Benchmark: A1.1.2: Controls are implemented such that each customer only has permission to access its own cardholder data and CDE
Description
A multi-tenant service provider must implement controls so that each customer can access only its own environment and cardholder data environment (CDE); otherwise one customer's environment could be used to reach another customer's cardholder data. The controls below check the AWS primitives that most often break that isolation: public or cross-account access to data stores, snapshots and compute, and weak guards on deletion.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-aws-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select A1.1.2: Controls are implemented such that each customer only has permission to access its own cardholder data and CDE.
Run this benchmark in your terminal:
powerpipe benchmark run aws_compliance.benchmark.pci_dss_v40_appendix_a1_1_2
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_compliance.benchmark.pci_dss_v40_appendix_a1_1_2 --share
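Run the benchmark non-interactively and fail the job when any control alarms or errors, as an added example (this is not code from the steampipe-mod-aws-compliance project). It assumes that `powerpipe benchmark run ... --output json` prints a result tree with per-node `summary.status` counters and nested `groups` / `controls` lists whose results carry `status`, `resource` and `reason`; confirm that shape against your Powerpipe version before relying on it. The embedded sample tree and its control IDs are constructed for the offline check.

```python
# Added example, not part of the steampipe-mod-aws-compliance project.
# Assumptions: `powerpipe benchmark run --output json` emits a result tree
# with per-node `summary.status` counters and nested `groups` / `controls`
# whose results carry `status`, `resource` and `reason`.
import json
import subprocess

BENCHMARK = "aws_compliance.benchmark.pci_dss_v40_appendix_a1_1_2"
MOD_DIR = "dashboards"  # directory created by `powerpipe mod init` above


def run_benchmark(benchmark=BENCHMARK, mod_dir=MOD_DIR):
    """Invoke powerpipe and parse its JSON result tree (needs a running
    steampipe service with AWS credentials; not exercised offline)."""
    proc = subprocess.run(
        ["powerpipe", "benchmark", "run", benchmark, "--output", "json"],
        cwd=mod_dir, capture_output=True, text=True, check=False,
    )
    if not proc.stdout.strip():
        raise RuntimeError(f"no JSON from powerpipe: {proc.stderr.strip()}")
    return json.loads(proc.stdout)


def failing_results(node):
    """Walk the result tree depth-first and return (control_id, resource,
    reason) for every result whose status is alarm or error."""
    failures = []
    for control in node.get("controls") or []:
        for result in control.get("results") or []:
            if result.get("status") in ("alarm", "error"):
                failures.append((control.get("control_id", "?"),
                                 result.get("resource", "?"),
                                 result.get("reason", "")))
    for group in node.get("groups") or []:
        failures.extend(failing_results(group))
    return failures


def status_counts(tree):
    """Top-level ok/alarm/info/skip/error counters, defaulting to 0."""
    status = (tree.get("summary") or {}).get("status") or {}
    return {k: int(status.get(k, 0)) for k in ("ok", "alarm", "info", "skip", "error")}


# Constructed sample of the assumed output shape; control IDs are illustrative.
SAMPLE_TREE = {
    "group_id": BENCHMARK,
    "summary": {"status": {"ok": 2, "alarm": 1, "info": 0, "skip": 0, "error": 1}},
    "groups": [],
    "controls": [
        {"control_id": "aws_compliance.control.rds_db_instance_prohibit_public_access",
         "results": [
             {"status": "ok", "resource": "arn:aws:rds:us-east-1:111122223333:db:internal",
              "reason": "internal not publicly accessible."},
             {"status": "alarm", "resource": "arn:aws:rds:us-east-1:111122223333:db:tenant-a",
              "reason": "tenant-a publicly accessible."},
         ]},
        {"control_id": "aws_compliance.control.s3_bucket_restrict_public_read_access",
         "results": [
             {"status": "ok", "resource": "arn:aws:s3:::tenant-a-cde",
              "reason": "tenant-a-cde not publicly readable."},
             {"status": "error", "resource": "arn:aws:s3:::tenant-b-cde",
              "reason": "AccessDenied calling GetBucketPolicy."},
         ]},
    ],
}


def main():
    tree = run_benchmark()
    counts = status_counts(tree)
    print(" ".join(f"{k}={v}" for k, v in counts.items()))
    failures = failing_results(tree)
    for control_id, resource, reason in failures:
        print(f"FAIL {control_id} {resource}: {reason}")
    return 1 if failures else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Treating `error` the same as `alarm` is deliberate: an error usually means the check could not read the resource (for example a missing IAM permission), which is exactly the blind spot a tenant-isolation review cannot afford.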
Controls
- Backup recovery points manual deletion should be disabled
- DMS replication instances should not be publicly accessible
- Amazon DocumentDB cluster snapshots should not be public
- EBS snapshots should not be publicly restorable
- ECS containers should be limited to read-only access to root filesystems
- EFS access points should enforce a root directory
- EFS access points should enforce a user identity
- EMR account public access should be blocked
- Lambda functions should restrict public access
- Neptune DB cluster snapshots should not be public
- RDS DB instances should prohibit public access
- RDS snapshots should prohibit public access
- Redshift clusters should prohibit public access
- S3 access points should have block public access settings enabled
- Ensure MFA Delete is enabled on S3 buckets
- S3 buckets should prohibit public read access
- S3 buckets should prohibit public write access
- S3 public access should be blocked at account level
- S3 public access should be blocked at bucket levels
- SageMaker notebook instances should not have direct internet access
- SSM documents should not be public