Benchmark: 1.4.1: NSCs are implemented between trusted and untrusted networks
Description
Implementing NSCs at every connection coming into and out of trusted networks allows the entity to monitor and control access and minimizes the chances of a malicious individual obtaining access to the internal network via an unprotected connection.
Usage
Install the mod:
mkdir dashboardscd dashboardspowerpipe mod initpowerpipe mod install github.com/turbot/steampipe-mod-aws-compliance
Start the Powerpipe server:
steampipe service startpowerpipe server
Open http://localhost:9033 in your browser and select 1.4.1: NSCs are implemented between trusted and untrusted networks.
Run this benchmark in your terminal:
powerpipe benchmark run aws_compliance.benchmark.pci_dss_v40_requirement_1_4_1
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_compliance.benchmark.pci_dss_v40_requirement_1_4_1 --share
Controls
- API Gateway routes should specify an authorization type
- API Gateway stage should be associated with waf
- EC2 instances should be in a VPC
- ElastiCache clusters should not use the default subnet group
- AWS Redshift enhanced VPC routing should be enabled
- SageMaker notebook instances should be in a VPC
- VPC internet gateways should be attached to authorized vpc
- VPC route table should restrict public access to IGW
- Both VPN tunnels provided by AWS Site-to-Site VPN should be in UP status