Benchmark: VPC
Description
This benchmark provides a set of controls that detect Terraform AWS VPC resources deviating from security best practices.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-terraform-aws-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select VPC.
Run this benchmark in your terminal:
powerpipe benchmark run terraform_aws_compliance.benchmark.vpc
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run terraform_aws_compliance.benchmark.vpc --share
Controls
- VPC default security group should not allow inbound and outbound traffic
- VPC EC2 transit gateway should not automatically accept VPC attachment requests
- VPC EIPs should be associated with an EC2 instance or ENI
- VPC endpoint service acceptance should be enabled
- VPC flow logs should be enabled
- VPC internet gateways should be attached to authorized VPC
- Network ACL should not allow unrestricted FTP port 20 access
- Network ACL should not allow unrestricted FTP port 21 access
- Network ACL should not allow unrestricted RDP port 3389 access
- Network ACL should not allow unrestricted SSH port 22 access
- Network ACL ingress rule should not allow access to all ports
- Unused network access control lists should be removed
- VPC network firewall should have deletion protection enabled
- VPC network firewall should be encrypted with KMS CMK
- VPC network firewall policy should define an encryption configuration that uses KMS CMK
- VPC network firewall rule group should be encrypted with KMS CMK
- VPC security groups should be associated with at least one ENI
- VPC security group should have description for rules
- Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389
- VPC security groups should restrict ingress SSH access from 0.0.0.0/0
- VPC security group rule should have description for rules
- VPC subnet auto-assign public IP should be disabled
- VPC transfer server should allow only secure protocols
- VPC transfer server should not be publicly accessible
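The following Terraform configuration is an added illustration, not code from this mod or from the page, of what a VPC definition looks like when it is written to satisfy the intent of several of the controls above (default security group with no rules, flow logs enabled, subnet not auto-assigning public IPs, security group rules carrying descriptions and not exposing SSH to 0.0.0.0/0). Resource names, CIDR ranges, the log group name and the IAM role are placeholder values chosen for the example; which Terraform resource types each control inspects is not stated on the page, so treat the mapping in the comments as the author's reading of the control titles.

```hcl
# Added example, not part of the steampipe-mod-terraform-aws-compliance mod.
# All names and CIDRs below are placeholders.

resource "aws_vpc" "main" {
  cidr_block = "10.0.0.0/16"
}

# "VPC default security group should not allow inbound and outbound traffic":
# managing the default SG with no ingress/egress blocks removes all its rules.
resource "aws_default_security_group" "main" {
  vpc_id = aws_vpc.main.id
}

# "VPC flow logs should be enabled": log ALL traffic to CloudWatch Logs.
resource "aws_cloudwatch_log_group" "flow" {
  name              = "/example/vpc-flow-logs" # placeholder
  retention_in_days = 90
}

# Role the VPC Flow Logs service assumes to write into the log group.
resource "aws_iam_role" "flow" {
  name = "example-vpc-flow-logs-role" # placeholder
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "vpc-flow-logs.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

# Least-privilege policy: only the actions needed to write log streams
# into this one log group.
resource "aws_iam_role_policy" "flow" {
  name = "example-vpc-flow-logs-policy" # placeholder
  role = aws_iam_role.flow.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["logs:CreateLogStream", "logs:PutLogEvents"]
      Resource = "${aws_cloudwatch_log_group.flow.arn}:*"
    }]
  })
}

resource "aws_flow_log" "main" {
  vpc_id               = aws_vpc.main.id
  traffic_type         = "ALL"
  log_destination_type = "cloud-watch-logs"
  log_destination      = aws_cloudwatch_log_group.flow.arn
  iam_role_arn         = aws_iam_role.flow.arn
}

# "VPC subnet auto-assign public IP should be disabled"
resource "aws_subnet" "app" {
  vpc_id                  = aws_vpc.main.id
  cidr_block              = "10.0.1.0/24"
  map_public_ip_on_launch = false
}

# "VPC security group should have description for rules" and
# "VPC security groups should restrict ingress SSH access from 0.0.0.0/0":
# every rule carries a description and SSH is limited to an internal range.
resource "aws_security_group" "app" {
  name        = "example-app" # placeholder
  description = "Application tier"
  vpc_id      = aws_vpc.main.id
}

resource "aws_vpc_security_group_ingress_rule" "ssh_internal" {
  security_group_id = aws_security_group.app.id
  description       = "SSH from the internal bastion range only"
  cidr_ipv4         = "10.0.100.0/24" # placeholder bastion range
  from_port         = 22
  to_port           = 22
  ip_protocol       = "tcp"
}

resource "aws_vpc_security_group_egress_rule" "all_out" {
  security_group_id = aws_security_group.app.id
  description       = "Allow all outbound"
  cidr_ipv4         = "0.0.0.0/0"
  ip_protocol       = "-1"
}
```

To check such a configuration against this benchmark, place it in the directory scanned by the Terraform plugin and run the benchmark command shown under Usage; a configuration that instead opened port 22 or 3389 to 0.0.0.0/0, omitted the `aws_flow_log` resource, or set `map_public_ip_on_launch = true` is the kind of drift the corresponding controls are written to flag.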