Benchmark: 1.3.1: Inbound traffic to the CDE is restricted as follows: To only traffic that is necessary, All other traffic is specifically denied
Description
This requirement aims to prevent malicious individuals from accessing the entity's network via unauthorized IP addresses or from using services, protocols, or ports in an unauthorized manner.
Usage
Install the mod:
mkdir dashboardscd dashboardspowerpipe mod initpowerpipe mod install github.com/turbot/steampipe-mod-aws-complianceStart the Powerpipe server:
steampipe service startpowerpipe serverOpen http://localhost:9033 in your browser and select 1.3.1: Inbound traffic to the CDE is restricted as follows: To only traffic that is necessary, All other traffic is specifically denied.
Run this benchmark in your terminal:
powerpipe benchmark run aws_compliance.benchmark.pci_dss_v40_requirement_1_3_1Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_compliance.benchmark.pci_dss_v40_requirement_1_3_1 --shareControls
- API Gateway routes should specify an authorization type
- API Gateway stage should uses SSL certificate
- API Gateway stage should be associated with waf
- CloudFront distributions should use custom SSL/TLS certificates
- CloudFront distributions should have AWS WAF enabled
- CodeBuild GitHub or Bitbucket source repository URLs should use OAuth
- DMS replication instances should not be publicly accessible
- Amazon DocumentDB cluster snapshots should not be public
- EC2 instances should be in a VPC
- EC2 transit gateways should have auto accept shared attachments disabled
- EKS clusters endpoint should restrict public access
- ElastiCache clusters should not use the default subnet group
- ELB application and network load balancers should only use SSL or HTTPS listeners
- ELB classic load balancers should use SSL certificates
- EMR account public access should be blocked
- ES domains should be in a VPC
- Lambda functions should be in a VPC
- Lambda functions should restrict public access
- The default stateless action for Network Firewall policies should be drop or forward for fragmented packets
- Network Firewall policies should have at least one rule group associated
- Stateless network firewall rule group should not be empty
- OpenSearch domains should be in a VPC
- RDS DB instances should prohibit public access
- AWS Redshift enhanced VPC routing should be enabled
- Redshift clusters should prohibit public access
- S3 access points should have block public access settings enabled
- S3 buckets should prohibit public read access
- S3 buckets should prohibit public write access
- S3 public access should be blocked at account level
- S3 public access should be blocked at bucket levels
- SageMaker notebook instances should not have direct internet access
- SageMaker notebook instances should be in a VPC
- SSM managed instance associations should be compliant
- VPC should be configured to use VPC endpoints
- VPC internet gateways should be attached to authorized vpc
- Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389
- VPC network access control lists (network ACLs) should be associated with a subnet.
- VPC route table should restrict public access to IGW
- VPC security groups should restrict ingress access on ports 20, 21, 22, 3306, 3389, 4333 from 0.0.0.0/0
- VPC security groups should restrict ingress SSH access from 0.0.0.0/0
- VPC security groups should restrict ingress TCP and UDP access from 0.0.0.0/0
- Both VPN tunnels provided by AWS Site-to-Site VPN should be in UP status
- WAF regional rule should have at least one condition
- WAF regional rule group should have at least one rule attached
- WAF regional web ACL should have at least one rule or rule group attached
- WAF global rule should have at least one condition
- WAF global rule group should have at least one rule
- WAF global web ACL should have at least one rule or rule group