Benchmark: Access Enforcement (AC-3)

Usage

Browse dashboards and select Access Enforcement (AC-3):

steampipe dashboard

Or run the benchmarks in your terminal:

steampipe check aws_compliance.benchmark.fedramp_low_rev_4_ac_3

Snapshot and share results via Steampipe Cloud:

steampipe login
steampipe check --share aws_compliance.benchmark.fedramp_low_rev_4_ac_3

Controls

• Auto Scaling launch config public IP should be disabled
• DMS replication instances should not be publicly accessible
• EBS snapshots should not be publicly restorable
• EC2 instances should not have a public IP address
• EC2 instances should use IMDSv2
• ECS task definition container definitions should be checked for host mode
• EMR cluster master nodes should not have public IP addresses
• ES domains should be in a VPC
• Ensure IAM policy should not grant full access to service
• IAM groups should have at least one user
• IAM groups, users, and roles should not have any inline policies
• IAM policy should not have statements with admin access
• IAM root user should not have access keys
• IAM users should be in at least one group
• IAM user should not have any inline or attached policies
• IAM user credentials that have not been used in 90 days should be disabled
• Lambda functions should be in a VPC
• Lambda functions should restrict public access
• RDS DB instances should prohibit public access
• RDS snapshots should prohibit public access
• Redshift clusters should prohibit public access
• S3 buckets should prohibit public read access
• S3 buckets should prohibit public write access
• S3 public access should be blocked at account level
• S3 public access should be blocked at bucket levels
• SageMaker notebook instances should not have direct internet access
• VPC subnet auto assign public IP should be disabled

Tags