Benchmark: Boundary Protection (SC-7)
Description
The information system: a. Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; b. Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and c. Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.
Usage
Browse dashboards and select Boundary Protection (SC-7):
steampipe dashboard
Or run the benchmarks in your terminal:
steampipe check aws_compliance.benchmark.fedramp_low_rev_4_sc_7
Snapshot and share results via Steampipe Cloud:
steampipe login
steampipe check --share aws_compliance.benchmark.fedramp_low_rev_4_sc_7
Controls
- DMS replication instances should not be publicly accessible
- EBS snapshots should not be publicly restorable
- EC2 instances should be in a VPC
- EC2 instances should not have a public IP address
- ELB application load balancers should redirect HTTP requests to HTTPS
- ELB application load balancers should have Web Application Firewall (WAF) enabled
- ELB classic load balancers should use SSL certificates
- ELB classic load balancers should only use SSL or HTTPS listeners
- EMR cluster master nodes should not have public IP addresses
- ES domains should be in a VPC
- Elasticsearch domain node-to-node encryption should be enabled
- Lambda functions should be in a VPC
- Lambda functions should restrict public access
- RDS DB instances should prohibit public access
- RDS snapshots should prohibit public access
- Redshift cluster encryption in transit should be enabled
- Redshift clusters should prohibit public access
- S3 buckets should enforce SSL
- S3 buckets should prohibit public read access
- S3 buckets should prohibit public write access
- S3 public access should be blocked at account level
- S3 public access should be blocked at bucket levels
- SageMaker notebook instances should not have direct internet access
- VPC default security group should not allow inbound and outbound traffic
- VPC security groups should restrict ingress access on ports 20, 21, 22, 3306, 3389, 4333 from 0.0.0.0/0
- VPC security groups should restrict ingress SSH access from 0.0.0.0/0
- VPC security groups should restrict ingress TCP and UDP access from 0.0.0.0/0
- VPC subnet auto assign public IP should be disabled
- Logging should be enabled on AWS WAFv2 regional and global web access control lists (ACLs)