Infrastructure-as-Code Scan Results
Configuration: Terraform Controls
Result: Failed
Scan on May 01, 2020 @ 18:07:19 with 1 skipped resource.
Information on the scan is included below.
Network Without Traffic Logging
Address | Name | Region | Status
aws_vpc.my_vpc | tf-example | us-east-2 | Failed
None | VPCPrep | us-east-2 | Failed
Overview
Network traffic logs (VPC Flow Logs on AWS) capture metadata about the IP traffic going to and from network interfaces in a network: source and destination addresses and ports, protocol, byte and packet counts, and whether the flow was accepted or rejected, but not packet contents. They provide visibility into traffic that traverses the network and can be used to detect anomalous traffic and to support investigations during security workflows.
Remediation
Leverage Bot automation to identify and monitor for Networks without traffic logging enabled. Take automated action to delete networks that remain non-compliant.
Recommend Bot Workflow
- Mark Resource Noncompliant: Mark Networks without traffic logging enabled
- Send Email/Slack Notification: Notify operations/security team of Networks without traffic logging enabled. Separately, using cloud badges or resource tags, identify Network owners and notify them of the steps needed to enable traffic logging
- Delete Resource: After providing sufficient time for corrective action, delete Network
Amazon Web Services
- Sign in to the management console
- Select Services then VPC
- In the left navigation pane, select Your VPCs
- Select a VPC
- In the lower pane, select the Flow Logs tab
- If no Flow Log exists, click Create Flow Log
- For Filter, select Reject (select All if accepted flows are also wanted for investigations)
- Select an IAM role that the flow logs service may assume to write to CloudWatch Logs, and a destination log group
- Click Create Flow Log
- Open the log group in CloudWatch Logs and confirm that log streams appear for the VPC's network interfaces
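The same remediation expressed in Terraform, since the finding is against the Terraform resource aws_vpc.my_vpc. This is an added example, not code from the scan report or the scanned project; the log group name, role name, retention period and the AWS provider version (3.x or later, where the log group ARN has no trailing ":*") are assumptions.

```hcl
# Added example: enable VPC Flow Logs on the flagged VPC (aws_vpc.my_vpc).
# Names, retention and provider version (>= 3.x) are assumptions.

resource "aws_cloudwatch_log_group" "vpc_flow" {
  name              = "/vpc/flow-logs/tf-example" # assumed name
  retention_in_days = 90                          # assumed; align with your audit retention policy
}

# Role that the VPC Flow Logs service assumes to write into CloudWatch Logs.
resource "aws_iam_role" "vpc_flow" {
  name = "vpc-flow-logs-tf-example" # assumed name

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "vpc-flow-logs.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

# Least privilege: the role can only write streams into the one log group above.
resource "aws_iam_role_policy" "vpc_flow" {
  name = "vpc-flow-logs-write"
  role = aws_iam_role.vpc_flow.id

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect   = "Allow"
        Action   = ["logs:CreateLogStream", "logs:PutLogEvents", "logs:DescribeLogStreams"]
        Resource = "${aws_cloudwatch_log_group.vpc_flow.arn}:*"
      },
      {
        # DescribeLogGroups is account-scoped and only accepts "*".
        Effect   = "Allow"
        Action   = ["logs:DescribeLogGroups"]
        Resource = "*"
      },
    ]
  })
}

resource "aws_flow_log" "my_vpc" {
  vpc_id               = aws_vpc.my_vpc.id
  iam_role_arn         = aws_iam_role.vpc_flow.arn
  log_destination_type = "cloud-watch-logs"
  log_destination      = aws_cloudwatch_log_group.vpc_flow.arn

  # "REJECT" matches the console steps above and the CIS check;
  # use "ALL" if accepted flows are also wanted for investigations.
  traffic_type             = "REJECT"
  max_aggregation_interval = 60

  tags = { Name = "tf-example-flow-log" }
}
```

Once applied, the VPC in the "Network Without Traffic Logging" table has an aws_flow_log attached and the control passes on the next scan; the second row (the VPCPrep module with no address) needs the same resource added in that module.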
Compliance Information
- NIST 800-53 (Rev 4) - Do not publish: AU-12
- HIPAA: Audit Controls - §164.312(b)
- NIST 800-53: AU-12
- PCI DSS: Requirement 10: Track and monitor all access to network resources and cardholder data
- NIST Cyber Security Framework (CSF): DE.CM-1
- Center for Internet Security (CIS) - AWS: Logging 2.9
- GDPR: Article 30: Maintain Records of Processing Activities
- ISO 27001: A.10.10.1 - Audit Logging
- SOC 2: A1.2, CC6.1
- FedRAMP CCM 3.0.1: IVS-01
Instance Associated With Default Access List (Security Group)
Address | Name | Region | Status
aws_instance.foo | aws_instance.foo | us-east-2 | Success
Overview
Cloud Networks (VPCs) come with a default Access List (Security Group) whose initial rules deny all inbound traffic from outside the group, allow all outbound traffic, and allow all traffic between instances assigned to the group. Users often make these rules more permissive. If you do not specify a security group when you launch an instance, the instance is automatically placed in the default security group, with whatever rules it has accumulated by then. Because security groups provide stateful filtering of ingress/egress network traffic to cloud resources, every instance should be assigned a purpose-specific security group, and the default security group should be left with no rules at all.
Remediation
Leverage Bot automation to identify and monitor for Instances associated with the default Access List (Security Group). Take automated action to detach the default security group from those Instances (the default group itself cannot be deleted, only emptied).
Recommend Bot Workflow
- Mark Resource Noncompliant: Mark Instances associated with the default Access List (Security Group)
- Send Email/Slack Notification: Notify operations/security team of Instances associated with the default Access List (Security Group). Separately, using cloud badges or resource tags, identify Instance owners and notify them of the steps needed to replace the default Access List (Security Group) with a purpose-specific one
- Modify Security Groups: After providing sufficient time for corrective action, detach the default Access List (Security Group) from the Instance. An instance must keep at least one security group, so attach the replacement first
Amazon Web Services
- Log in to the AWS Management Console at https://console.aws.amazon.com/vpc/home
- Repeat the next steps for all VPCs, including the default VPC in each AWS region:
- In the left pane, click Security Groups
- For each default security group, perform the following:
o Select the default security group
o Click the Inbound Rules tab
o Remove any inbound rules
o Click the Outbound Rules tab
o Remove any outbound rules
Any instance still in the default security group loses all connectivity once its rules are removed, so move instances to purpose-specific groups before emptying the default.
Compliance Information
- FedRAMP CCM 3.0.1: IVS-11
- NIST 800-53 (Rev 4) - Do not publish: AC-6, AC-17, AC-17(1), RA-5, SA-17(7)
- GDPR: Article 25: Data protection by Design and by Default
- Center for Internet Security (CIS) - AWS: Networking 4.4
- SOC 2: C1.1, C1.2, C1.7
Instance With a Public IP Exposing SSH
Address | Name | Region | Status
aws_instance.foo | aws_instance.foo | us-east-2 | Success
Overview
Security groups provide stateful filtering of ingress/egress network traffic to cloud resources. It is recommended that no security group allows unrestricted ingress access (0.0.0.0/0 or ::/0) to port 22, and that instances which must accept SSH do so only from administrative networks or a bastion host, ideally without a public IP address at all.
Remediation
Leverage Bot automation to identify and monitor for Instances for public exposure of port 22. Take automated action to modify Instance security groups, disassociate public IPs, or modify lifecycle state by stopping or (backing up and then) terminating Instances
Recommend Bot Workflow
- Mark Resource Noncompliant: Mark Instances that have a public IP address and expose SSH
- Send Email/Slack Notification: Notify operations/security team of Instances that have a public IP address and expose SSH. Separately, using cloud badges or resource tags, identify Instance owners and notify them of the steps needed to disable public exposure of port 22
- Modify Security Groups: After providing sufficient time for corrective action, modify the Instances' security groups
- Disassociate Public IP: After providing sufficient time for corrective action, disassociate the Instances' public IP
- Stop Instance: After providing sufficient time for corrective action, stop Instances
- Terminate Instance: After providing sufficient time for corrective action, Create Image of Instances and then terminate
Amazon Web Services
- Log in to the AWS Management Console at https://console.aws.amazon.com/vpc/home
- In the left pane, click Security Groups
- For each security group, perform the following:
o Select the security group
o Click the Inbound Rules tab
o Identify the inbound rules that allow port 22 from 0.0.0.0/0, ::/0, or any range wider than your administrative networks
o Click the x in the Remove column
o Click Save
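The Terraform form of the fix for both of the aws_instance.foo controls above (default security group, and public IP exposing SSH): the VPC's default security group is emptied, the instance gets an explicit security group whose SSH rule is limited to an administrative range, and the instance gets no public address. This is an added example, not code from the scan report or the scanned project; aws_vpc.my_vpc, aws_subnet.my_subnet and aws_instance.foo are the resources named in the report, while the AMI ID, instance type, admin CIDR and resource names are assumptions.

```hcl
# Added example: explicit security group for aws_instance.foo, default
# security group emptied, SSH reachable only from an admin network, no
# public IP. AMI, instance type, admin CIDR and names are assumptions.

variable "admin_cidr" {
  description = "Network allowed to reach SSH (VPN or bastion range); assumed value"
  type        = string
  default     = "10.0.0.0/8" # placeholder; never 0.0.0.0/0 or ::/0
}

# Managing the default security group with no ingress/egress blocks makes
# Terraform delete every rule in it, so anything still attached to it gets
# no traffic. That is the intent here, but check nothing depends on it first.
resource "aws_default_security_group" "default" {
  vpc_id = aws_vpc.my_vpc.id
  tags   = { Name = "default-do-not-use" }
}

resource "aws_security_group" "foo" {
  name        = "foo-instance" # assumed name
  description = "Explicit rules for aws_instance.foo"
  vpc_id      = aws_vpc.my_vpc.id

  # The weak form that the "public IP exposing SSH" control flags would be:
  #   cidr_blocks = ["0.0.0.0/0"]
  # Hardened form: SSH only from the admin range.
  ingress {
    description = "SSH from admin network"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [var.admin_cidr]
  }

  egress {
    description = "HTTPS out (package updates, AWS APIs)"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_instance" "foo" {
  ami           = "ami-0123456789abcdef0" # assumed AMI ID
  instance_type = "t3.micro"              # assumed
  subnet_id     = aws_subnet.my_subnet.id

  # No public address at all; reach the host through the VPN or bastion.
  associate_public_ip_address = false

  # Setting vpc_security_group_ids replaces the implicit default group.
  vpc_security_group_ids = [aws_security_group.foo.id]

  tags = { Name = "aws_instance.foo" }
}
```

Because security groups are stateful, the single egress rule is enough for outbound HTTPS replies; SSH replies to the admin network are allowed automatically by the ingress rule. If SSH from outside the VPC is not needed at all, drop the ingress block entirely and use Systems Manager Session Manager or a bastion security group as the source instead of a CIDR.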
Compliance Information
- NIST 800-53 (Rev 4) - Do not publish: AC-6, AC-17, AC-17(1), RA-5, SC-7, SC-8, SA-17(7)
- PCI DSS: Requirement 1: Install and maintain a firewall configuration to protect cardholder data
- NIST Cyber Security Framework (CSF): ID.RA-1
- Center for Internet Security (CIS) - AWS: Networking 4.1
- NIST 800-53: CM-7
- GDPR: Article 25: Data protection by Design and by Default
- SOC 2: C1.2, C1.3, C1.7, CC5.6
Private Subnet Using Default Access Lists (NACLs)
Address | Name | Region | Status
aws_subnet.my_subnet | tf-example | us-east-2 | Success
Overview
Every VPC comes with a default Access List (NACL) whose initial rules allow all inbound and outbound traffic. If you do not associate a NACL with a Subnet when you create it, the Subnet is automatically associated with the VPC's default NACL. It is recommended that every Private Subnet be associated with a purpose-specific NACL whose rules match the traffic the subnet actually needs.
Remediation
Leverage Bot automation to identify and monitor for Private Subnets associated with default Access Lists (NACLs)
Recommend Bot Workflow
- Mark Resource Noncompliant: Mark Private Subnets associated with default Access Lists (NACLs)
- Send Email/Slack Notification: Notify operations/security team of Private Subnets associated with default Access Lists (NACLs). Separately, using cloud badges or resource tags, identify Private Subnet owners and notify them of the steps needed to move the Private Subnets off the default Access List (NACL) onto a purpose-specific one
Amazon Web Services
- Log in to the AWS Management Console at https://console.aws.amazon.com/vpc/home
- Repeat the next steps for all VPCs:
- In the left pane, click Network ACLs
- For each default NACL, perform the following:
o Click the Inbound Rules tab
o Remove any inbound rules
o Click the Outbound Rules tab
o Remove any outbound rules
Removing the rules from a default NACL stops all traffic in every subnet still associated with it, so associate each subnet with its own NACL before emptying the default.
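The Terraform form of this remediation for aws_subnet.my_subnet: a dedicated NACL explicitly associated with the private subnet, and the VPC's default NACL emptied as the console steps above do. This is an added example, not code from the scan report or the scanned project; aws_vpc.my_vpc and aws_subnet.my_subnet are the resources named in the report, while the rule numbers, ports and the assumption that the subnet only talks inside the VPC and fetches updates over HTTPS through a NAT gateway are this example's.

```hcl
# Added example: dedicated NACL for the private subnet aws_subnet.my_subnet,
# default NACL emptied. Rule numbers, ports and traffic pattern are assumptions.

resource "aws_network_acl" "private" {
  vpc_id     = aws_vpc.my_vpc.id
  subnet_ids = [aws_subnet.my_subnet.id] # explicit association, off the default
  tags       = { Name = "private-tf-example" }

  # NACLs are stateless: every flow needs a rule in both directions.

  # Inbound from inside the VPC (application traffic, SSH from a bastion).
  ingress {
    rule_no    = 100
    protocol   = "tcp"
    action     = "allow"
    cidr_block = aws_vpc.my_vpc.cidr_block
    from_port  = 0
    to_port    = 65535
  }

  # Replies to outbound HTTPS; 1024-65535 covers Linux clients and the NAT gateway.
  ingress {
    rule_no    = 110
    protocol   = "tcp"
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = 1024
    to_port    = 65535
  }

  # Outbound to the VPC, including replies to connections admitted by rule 100.
  egress {
    rule_no    = 100
    protocol   = "tcp"
    action     = "allow"
    cidr_block = aws_vpc.my_vpc.cidr_block
    from_port  = 0
    to_port    = 65535
  }

  # Outbound HTTPS through the NAT gateway (package updates, AWS APIs).
  egress {
    rule_no    = 110
    protocol   = "tcp"
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = 443
    to_port    = 443
  }
  # Anything not matched above hits the implicit "*" deny rule.
}

# Managing the default NACL with no ingress/egress blocks makes Terraform
# remove all of its rules, so any subnet still associated with it gets no
# traffic; move every subnet to a dedicated NACL first.
resource "aws_default_network_acl" "default" {
  default_network_acl_id = aws_vpc.my_vpc.default_network_acl_id
  tags                   = { Name = "default-do-not-use" }

  lifecycle {
    # Subnets are claimed by dedicated NACLs; don't let Terraform try to
    # pull them back into the default association list.
    ignore_changes = [subnet_ids]
  }
}
```

Unlike the security group example, the inbound ephemeral-port rule is unavoidable here because NACLs do not track connection state; narrow its source to the NAT gateway's subnet or keep the port range as small as your clients allow.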
Compliance Information
- FedRAMP CCM 3.0.1: IVS-11
- NIST 800-53 (Rev 4) - Do not publish: AC-6, SA-17(7)
- GDPR: Article 32: Security of processing
- ISO 27001: A.10.6.2 - Network security management
- Center for Internet Security (CIS) - AWS: Networking 4.4
- SOC 2: C1.1, C1.2