turbot/steampipe-mod-aws-compliance

Control: 180 EC2 network interfaces should have source/destination checking enabled

Description

This control checks whether source/destination checking is enabled for an Amazon EC2 elastic network interface (ENI) that's managed by users. The control fails if source/destination checking is disabled for the user-managed ENI. This control checks only the following types of ENIs: aws_codestar_connections_managed, branch, efa, interface, lambda, and quicksight.

Source/destination checking should be enabled, and configured consistently, on your EC2 instances and their attached ENIs. Each ENI carries its own setting, so an instance with several interfaces can have the check enabled on one and disabled on another; the control therefore evaluates interfaces, not instances. When the check is enabled, Amazon EC2 validates the source and destination addresses of every packet and drops any packet for which the interface is neither the source nor the destination. This stops an instance from handling traffic that was not addressed to it and from sending traffic with a spoofed source IP address. The check is deliberately disabled on instances that forward traffic they did not originate (NAT instances, routers, VPN or firewall appliances); the ENIs of such instances fail this control by design and should be recorded as documented exceptions rather than "fixed" by enabling the check, which would break their forwarding.

Remediation

To enable the check, set the SourceDestCheck attribute on the ENI (the ModifyNetworkInterfaceAttribute API, or `aws ec2 modify-network-interface-attribute` in the AWS CLI); see Modify network interface attributes in the Amazon EC2 User Guide. Before enabling it, confirm that the ENI is not attached to a NAT instance, router, VPN or firewall appliance: those must keep the check disabled in order to forward traffic, so treat them as exceptions instead of remediating them.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_ec2_180

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_ec2_180 --share

SQL

This control uses a named query:

  select
    network_interface_id as resource,
    -- Interface types the control does not evaluate are reported as 'skip';
    -- everything else is 'ok' or 'alarm' based on the ENI's own attribute.
    case
      when interface_type not in ('aws_codestar_connections_managed', 'branch', 'efa', 'interface', 'lambda', 'quicksight') then 'skip'
      when source_dest_check then 'ok'
      else 'alarm'
    end as status,
    case
      when interface_type not in ('aws_codestar_connections_managed', 'branch', 'efa', 'interface', 'lambda', 'quicksight') then title || ' is of ' || interface_type || ' network interface.'
      when source_dest_check then title || ' source destination check enabled.'
      else title || ' source destination check disabled.'
    end as reason,
    region,
    account_id
  from
    aws_ec2_network_interface;
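A triage query for the alarms this control raises, added here as an example; it is not part of the mod. It serves the point made in the description that each ENI has its own setting and that some interfaces legitimately fail: every failing user-managed ENI is joined to the instance it is attached to, so a reviewer can see whether that instance is a NAT, routing or firewall appliance before enabling the check. It assumes the Steampipe AWS plugin tables aws_ec2_network_interface and aws_ec2_instance with the columns used below; the `Role` tag and its values are an assumed naming convention, not something the mod or AWS defines.

```sql
-- Added triage query (example, not the mod's own code).
-- Lists user-managed ENIs that fail control EC2 180 together with the
-- attached instance, and suggests how to handle each row.
-- Assumption: the 'Role' tag marks appliance instances in your fleet.
select
  eni.network_interface_id,
  eni.interface_type,
  eni.attachment_status,
  eni.attached_instance_id,
  i.instance_state,
  -- The instance-level attribute and the ENI-level attribute are separate;
  -- showing both makes a disagreement visible.
  i.source_dest_check as instance_level_check,
  eni.source_dest_check as eni_level_check,
  coalesce(i.tags ->> 'Name', '') as instance_name,
  case
    when eni.attached_instance_id is null
      then 'unattached: safe to enable'
    when lower(coalesce(i.tags ->> 'Role', '')) in ('nat', 'router', 'firewall', 'vpn')
      then 'likely legitimate: review before enabling'
    when i.source_dest_check is distinct from eni.source_dest_check
      then 'instance and ENI settings disagree: review'
    else 'enable source/dest check'
  end as triage,
  eni.region,
  eni.account_id
from
  aws_ec2_network_interface as eni
  left join aws_ec2_instance as i
    on i.instance_id = eni.attached_instance_id
    and i.account_id = eni.account_id
    and i.region = eni.region
where
  -- Same interface types the control evaluates, restricted to failures.
  eni.interface_type in ('aws_codestar_connections_managed', 'branch', 'efa', 'interface', 'lambda', 'quicksight')
  and not eni.source_dest_check
order by
  eni.account_id, eni.region, eni.network_interface_id;
```

Run it with `steampipe query` against the same connection the control uses. Rows marked safe to enable can be remediated directly; rows marked for review should become documented exceptions if the instance really forwards traffic, since enabling the check there would drop every forwarded packet.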

Tags