aws_compliance

Manage access to resources in the AWS Cloud by ensuring common ports are restricted on AWS Elastic Compute Cloud (AWS EC2) Security Groups.

vpc_security_group_restrict_ingress_tcp_udp_all

pci_dss_v321_requirement_1_1_4_c

1.1.4.c Observe network configurations to verify that a firewall is in place at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone, per the documented configuration standards and network diagrams

pci_dss_v321_requirement_1_2_1_a

1.2.1.a Examine firewall and router configuration standards to verify that they identify inbound and outbound traffic necessary for the cardholder data environment

pci_dss_v321_requirement_1_2_1_b

1.2.1.b Examine firewall and router configurations to verify that inbound and outbound traffic is limited to that which is necessary for the cardholder data environment

pci_dss_v321_requirement_1_2_1_c

1.2.1.c Examine firewall and router configurations to verify that all other inbound and outbound traffic is specifically denied, for example by using an explicit “deny all” or an implicit deny after allow statement

pci_dss_v321_requirement_1_2_3_b

1.2.3.b Verify that the firewalls deny or, if traffic is necessary for business purposes, permit only authorized traffic between the wireless environment and the cardholder data environment

pci_dss_v40_requirement_1_2_5

1.2.5: All services, protocols, and ports allowed are identified, approved, and have a defined business need

pci_dss_v40_requirement_1_2_8

1.2.8: Configuration files for NSCs are secured from unauthorized access and are kept consistent with active network configurations

pci_dss_v40_requirement_1_3_1

1.3.1: Inbound traffic to the CDE is restricted as follows: To only traffic that is necessary, All other traffic is specifically denied

pci_dss_v321_requirement_1_3_2

1.3.2 Limit inbound Internet traffic to IP addresses within the DMZ

pci_dss_v40_requirement_1_3_2

1.3.2: Outbound traffic from the CDE is restricted as follows: To only traffic that is necessary, All other traffic is specifically denied

pci_dss_v321_requirement_1_3_5

1.3.5 Examine firewall and router configurations to verify that the firewall permits only established connections into the internal network and denies any inbound connections not associated with a previously established session

pci_dss_v40_requirement_1_4_2

1.4.2: Inbound traffic from untrusted networks to trusted networks is restricted

pci_dss_v40_requirement_1_5_1

1.5.1 Security controls are implemented on any computing devices, including company- and employee-owned devices, that connect to both untrusted networks

gxp_21_cfr_part_11_11_10_d

11.10(d) Limiting system access to authorized individuals

gxp_21_cfr_part_11_11_10_g

11.10(g) Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand

gxp_21_cfr_part_11_11_10_k

11.10(k) Use of appropriate controls over systems documentation that includes adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance

pci_dss_v40_requirement_11_3_1_1

11.3.1.1: All other applicable vulnerabilities (those not ranked as high-risk vulnerabilities or critical vulnerabilities according to the entity's vulnerability risk rankings)

pci_dss_v40_requirement_11_3_1_3

11.3.1.3: 3 Internal vulnerability scans are performed after any significant change

pci_dss_v40_requirement_11_5_1_1

11.5.1.1: Additional requirement for service providers only: Intrusion-detection and/or intrusion-prevention techniques detect, alert on/prevent, and address covert malware communication channels

pci_dss_v40_requirement_11_5_2

11.5.2: A change-detection mechanism (for example, file integrity monitoring tools) is deployed

hipaa_final_omnibus_security_rule_2013_164_308_a_1_ii_b

164.308(a)(1)(ii)(B) Risk management

hipaa_security_rule_2003_164_308_a_1_ii_b

hipaa_final_omnibus_security_rule_2013_164_312_e_1

164.312(e)(1) Transmission security

pci_dss_v40_requirement_2_2_5

2.2.5: System components cannot be compromised by exploiting insecure services, protocols, or daemons

nist_800_171_rev_2_3_1_1

3.1.1 Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems)

nist_800_171_rev_2_3_1_14

3.1.14 Route remote access via managed access control points

nist_800_171_rev_2_3_1_2

3.1.2 Limit system access to the types of transactions and functions that authorized users are permitted to execute

nist_800_171_rev_2_3_1_20

3.1.20 Verify and control/limit connections to and use of external systems

nist_800_171_rev_2_3_1_3

3.1.3 Control the flow of CUI in accordance with approved authorizations

nist_800_171_rev_2_3_13_1

3.13.1 Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems

nist_800_171_rev_2_3_13_2

3.13.2 Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems

nist_800_171_rev_2_3_13_5

3.13.5 Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks

nist_800_171_rev_2_3_13_6

3.13.6 Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception)

