Benchmark: 1.2.5: All services, protocols, and ports allowed are identified, approved, and have a defined business need
Description
Compromises often happen due to unused or insecure services (for example, telnet and FTP), protocols, and ports, since these can lead to unnecessary points of access being opened into the CDE. Additionally, services, protocols, and ports that are enabled but not in use are often overlooked and left unsecured and unpatched.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-aws-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select 1.2.5: All services, protocols, and ports allowed are identified, approved, and have a defined business need.
Run this benchmark in your terminal:
powerpipe benchmark run aws_compliance.benchmark.pci_dss_v40_requirement_1_2_5
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_compliance.benchmark.pci_dss_v40_requirement_1_2_5 --share
Controls
- CloudFront distributions should encrypt traffic to custom origins
- CloudFront distributions should require encryption in transit
- CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins
- CloudFront distributions should use SNI to serve HTTPS requests
- CloudFront distributions should use secure SSL cipher
- ELB application load balancers should redirect HTTP requests to HTTPS
- ELB classic load balancers should only use SSL or HTTPS listeners
- EMR cluster Kerberos should be enabled
- Elasticsearch domain node-to-node encryption should be enabled
- OpenSearch domains should use HTTPS
- OpenSearch domains node-to-node encryption should be enabled
- Redshift cluster encryption in transit should be enabled
- S3 buckets should enforce SSL
- VPC security groups should restrict ingress access on ports 20, 21, 22, 3306, 3389, 4333 from 0.0.0.0/0
- VPC security groups should restrict ingress TCP and UDP access from 0.0.0.0/0
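Each control above is a SQL query run by Steampipe against the AWS tables. The following is an added ad-hoc query, not part of the mod, that shows the shape of the last two controls: it lists every security group rule that exposes one of the well-known ports (20, 21, 22, 3306, 3389, 4333) to the whole internet, including "all traffic" rules that cover those ports implicitly. It assumes the `aws_vpc_security_group_rule` table from the Steampipe AWS plugin with the columns `group_id`, `group_name`, `is_egress`, `ip_protocol`, `from_port`, `to_port`, `cidr_ipv4`, `cidr_ipv6`, `region` and `account_id`; the column set is an assumption and should be checked with `.inspect aws_vpc_security_group_rule` before use.

```sql
-- Added example, not the mod's own control query.
-- Assumes the Steampipe AWS plugin table aws_vpc_security_group_rule (assumed columns listed above).
with ports(port, service) as (
  values
    (20,   'ftp-data'),
    (21,   'ftp'),
    (22,   'ssh'),
    (3306, 'mysql'),
    (3389, 'rdp'),
    (4333, 'msql')
)
select
  r.account_id,
  r.region,
  r.group_id,
  r.group_name,
  p.port,
  p.service,
  case when r.ip_protocol = '-1' then 'all protocols' else r.ip_protocol end as protocol,
  coalesce(r.cidr_ipv4, r.cidr_ipv6) as source
from aws_vpc_security_group_rule r
join ports p
  -- an "all traffic" rule (ip_protocol = '-1') covers every port with no port range set
  on r.ip_protocol = '-1'
  -- otherwise the listed port must fall inside the rule's TCP/UDP port range
  or (r.ip_protocol in ('tcp', 'udp') and p.port between r.from_port and r.to_port)
where not r.is_egress                                   -- ingress rules only
  and (r.cidr_ipv4 = '0.0.0.0/0' or r.cidr_ipv6 = '::/0')  -- open to the whole internet
order by r.account_id, r.region, r.group_id, p.port;
```

Run it in `steampipe query`; every row is a rule that the benchmark would flag as an alarm, and the `service` column tells you which business need, if any, has to be documented for requirement 1.2.5. Rules that reference another security group rather than a CIDR are not returned, since both `cidr_ipv4` and `cidr_ipv6` are null for them.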