Benchmark: Annex I (5.1)
Description
Firewall configurations should be set to the highest security level, and the configurations of critical devices (firewalls, network switches, security devices, etc.) should be evaluated periodically.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-aws-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select Annex I (5.1).
Run this benchmark in your terminal:
powerpipe benchmark run aws_compliance.benchmark.rbi_cyber_security_annex_i_5_1
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_compliance.benchmark.rbi_cyber_security_annex_i_5_1 --share
Controls
- API Gateway stage should be associated with WAF
- ELB application load balancers should have Web Application Firewall (WAF) enabled
- VPC default security group should not allow inbound and outbound traffic
- VPC security groups should restrict ingress access on ports 20, 21, 22, 3306, 3389, 4333 from 0.0.0.0/0
- VPC security groups should restrict ingress SSH access from 0.0.0.0/0
- VPC security groups should restrict ingress TCP and UDP access from 0.0.0.0/0
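The four VPC security group controls above all reduce to the same question: does an ingress rule expose a port to the whole internet (0.0.0.0/0 or ::/0), and is the default security group carrying any rules at all? The mod evaluates them as Steampipe SQL queries; the script below is an added example (not the mod's own code) that re-implements the same logic in Python over the JSON shape returned by `aws ec2 describe-security-groups`, so the result can be reproduced without a Steampipe connection. The security groups embedded in it are constructed test data, and the reading of "TCP and UDP access" as a rule that spans the full port range (or uses protocol `-1`) is an assumption about how that control is scoped.

```python
"""Evaluate security groups against the Annex I (5.1) VPC controls.

Added example, not part of the steampipe-mod-aws-compliance mod. Input is the
"SecurityGroups" list from `aws ec2 describe-security-groups` (pipe the JSON on
stdin), or the constructed SAMPLE below when run without input.
"""
import json
import sys
from typing import Dict, List, Tuple

# Ports named by the "restrict ingress access on ports ..." control.
RESTRICTED_PORTS = {20, 21, 22, 3306, 3389, 4333}
# CIDRs that mean "anyone on the internet".
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def rule_open_to_world(perm: Dict) -> bool:
    """True when the IpPermission grants access from 0.0.0.0/0 or ::/0."""
    cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    return any(c in WORLD_CIDRS for c in cidrs)


def port_range(perm: Dict) -> Tuple[int, int]:
    """Port span covered by the rule; protocol -1 means every port."""
    if perm.get("IpProtocol", "-1") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def evaluate(security_groups: List[Dict]) -> Dict[str, List[str]]:
    """Return {group_id: [failed control names]} for groups that fail at least one."""
    findings: Dict[str, set] = {}
    for sg in security_groups:
        gid = sg["GroupId"]
        hits = findings.setdefault(gid, set())

        # Control: VPC default security group should not allow inbound and outbound traffic.
        if sg.get("GroupName") == "default" and (
            sg.get("IpPermissions") or sg.get("IpPermissionsEgress")
        ):
            hits.add("default_sg_has_rules")

        for perm in sg.get("IpPermissions", []):
            if not rule_open_to_world(perm):
                continue  # rules scoped to a CIDR or another SG are fine here
            proto = perm.get("IpProtocol", "-1")
            lo, hi = port_range(perm)

            # Control: restrict ingress SSH access from 0.0.0.0/0.
            if proto in ("tcp", "-1") and lo <= 22 <= hi:
                hits.add("ssh_from_world")
            # Control: restrict ingress on ports 20, 21, 22, 3306, 3389, 4333 from 0.0.0.0/0.
            if proto in ("tcp", "udp", "-1") and any(lo <= p <= hi for p in RESTRICTED_PORTS):
                hits.add("restricted_ports_from_world")
            # Control: restrict ingress TCP and UDP access from 0.0.0.0/0
            # (assumption: a rule covering the whole port range, or protocol -1).
            if proto == "-1" or (proto in ("tcp", "udp") and (lo, hi) == (0, 65535)):
                hits.add("all_tcp_udp_from_world")

    return {gid: sorted(h) for gid, h in findings.items() if h}


# Constructed sample: one default SG with rules, one bastion exposing SSH,
# one legacy SG open on everything over IPv6, and one compliant app SG.
SAMPLE = [
    {"GroupId": "sg-0default", "GroupName": "default",
     "IpPermissions": [{"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-0default"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0bastion", "GroupName": "bastion",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
     "IpPermissionsEgress": []},
    {"GroupId": "sg-0wideopen", "GroupName": "legacy",
     "IpPermissions": [{"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}],
     "IpPermissionsEgress": []},
    {"GroupId": "sg-0ok", "GroupName": "app",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                        "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}],
     "IpPermissionsEgress": []},
]


if __name__ == "__main__":
    if sys.stdin.isatty():
        groups = SAMPLE
    else:
        groups = json.load(sys.stdin)["SecurityGroups"]
    for gid, failed in evaluate(groups).items():
        print(f"{gid}: {', '.join(failed)}")
```

Run it against a live account with `aws ec2 describe-security-groups | python3 check_sg.py`; the 443 rule on the bastion group is deliberately not flagged, since none of these controls cover HTTPS, and the default group fails on the presence of rules alone, regardless of their source.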