Networking policies
Ensure AWS Security Group does not allow all traffic on SSH port 22
Ensure Security Groups do not allow ingress from 0.0.0.0/0 to port 3389
Ensure AWS Default Security Group restricts all traffic
Ensure VPC peering routing tables have least access
Ensure EC2 instances do not have security groups attached
Ensure AWS VPC endpoints are not exposed
Ensure Security Groups do not have unrestricted access
Ensure Security Groups accept traffic only on ports 80 and 443
Ensure EC2 instance does not have unrestricted security group attached
Ensure RDS database does not have unrestricted security group attached
Ensure network interface does not have unrestricted security group attached
Ensure classical load balancer does not have unrestricted security group attached
Ensure application load balancer does not have unrestricted security group attached
Do not use default settings of a VPC
Ensure Internet-facing ELBs are whitelisted
Ensure ALB protocol is HTTPS (Violation ID: BC_AWS_NETWORKING_29)
Ensure every Security Group rule has a description
Ensure CloudFront distribution ViewerProtocolPolicy is set to HTTPS
Ensure CloudFront distributions do not use deprecated SSL protocols
Ensure ELBs do not allow insecure SSL protocols or ciphers
Ensure EC2 instances behind load balancers are not publicly accessible
Ensure DocDB TLS is not disabled
Ensure AWS SageMaker notebook instance is configured with direct internet access disabled
Ensure VPC endpoint service is configured for manual acceptance
Ensure Amazon EMR clusters' security groups are not open to the world
Ensure that ALB drops invalid HTTP header fields
Ensure that Elasticsearch is configured inside a VPC
Ensure ELB has cross-zone-load-balancing enabled
Ensure AWS Redshift clusters are not publicly accessible
Ensure auto scaling groups associated with a load balancer use elastic load balancing health checks
Ensure AWS EC2 instance is configured with VPC
Ensure all EIP addresses allocated to a VPC are attached to EC2 instances or NAT Gateways
Ensure ALB redirects HTTP requests into HTTPS ones
Ensure all NACLs are attached to subnets
Ensure Security Groups are attached to EC2 instances or ENIs
Ensure S3 Bucket has public access blocks
Ensure VPC subnets do not assign public IP by default
Ensure no default VPC is planned to be provisioned
Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled
Ensure Redshift is not deployed outside of a VPC
Ensure Transfer Server is not exposed publicly
Ensure public facing ALB are protected by WAF
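Several of the security-group policies above (SSH open on port 22, RDP open on 3389, unrestricted ingress, ingress from anywhere on anything other than 80/443, rules without a description, and a default security group that permits traffic) can be evaluated from the JSON that `aws ec2 describe-security-groups` returns. The following is an added example written for this page, not Bridgecrew or Checkov code; it assumes the `describe-security-groups` field names (`IpPermissions`, `IpRanges`, `Ipv6Ranges`, `CidrIp`, `CidrIpv6`, `Description`), and the sample group and the finding labels are constructed for the example. The "only ports 80 and 443" policy is interpreted here as: a rule reachable from 0.0.0.0/0 or ::/0 may cover only port 80 or port 443.

```python
"""Evaluate one AWS security group against the ingress policies listed above.

Added example for this page, not Bridgecrew/Checkov code. The input shape
follows `aws ec2 describe-security-groups` JSON; the sample group below is
constructed and does not describe a real account.
"""

ANYWHERE = {"0.0.0.0/0", "::/0"}   # CIDRs that mean "the whole Internet"
WEB_PORTS = {80, 443}              # the only ports allowed to be world-open


def _port_range(perm):
    """Return (from, to) for a rule; protocol -1 (all traffic) covers every port."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def _cidrs(perm):
    """Yield (cidr, description) for each IPv4 and IPv6 range on a rule."""
    for r in perm.get("IpRanges", []):
        yield r["CidrIp"], r.get("Description")
    for r in perm.get("Ipv6Ranges", []):
        yield r["CidrIpv6"], r.get("Description")


def evaluate_security_group(sg):
    """Return a sorted list of (policy, detail) findings for one security group.

    Policy labels are hypothetical names chosen for this example; they map onto
    the policy titles in the list above, not onto real Bridgecrew violation IDs.
    """
    findings = set()

    # "Ensure AWS Default Security Group restricts all traffic"
    if sg.get("GroupName") == "default" and (
        sg.get("IpPermissions") or sg.get("IpPermissionsEgress")
    ):
        findings.add(("default_sg_allows_traffic", sg.get("GroupId", "")))

    for perm in sg.get("IpPermissions", []):
        lo, hi = _port_range(perm)
        for cidr, desc in _cidrs(perm):
            # "Ensure every Security Group rule has a description"
            if not desc:
                findings.add(("rule_missing_description", f"{cidr} {lo}-{hi}"))
            if cidr not in ANYWHERE:
                continue  # remaining policies only concern world-reachable rules
            if lo <= 22 <= hi:
                findings.add(("ssh_open_to_world", cidr))
            if lo <= 3389 <= hi:
                findings.add(("rdp_open_to_world", cidr))
            if perm.get("IpProtocol") == "-1" or (lo == 0 and hi == 65535):
                findings.add(("unrestricted_ingress", cidr))
            # Only a single-port rule on 80 or 443 may face the Internet.
            if not (lo == hi and lo in WEB_PORTS):
                findings.add(("non_web_port_open_to_world", f"{cidr} {lo}-{hi}"))
    return sorted(findings)


# Constructed sample group: one compliant rule, one bare SSH rule, one
# internal RDP rule, and one all-traffic IPv6 rule.
SAMPLE_SG = {
    "GroupId": "sg-0123456789abcdef0",
    "GroupName": "web-sg",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "public HTTPS"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "10.0.0.0/8", "Description": "RDP from corp"}]},
        {"IpProtocol": "-1",
         "Ipv6Ranges": [{"CidrIpv6": "::/0", "Description": "legacy"}]},
    ],
}


if __name__ == "__main__":
    for policy, detail in evaluate_security_group(SAMPLE_SG):
        print(f"{SAMPLE_SG['GroupId']}: {policy} ({detail})")
```

Feed real output from `describe-security-groups` through `evaluate_security_group` one group at a time; the IPv6 `::/0` case is included deliberately, because checks that only look at `IpRanges` miss an all-traffic rule that is world-open via `Ipv6Ranges`.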