Benchmark: 1.2.8: Configuration files for NSCs are secured from unauthorized access and are kept consistent with active network configurations
Description
To prevent unauthorized configurations from being applied to the network, stored files with configurations for network controls need to be kept up to date and secured against unauthorized changes.
Usage
Install the mod:
mkdir dashboardscd dashboardspowerpipe mod initpowerpipe mod install github.com/turbot/steampipe-mod-aws-complianceStart the Powerpipe server:
steampipe service startpowerpipe serverOpen http://localhost:9033 in your browser and select 1.2.8: Configuration files for NSCs are secured from unauthorized access and are kept consistent with active network configurations.
Run this benchmark in your terminal:
powerpipe benchmark run aws_compliance.benchmark.pci_dss_v40_requirement_1_2_8Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_compliance.benchmark.pci_dss_v40_requirement_1_2_8 --shareControls
- API Gateway routes should specify an authorization type
- API Gateway stage should uses SSL certificate
- CloudFront distributions should use custom SSL/TLS certificates
- CloudFront distributions should have AWS WAF enabled
- CodeBuild GitHub or Bitbucket source repository URLs should use OAuth
- DMS replication instances should not be publicly accessible
- Amazon DocumentDB cluster snapshots should not be public
- EC2 transit gateways should have auto accept shared attachments disabled
- EKS clusters endpoint should restrict public access
- ELB application and network load balancers should only use SSL or HTTPS listeners
- ELB classic load balancers should use SSL certificates
- EMR account public access should be blocked
- ES domains should be in a VPC
- Lambda functions should be in a VPC
- Lambda functions should restrict public access
- Ensure a log metric filter and alarm exist for changes to network gateways
- The default stateless action for Network Firewall policies should be drop or forward for fragmented packets
- Network Firewall policies should have at least one rule group associated
- Stateless network firewall rule group should not be empty
- OpenSearch domains should be in a VPC
- RDS DB instances should prohibit public access
- Redshift clusters should prohibit public access
- S3 access points should have block public access settings enabled
- S3 buckets should prohibit public read access
- S3 buckets should prohibit public write access
- S3 public access should be blocked at account level
- S3 public access should be blocked at bucket levels
- SageMaker notebook instances should not have direct internet access
- SageMaker notebook instances should be in a VPC
- SSM managed instance associations should be compliant
- VPC should be configured to use VPC endpoints
- VPC internet gateways should be attached to authorized vpc
- Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389
- VPC network access control lists (network ACLs) should be associated with a subnet.
- VPC route table should restrict public access to IGW
- VPC security groups should restrict ingress access on ports 20, 21, 22, 3306, 3389, 4333 from 0.0.0.0/0
- VPC security groups should restrict ingress SSH access from 0.0.0.0/0
- VPC security groups should restrict ingress TCP and UDP access from 0.0.0.0/0
- WAF regional rule should have at least one condition
- WAF regional rule group should have at least one rule attached
- WAF regional web ACL should have at least one rule or rule group attached
- WAF global rule should have at least one condition
- WAF global rule group should have at least one rule
- WAF global web ACL should have at least one rule or rule group