- AWS Redshift should have required maintenance settings
- AWS Redshift clusters should not use the default Admin username
- Redshift clusters should not use the default database name
- AWS S3 permissions granted to other AWS accounts in bucket policies should be restricted
- SSM managed instance associations should be compliant
- WAF regional web ACL should have at least one rule or rule group attached
- WAF global rule should have at least one condition
- WAF global rule group should have at least one rule
- WAF web ACL should be associated with an Application Load Balancer, API Gateway stage, or CloudFront distributions