Benchmark: 6.4.2: For public-facing web applications, an automated technical solution is deployed that continually detects and prevents web-based attacks
Description
Public-facing web applications are primary targets for attackers, and poorly coded web applications provide an easy path for attackers to gain access to sensitive data and systems.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-aws-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select 6.4.2: For public-facing web applications, an automated technical solution is deployed that continually detects and prevents web-based attacks.
Run this benchmark in your terminal:
powerpipe benchmark run aws_compliance.benchmark.pci_dss_v40_requirement_6_4_2
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_compliance.benchmark.pci_dss_v40_requirement_6_4_2 --share
Controls
- API Gateway stage should be associated with a WAF
- CloudFront distributions should have AWS WAF enabled
- ELB application load balancers should have Web Application Firewall (WAF) enabled
- WAF regional rule should have at least one condition
- WAF regional rule group should have at least one rule attached
- WAF regional web ACL should have at least one rule or rule group attached
- WAF global rule should have at least one condition
- WAF global rule group should have at least one rule
- WAF web ACL should be associated with an Application Load Balancer, API Gateway stage, or CloudFront distribution
- WAF global web ACL should have at least one rule or rule group
- A WAFV2 web ACL should have at least one rule or rule group
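The controls above split the requirement into two halves: a resource must be associated with a web ACL, and that web ACL must actually contain rules, because an empty ACL is attached but inspects nothing. The query below is an added example, not one of the mod's own control queries, that checks both halves for Application Load Balancers in a single pass. It assumes the Steampipe AWS plugin tables aws_ec2_application_load_balancer (columns arn, name, region, account_id) and aws_wafv2_web_acl (columns arn, name, scope, rules, associated_resources); verify those columns against your installed plugin version with `.inspect aws_wafv2_web_acl` in the Steampipe shell.

```sql
-- Added example (not a query from steampipe-mod-aws-compliance).
-- Flags Application Load Balancers that have no WAFv2 web ACL associated,
-- and also flags ALBs whose web ACL has zero rules, so that an empty ACL
-- is not counted as protection. Table and column names are assumptions
-- about the Steampipe AWS plugin schema; check them with .inspect first.
with acl_by_resource as (
  select
    acl.arn  as acl_arn,
    acl.name as acl_name,
    -- number of rule statements in the ACL (null rules treated as none)
    jsonb_array_length(coalesce(acl.rules, '[]'::jsonb)) as rule_count,
    resource_arn
  from
    aws_wafv2_web_acl as acl,
    -- one row per resource ARN the ACL is attached to
    jsonb_array_elements_text(coalesce(acl.associated_resources, '[]'::jsonb)) as resource_arn
  where
    -- ALBs and API Gateway stages use REGIONAL ACLs; CloudFront uses CLOUDFRONT scope
    acl.scope = 'REGIONAL'
)
select
  alb.arn as resource,
  case
    when a.acl_arn is null then 'alarm'   -- no ACL attached at all
    when a.rule_count = 0  then 'alarm'   -- ACL attached but inspects nothing
    else 'ok'
  end as status,
  case
    when a.acl_arn is null then alb.name || ' has no WAFv2 web ACL associated.'
    when a.rule_count = 0  then alb.name || ' is associated with ' || a.acl_name || ', which has no rules.'
    else alb.name || ' is protected by ' || a.acl_name || ' (' || a.rule_count || ' rules).'
  end as reason,
  alb.region,
  alb.account_id
from
  aws_ec2_application_load_balancer as alb
  left join acl_by_resource as a on a.resource_arn = alb.arn
order by
  status, alb.name;
```

Run it with `steampipe query` while the service started above is running. The output follows the resource/status/reason shape the mod's own controls use, so it can be dropped into a custom control in your own Powerpipe mod. CloudFront distributions are covered by a separate control in the list above because their web ACL is recorded on the distribution itself rather than in the ACL's association list, so this regional-scope query will not report them.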