Benchmark: Boundary Protection (SC-7)
Description
The information system: a. Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; b. Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and c. Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-azure-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select Boundary Protection (SC-7).
Run this benchmark in your terminal:
powerpipe benchmark run azure_compliance.benchmark.fedramp_high_sc_7
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run azure_compliance.benchmark.fedramp_high_sc_7 --share
Benchmarks
Controls
- API Management services should use a virtual network
- App Configuration should use private link
- Web Application Firewall (WAF) should be enabled for Application Gateway
- Cognitive Services should use private link
- Disk access resources should use private link
- Management ports of virtual machines should be protected with just-in-time network access control
- All network ports should be restricted on network security groups associated to your virtual machine
- Internet-facing virtual machines should be protected with network security groups
- Container registries should not allow unrestricted network access
- Container registries should use private link
- CosmosDB accounts should use private link
- Azure Cosmos DB accounts should have firewall rules
- Azure Data Factory should use private link
- Azure Event Grid domains should use private link
- Azure Event Grid topics should use private link
- Event Hub namespaces should use private link
- Web Application Firewall (WAF) should be enabled for Azure Front Door Service
- Azure API for FHIR should use private link
- IoT Hub device provisioning service instances should use private link
- Azure Key Vault should have firewall enabled
- Azure Key Vaults should use private link
- Authorized IP ranges should be defined on Kubernetes Services
- Private endpoint should be enabled for MariaDB servers
- Public network access should be disabled for MariaDB servers
- Private endpoint should be enabled for MySQL servers
- Public network access should be disabled for MySQL servers
- IP Forwarding on your virtual machine should be disabled
- Management ports should be closed on your virtual machines
- Subnets should be associated with a Network Security Group
- Private endpoint should be enabled for PostgreSQL servers
- Public network access should be disabled for PostgreSQL servers
- Azure Cache for Redis should use private link
- Azure Cognitive Search services should disable public network access
- Azure Cognitive Search services should use private link
- Azure Cognitive Search service should use a SKU that supports private link
- Azure Service Bus namespaces should use private link
- Azure SignalR Service should use private link
- Public network access on Azure SQL Database should be disabled
- Private endpoint connections on Azure SQL Database should be enabled
- Storage account public access should be disallowed
- Storage accounts should restrict network access
- Storage accounts should restrict network access using virtual network rules
- Storage accounts should use private link
- Azure File Sync should use private link
- Azure Synapse workspaces should use private link