Benchmark: 3.1.3 Control the flow of CUI in accordance with approved authorizations
Description
Information flow control regulates where information can travel within a system and between systems (versus who can access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include the following: keeping exportcontrolled information from being transmitted in the clear to the Internet; blocking outside traffic that claims to be from within the organization; restricting requests to the Internet that are not from the internal web proxy server; and limiting information transfers between organizations based on data structures and content. Organizations commonly use information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within systems and between interconnected systems. Flow control is based on characteristics of the information or the information path. Enforcement occurs in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict system services, provide a packetfiltering capability based on header information, or message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering and inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Transferring information between systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies. In such situations, information owners or stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes: prohibiting information transfers between interconnected systems (i.e., allowing access only); employing hardware mechanisms to enforce one-way information flows; and implementing trustworthy regrading mechanisms to reassign security attributes and security labels.
Usage
Install the mod:
mkdir dashboardscd dashboardspowerpipe mod initpowerpipe mod install github.com/turbot/steampipe-mod-azure-compliance
Start the Powerpipe server:
steampipe service startpowerpipe server
Open http://localhost:9033 in your browser and select 3.1.3 Control the flow of CUI in accordance with approved authorizations.
Run this benchmark in your terminal:
powerpipe benchmark run azure_compliance.benchmark.nist_sp_800_171_rev_2_3_1_3
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run azure_compliance.benchmark.nist_sp_800_171_rev_2_3_1_3 --share
Controls
- API Management services should use a virtual network
- App Configuration should use private link
- App Service apps should not have CORS configured to allow every resource to access your apps
- Cognitive Services should use private link
- Cognitive Services accounts should have local authentication methods disabled
- Disk access resources should use private link
- Management ports of virtual machines should be protected with just-in-time network access control
- All network ports should be restricted on network security groups associated to your virtual machine
- Internet-facing virtual machines should be protected with network security groups
- Container registries should not allow unrestricted network access
- Container registries should use private link
- CosmosDB accounts should use private link
- Azure Cosmos DB accounts should have firewall rules
- Azure Data Factory should use private link
- Azure Event Grid domains should use private link
- Azure Event Grid topics should use private link
- Event Hub namespaces should use private link
- Azure API for FHIR should use private link
- IoT Hub device provisioning service instances should use private link
- Azure Key Vault should have firewall enabled
- Azure Key Vaults should use private link
- Authorized IP ranges should be defined on Kubernetes Services
- Private endpoint should be enabled for MariaDB servers
- Public network access should be disabled for MariaDB servers
- Private endpoint should be enabled for MySQL servers
- Public network access should be disabled for MySQL servers
- IP Forwarding on your virtual machine should be disabled
- Management ports should be closed on your virtual machines
- Subnets should be associated with a Network Security Group
- Private endpoint should be enabled for PostgreSQL servers
- Public network access should be disabled for PostgreSQL servers
- Azure Cache for Redis should use private link
- Azure Cognitive Search services should disable public network access
- Azure Cognitive Search services should use private link
- Azure Cognitive Search service should use a SKU that supports private link
- Azure Service Bus namespaces should use private link
- Azure SignalR Service should use private link
- Public network access on Azure SQL Database should be disabled
- Private endpoint connections on Azure SQL Database should be enabled
- Storage account public access should be disallowed
- Storage accounts should restrict network access
- Storage accounts should restrict network access using virtual network rules
- Storage accounts should use private link
- Azure File Sync should use private link
- Azure Synapse workspaces should use private link