nist_800_171_rev_2_3_4_7

3.4.7 Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services

pci_dss_v40_requirement_7_2_1

7.2.1: An access control model is defined and includes granting access

pci_dss_v40_requirement_7_3_1

7.3.1: An access control system(s) is in place that restricts access based on a user's need to know and covers all system components

rbi_itf_nbfc_8_I

8.I Basic Security Aspects

pci_dss_v40_appendix_a1_1_3

A1.1.3: Controls are implemented such that each customer can only access resources allocated to them

fedramp_moderate_rev_4_ac_17_1

AC-17(1) Automated Monitoring/Control

nist_800_53_rev_5_ac_17_1

AC-17(1) Monitoring And Control

nist_800_53_rev_5_ac_17_10

AC-17(10) Authenticate Remote Commands

nist_800_53_rev_5_ac_17_4_a

AC-17(4)(a)

nist_800_53_rev_5_ac_17_9

AC-17(9) Disconnect Or Disable Access

nist_800_53_rev_5_ac_17_b

AC-17(b)

fedramp_moderate_rev_4_ac_21_b

AC-21(b)

nist_800_53_rev_5_ac_4_21

AC-4(21) Physical Or Logical Separation Of Infomation Flows

rbi_cyber_security_annex_i_5_1

Annex I (5.1)

fedramp_moderate_rev_4_cm_2

Baseline Configuration (CM-2)

fedramp_low_rev_4_cm_2

fedramp_low_rev_4_sc_7

Boundary Protection (SC-7)

fedramp_moderate_rev_4_sc_7

nist_800_53_rev_4_sc_7

soc_2_cc_6_1

CC6.1 The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives

soc_2_cc_6_2

CC6.2 Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity

soc_2_cc_6_6

CC6.6 The entity implements logical access security measures to protect against threats from sources outside its system boundaries

ffiec_d_3_pc_am_b_10

D3.PC.Am.B.10

ffiec_d_3_pc_im_b_2

D3.PC.IM.B.2

ffiec_d_3_pc_im_b_1

D3.PC.Im.B.1

ffiec_d_3_pc_im_b_6

D3.PC.Im.B.6

ffiec_d_4_c_co_b_2

D4.C.Co.B.2

nist_csf_de_ae_1

DE.AE-1

nist_800_53_rev_4_ac_4

Information Flow Enforcement (AC-4)

fedramp_moderate_rev_4_ac_4

fedramp_moderate_rev_4_sc_4

Information In Shared Resources (SC-4)

nist_csf_pr_ac_3

PR.AC-3

nist_csf_v2_pr_ir_01

PR.IR-01

nist_csf_pr_pt_4

PR.PT-4

nist_csf_v2_rs_mi_01

RS.MI-01

nist_csf_v2_rs_mi_02

RS.MI-02

fedramp_low_rev_4_ac_17

Remote Access (AC-17)

nist_800_53_rev_5_sc_7_11

SC-7(11) Restrict Incoming communications Traffic

nist_800_53_rev_5_sc_7_12

SC-7(12) Host-Based Protection

nist_800_53_rev_5_sc_7_16

SC-7(16) Prevent Discovery Of System Components

nist_800_53_rev_5_sc_7_21

SC-7(21) Isolation Of System Components

nist_800_53_rev_5_sc_7_24_b

SC-7(24)(b)

fedramp_moderate_rev_4_sc_7_3

SC-7(3) Access Points

nist_800_53_rev_4_sc_7_3

nist_800_53_rev_5_sc_7_5

SC-7(5) Deny By Default — Allow By Exception

nist_800_53_rev_5_sc_7_7

SC-7(7) Split Tunneling For Remote Devices

nist_800_53_rev_5_sc_7_a

SC-7(a)

nist_800_53_rev_5_sc_7_c

SC-7(c)

all_controls_vpc

cisa_cyber_essentials_your_data_2

Your Data-2

cisa_cyber_essentials_your_systems_3

Your Systems-3

VPC security groups should restrict ingress TCP and UDP access from 0.0.0.0/0

Run individual configuration, compliance and security controls or full compliance benchmarks for CIS, FFIEC, PCI, NIST, HIPAA, RBI CSF, GDPR, SOC 2, Audit Manager Control Tower, FedRAMP, GxP and AWS Foundational Security Best Practices controls across all your AWS accounts using Powerpipe and Steampipe.

AWS Compliance

Apache License 2.0

steampipe-mod-aws-compliance

Control: VPC security groups should restrict ingress TCP and UDP access from 0.0.0.0/0

Description

Usage

SQL

Tags