Benchmark: 1.4.4: System components that store cardholder data are not directly accessible from untrusted networks
Description
Cardholder data that is directly accessible from an untrusted network, for example, because it is stored on a system within the DMZ or in a cloud database service, is easier for an external attacker to access because there are fewer defensive layers to penetrate. Using NSCs to ensure that system components that store cardholder data (such as a database or a file) can only be directly accessed from trusted networks can prevent unauthorized network traffic from reaching the system component.
Usage
Install the mod:
mkdir dashboardscd dashboardspowerpipe mod initpowerpipe mod install github.com/turbot/steampipe-mod-aws-compliance
Start the Powerpipe server:
steampipe service startpowerpipe server
Open http://localhost:9033 in your browser and select 1.4.4: System components that store cardholder data are not directly accessible from untrusted networks.
Run this benchmark in your terminal:
powerpipe benchmark run aws_compliance.benchmark.pci_dss_v40_requirement_1_4_4
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_compliance.benchmark.pci_dss_v40_requirement_1_4_4 --share
Controls
- API Gateway routes should specify an authorization type
- API Gateway stage should be associated with waf
- EC2 instances should be in a VPC
- ElastiCache clusters should not use the default subnet group
- AWS Redshift enhanced VPC routing should be enabled
- SageMaker notebook instances should be in a VPC
- VPC internet gateways should be attached to authorized vpc
- VPC route table should restrict public access to IGW
- Both VPN tunnels provided by AWS Site-to-Site VPN should be in UP status