Benchmark: 2.2.5: System components cannot be compromised by exploiting insecure services, protocols, or daemons
Description
Ensuring that all insecure services, protocols, and daemons are adequately secured with appropriate security features makes it more difficult for malicious individuals to exploit common points of compromise within a network.
Usage
Install the mod:
mkdir dashboardscd dashboardspowerpipe mod initpowerpipe mod install github.com/turbot/steampipe-mod-aws-compliance
Start the Powerpipe server:
steampipe service startpowerpipe server
Open http://localhost:9033 in your browser and select 2.2.5: System components cannot be compromised by exploiting insecure services, protocols, or daemons.
Run this benchmark in your terminal:
powerpipe benchmark run aws_compliance.benchmark.pci_dss_v40_requirement_2_2_5
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_compliance.benchmark.pci_dss_v40_requirement_2_2_5 --share
Controls
- CloudFront distributions should encrypt traffic to custom origins
- CloudFront distributions should require encryption in transit
- CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins
- CloudFront distributions should use SNI to serve HTTPS requests
- CloudFront distributions should use secure SSL cipher
- ELB application load balancers should redirect HTTP requests to HTTPS
- ELB classic load balancers should only use SSL or HTTPS listeners
- EMR cluster Kerberos should be enabled
- Elasticsearch domain node-to-node encryption should be enabled
- OpenSearch domains should use HTTPS
- OpenSearch domains node-to-node encryption should be enabled
- Redshift cluster encryption in transit should be enabled
- S3 buckets should enforce SSL
- VPC security groups should restrict ingress access on ports 20, 21, 22, 3306, 3389, 4333 from 0.0.0.0/0
- VPC security groups should restrict ingress TCP and UDP access from 0.0.0.0/0