Benchmark: 6.4.1: For public-facing web applications, new threats and vulnerabilities are addressed on an ongoing basis and these applications are protected against known attacks
Description
Public-facing web applications are those that are available to the public (not only for internal use). These applications are primary targets for attackers, and poorly coded web applications provide an easy path for attackers to gain access to sensitive data and systems.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-aws-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select 6.4.1: For public-facing web applications, new threats and vulnerabilities are addressed on an ongoing basis and these applications are protected against known attacks.
Run this benchmark in your terminal:
powerpipe benchmark run aws_compliance.benchmark.pci_dss_v40_requirement_6_4_1
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_compliance.benchmark.pci_dss_v40_requirement_6_4_1 --share
Controls
- API Gateway stage should be associated with waf
- CloudFront distributions should have AWS WAF enabled
- ELB application load balancers should have Web Application Firewall (WAF) enabled
- WAF regional rule should have at least one condition
- WAF regional rule group should have at least one rule attached
- WAF regional web ACL should have at least one rule or rule group attached
- WAF global rule should have at least one condition
- WAF global rule group should have at least one rule
- WAF web ACL should be associated with an Application Load Balancer, API Gateway stage, or CloudFront distributions
- WAF global web ACL should have at least one rule or rule group
- A WAFV2 web ACL should have at least one rule or rule group
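The controls above boil down to two questions: does every public entry point (ALB, CloudFront distribution, API Gateway stage) have a web ACL in front of it, and does that web ACL actually contain rules? The Steampipe SQL below is an added example written for this page, not a query from the steampipe-mod-aws-compliance mod; it approximates those two checks so you can run and adapt them in the steampipe query shell. It assumes the Steampipe AWS plugin tables aws_wafv2_web_acl (columns rules, associated_resources), aws_ec2_application_load_balancer (arn, scheme), aws_cloudfront_distribution (web_acl_id) and aws_api_gateway_stage (web_acl_arn); confirm the column names with `.inspect <table>` before relying on the results.

```sql
-- Added example (not part of the aws_compliance mod). Steampipe SQL that
-- approximates two of the PCI DSS 6.4.1 controls. Table and column names
-- are assumed from the Steampipe AWS plugin schema; verify with .inspect.

-- 1. A WAFv2 web ACL with no rules is a pass-through: every request takes
--    the default action and nothing is inspected, so "WAF enabled" is
--    meaningless until at least one rule or rule group is attached.
select
  arn as resource,
  case
    when rules is null or jsonb_array_length(rules) = 0 then 'alarm'
    else 'ok'
  end as status,
  name || ' has ' || coalesce(jsonb_array_length(rules), 0)
       || ' rule(s) attached.' as reason,
  scope,
  region,
  account_id
from
  aws_wafv2_web_acl;

-- 2. Public entry points with no web ACL associated at all.
--    ALBs: a regional web ACL lists protected ALB ARNs in associated_resources.
--    CloudFront: associated_resources is not populated for CLOUDFRONT-scope
--    ACLs, so check the distribution's own web_acl_id instead.
--    API Gateway stages: web_acl_arn is null when nothing is attached.
with waf_associated as (
  select
    jsonb_array_elements_text(associated_resources) as resource_arn
  from
    aws_wafv2_web_acl
  where
    associated_resources is not null
)
select
  'alb' as kind,
  a.arn as resource,
  case
    when a.scheme = 'internal' then 'skip'   -- not public-facing
    when w.resource_arn is not null then 'ok'
    else 'alarm'
  end as status,
  a.region,
  a.account_id
from
  aws_ec2_application_load_balancer as a
  left join waf_associated as w on w.resource_arn = a.arn
union all
select
  'cloudfront' as kind,
  arn as resource,
  case
    when web_acl_id is not null and web_acl_id <> '' then 'ok'
    else 'alarm'
  end as status,
  region,
  account_id
from
  aws_cloudfront_distribution
union all
select
  'api_gateway_stage' as kind,
  arn as resource,
  case
    when web_acl_arn is not null then 'ok'
    else 'alarm'
  end as status,
  region,
  account_id
from
  aws_api_gateway_stage;
```

Two caveats when reading the results. The benchmark controls, and this query, only establish that a web ACL is attached and is not empty; they do not verify that the rules cover the attack classes 6.4.1 cares about (for example the AWS managed core rule set or an equivalent), that the ACL is in COUNT rather than BLOCK mode, or that logging is on, so treat a green benchmark as a necessary but not sufficient condition. The example also only looks at WAFv2; the WAF Classic controls in the list (global and regional rules and rule groups) read from the aws_waf_* and aws_wafregional_* tables and are not covered here.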