Benchmark: 1.5.1 Security controls are implemented on any computing devices, including company- and employee-owned devices, that connect to both untrusted networks
Description
Computing devices that are allowed to connect to the Internet from outside the corporate environment—for example, desktops, laptops, tablets, smartphones, and other mobile computing devices used by employees—are more vulnerable to Internet-based threats.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-aws-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select 1.5.1 Security controls are implemented on any computing devices, including company- and employee-owned devices, that connect to both untrusted networks.
Run this benchmark in your terminal:
powerpipe benchmark run aws_compliance.benchmark.pci_dss_v40_requirement_1_5_1
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_compliance.benchmark.pci_dss_v40_requirement_1_5_1 --share
Controls
- API Gateway routes should specify an authorization type
- API Gateway stage should use an SSL certificate
- CloudFront distributions should use custom SSL/TLS certificates
- CloudFront distributions should have AWS WAF enabled
- CodeBuild GitHub or Bitbucket source repository URLs should use OAuth
- DMS replication instances should not be publicly accessible
- Amazon DocumentDB cluster snapshots should not be public
- EC2 transit gateways should have auto accept shared attachments disabled
- EKS clusters endpoint should restrict public access
- ELB application and network load balancers should only use SSL or HTTPS listeners
- ELB classic load balancers should use SSL certificates
- EMR account public access should be blocked
- ES domains should be in a VPC
- Lambda functions should be in a VPC
- Lambda functions should restrict public access
- The default stateless action for Network Firewall policies should be drop or forward for fragmented packets
- Network Firewall policies should have at least one rule group associated
- Stateless network firewall rule group should not be empty
- OpenSearch domains should be in a VPC
- RDS DB instances should prohibit public access
- Redshift clusters should prohibit public access
- S3 access points should have block public access settings enabled
- S3 buckets should prohibit public read access
- S3 buckets should prohibit public write access
- S3 public access should be blocked at account level
- S3 public access should be blocked at bucket levels
- SageMaker notebook instances should not have direct internet access
- SageMaker notebook instances should be in a VPC
- SSM managed instance associations should be compliant
- VPC should be configured to use VPC endpoints
- VPC internet gateways should be attached to an authorized VPC
- Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389
- VPC network access control lists (network ACLs) should be associated with a subnet
- VPC route table should restrict public access to IGW
- VPC security groups should restrict ingress access on ports 20, 21, 22, 3306, 3389, 4333 from 0.0.0.0/0
- VPC security groups should restrict ingress SSH access from 0.0.0.0/0
- VPC security groups should restrict ingress TCP and UDP access from 0.0.0.0/0
- WAF regional rule should have at least one condition
- WAF regional rule group should have at least one rule attached
- WAF regional web ACL should have at least one rule or rule group attached
- WAF global rule should have at least one condition
- WAF global rule group should have at least one rule
- WAF global web ACL should have at least one rule or rule group
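The three security-group controls above (ingress SSH from 0.0.0.0/0, ingress on ports 20, 21, 22, 3306, 3389 and 4333 from 0.0.0.0/0, and ingress TCP/UDP from 0.0.0.0/0) all reduce to the same question: does any ingress rule let the whole Internet reach a given port? The following is an added example, not the mod's own Steampipe SQL, that re-implements that logic in plain Python over a constructed set of rules so the edge cases are visible: a protocol of `-1` (all traffic) carries no port range but covers every port, a wide range such as 0-65535 covers port 22 without ever naming it, and egress rules are out of scope. It also treats `::/0` as world-open, which the control titles do not mention. The control names, the `SgRule` shape and the sample groups are assumptions made for this example; the output rows mimic the resource/status/reason columns a Powerpipe control reports.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# CIDRs that mean "anyone on the Internet". The control titles say 0.0.0.0/0;
# ::/0 is added here because it is equally open (assumption of this example).
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}

# The port list from the "ports 20, 21, 22, 3306, 3389, 4333" control.
ADMIN_PORTS = (20, 21, 22, 3306, 3389, 4333)


@dataclass(frozen=True)
class SgRule:
    """One security-group rule, modelled on the fields Steampipe exposes
    (group id, direction, protocol, port range, CIDR). Field names are this
    example's own, not a table schema."""
    group_id: str
    type: str                 # "ingress" or "egress"
    ip_protocol: str          # "tcp", "udp", "icmp" or "-1" meaning all protocols
    from_port: Optional[int]  # None for all-protocol rules
    to_port: Optional[int]
    cidr: str


def _world_ingress(rule: SgRule) -> bool:
    """Only ingress rules whose source is the whole Internet matter here."""
    return rule.type == "ingress" and rule.cidr in WORLD_CIDRS


def rule_opens_port(rule: SgRule, port: int) -> bool:
    """True when `rule` lets the whole Internet reach `port`.

    Protocol -1 has no port range and covers everything; a tcp/udp rule
    matches when its range contains the port, so 0-65535 exposes 22 even
    though 22 is never written down."""
    if not _world_ingress(rule):
        return False
    if rule.ip_protocol == "-1":
        return True
    if rule.ip_protocol not in ("tcp", "udp"):
        return False  # icmp etc. have no TCP/UDP port to reach
    if rule.from_port is None or rule.to_port is None:
        return True  # defensive: a port-less tcp/udp rule is treated as all ports
    return rule.from_port <= port <= rule.to_port


def rule_opens_all_tcp_udp(rule: SgRule) -> bool:
    """This example's reading of 'restrict ingress TCP and UDP access from
    0.0.0.0/0': the rule lets the Internet reach every TCP or UDP port."""
    if not _world_ingress(rule):
        return False
    if rule.ip_protocol == "-1":
        return True
    if rule.ip_protocol not in ("tcp", "udp"):
        return False
    if rule.from_port is None or rule.to_port is None:
        return True
    return rule.from_port <= 0 and rule.to_port >= 65535


# Control name (assumed for this example) -> predicate picking offending rules.
CHECKS: Dict[str, Callable[[List[SgRule]], List[SgRule]]] = {
    "restrict_ingress_ssh_all":
        lambda rs: [r for r in rs if rule_opens_port(r, 22)],
    "restrict_ingress_common_ports_all":
        lambda rs: [r for r in rs if any(rule_opens_port(r, p) for p in ADMIN_PORTS)],
    "restrict_ingress_tcp_udp_all":
        lambda rs: [r for r in rs if rule_opens_all_tcp_udp(r)],
}


def evaluate(rules: List[SgRule]) -> List[Tuple[str, str, str, str]]:
    """Return (control, resource, status, reason) rows: one per security group
    per control, alarm when at least one of its rules trips the check."""
    by_group: Dict[str, List[SgRule]] = {}
    for r in rules:
        by_group.setdefault(r.group_id, []).append(r)
    rows = []
    for control, check in CHECKS.items():
        for group_id in sorted(by_group):
            bad = check(by_group[group_id])
            if bad:
                rows.append((control, group_id, "alarm",
                             f"{len(bad)} ingress rule(s) open to the Internet"))
            else:
                rows.append((control, group_id, "ok",
                             "no Internet-wide ingress rule matches"))
    return rows


def alarms(rules: List[SgRule], control: str) -> List[str]:
    """Sorted group ids in alarm for one control."""
    return sorted(g for c, g, s, _ in evaluate(rules) if c == control and s == "alarm")


# Constructed sample data for this example; not real account output.
SAMPLE_RULES = [
    SgRule("sg-web", "ingress", "tcp", 443, 443, "0.0.0.0/0"),    # HTTPS to the world
    SgRule("sg-web", "egress", "-1", None, None, "0.0.0.0/0"),    # egress: out of scope
    SgRule("sg-bastion", "ingress", "tcp", 22, 22, "0.0.0.0/0"),  # SSH from anywhere
    SgRule("sg-db", "ingress", "tcp", 3306, 3306, "10.0.0.0/8"),  # MySQL, internal only
    SgRule("sg-legacy", "ingress", "tcp", 0, 65535, "::/0"),      # every TCP port, IPv6 Internet
    SgRule("sg-flat", "ingress", "-1", None, None, "0.0.0.0/0"),  # all traffic from anywhere
]

if __name__ == "__main__":
    for row in evaluate(SAMPLE_RULES):
        print("%-36s %-11s %-6s %s" % row)
```

Running it prints fifteen rows (five groups times three controls). `sg-web` and `sg-db` pass everything; `sg-bastion` fails the SSH and common-ports checks but not the all-ports one; `sg-legacy` and `sg-flat` fail all three, even though neither names port 22 explicitly.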