AlgoSec Best Practices for AWS provide a baseline for your cloud network configuration and security policy across all your AWS accounts, assets, and security controls.
To read more about AlgoSec Best Practices, please visit the AlgoSec home page.

AlgoSec Best Practices requirements (64)

Each requirement is listed as "AlgoSec <ID> (<Severity>): <Title>", followed by its Description and Remediation. The -I-SG requirements cover security-group rules whose remote side is public (Internet) IP addresses; the -NI-SG requirements cover the same patterns where the remote side is private IP addresses, usually at a lower severity.

AlgoSec O01-I-SG (High): Outbound "To Any allow Any service" rules to Public IPs
Description: Outbound rules of the form "to Any with service Any" are usually more open than necessary. Allowing all services also allows many services that are known to be risky, most of which you probably do not use in your business, and allowing access to all destinations may permit exfiltration of information.
Remediation: Restrict the rules to the destination IPs you really use and to the services your applications rely on, for example by deploying a stateful firewall for outbound traffic.

AlgoSec O02-I-SG (Critical): Outbound "To Any allow all TCP" rules to Public IPs
Description: Outbound rules of the form "to Any with all TCP" are usually more open than necessary. Allowing all TCP also allows many services that are known to be risky, most of which you probably do not use in your business, and allowing access to all destinations may permit exfiltration of information.
Remediation: Restrict the rules to the destination IPs you really use and to the services your applications rely on, for example by deploying a stateful firewall for outbound traffic.

AlgoSec O03-I-SG (Critical): Outbound "To Any allow all UDP" rules to Public IPs
Description: Outbound rules of the form "to Any with all UDP" are usually more open than necessary. Allowing all UDP also allows many services that are known to be risky, most of which you probably do not use in your business, and allowing access to all destinations may permit exfiltration of information.
Remediation: Restrict the rules to the destination IPs you really use and to the services your applications rely on, for example by deploying a stateful firewall for outbound traffic.

AlgoSec O04-I-SG (High): TCP on all ports can exit your network to Public IPs
Description: Allowing TCP on all ports to exit your network is extremely risky, since this includes many vulnerable services. The largest threat is malware (Trojan horses) on a compromised instance contacting its controllers, followed by unintended information leakage and the spread of malicious code such as viruses and worms.
Remediation: Review all the rules that allow outbound traffic with TCP on all ports and limit them to the services you actually require, for example by deploying a stateful firewall for outbound traffic.

AlgoSec O05-I-SG (High): "Any" service can exit your network to Public IPs
Description: Allowing the "Any" service to exit your network is extremely risky, since "Any" includes many vulnerable services. The largest threat is malware (Trojan horses) on a compromised instance contacting its controllers, followed by unintended information leakage and the spread of malicious code such as viruses and worms.
Remediation: Review all the rules that allow outbound traffic with the "Any" service and limit them to the services you actually require.

AlgoSec O06-I-SG (High): UDP on all ports can exit your network to Public IPs
Description: Allowing UDP on all ports to exit your network is extremely risky, since this includes many vulnerable services. The largest threat is malware (Trojan horses) on a compromised instance contacting its controllers, followed by unintended information leakage and the spread of malicious code such as viruses and worms.
Remediation: Review all the rules that allow outbound traffic with UDP on all ports and limit them to the services you actually require, for example by deploying a stateful firewall for outbound traffic.

AlgoSec O07-I-SG (High): FTP can exit your network to Public IPs
Description: Letting FTP (File Transfer Protocol, TCP/21) exit your network is risky because it is not encrypted: it is authenticated only by simple passwords, which are transmitted in the clear. Serious vulnerabilities have been found in many versions of FTP server software. You may have many FTP servers on your internal networks, and it is difficult to ensure that they are all properly hardened; a compromised or infected machine could access or damage the data on these servers.
Remediation: Eliminate rules that allow access to this port to public IPs. For file transfer, use secure alternatives such as SFTP.

AlgoSec O08-I-SG (Medium): Risky Microsoft services can exit your network to Public IPs
Description: Allowing Microsoft's NetBIOS, SMB and RPC services (UDP/137, UDP/138, TCP/135, TCP/139, TCP/445, TCP/593) to exit your network is risky. These services provide file and printer sharing for Microsoft Windows machines and are among the most attacked services on the Internet. They are a vector for worms and viruses and potentially expose your network and data.
Remediation: Eliminate rules that allow access to these ports to public IPs.

AlgoSec O09-I-SG (Medium): SMTP can exit your network to more than 256 Public IPs
Description: Allowing outbound SMTP access on TCP ports 25, 465 or 587 from many internal machines is risky. Outbound SMTP (e-mail) should originate only from your public mail servers. E-mail is a vector for many viruses and worms; computers that can send e-mail directly, rather than through your organization's designated mail servers, bypass your network's e-mail filters and can spread viruses and worms to other networks. Outbound SMTP access should therefore be limited to your properly hardened public mail servers.
Remediation: Restrict the rules to the destination IPs you really use, and limit the number of public IP addresses that can be reached on these ports.
AlgoSec I01-I-SG (Critical): Inbound "From Any allow Any service" rules from Public IPs
Description: Inbound rules of the form "from Any with service Any: PASS" are usually more open than necessary. Allowing all services also allows many services that are known to be risky, most of which you probably do not use in your business, and allowing access from all sources may allow access from risky locations. This subnet is reachable from the Internet, which elevates the level of risk.
Remediation: Restrict the rules to the source IPs and services you really use.

AlgoSec I02-I-SG (Critical): Inbound "From Any allow all TCP" rules from Public IPs
Description: Inbound rules of the form "from Any with all TCP: PASS" are usually more open than necessary. Allowing all TCP also allows many services that are known to be risky, most of which you probably do not use in your business, and allowing access from all sources may allow access from risky locations. This subnet is reachable from the Internet, which elevates the level of risk.
Remediation: Restrict the rules to the source IPs and services you really use.

AlgoSec I03-I-SG (Critical): Inbound "From Any allow all UDP" rules from Public IPs
Description: Inbound rules of the form "from Any with all UDP: PASS" are usually more open than necessary. Allowing all UDP also allows many services that are known to be risky, most of which you probably do not use in your business, and allowing access from all sources may allow access from risky locations. This subnet is reachable from the Internet, which elevates the level of risk.
Remediation: Restrict the rules to the source IPs and services you really use.

AlgoSec I04-I-SG (High): "Any" service can enter your network from Public IPs
Description: Allowing the "Any" service to enter your network is extremely risky, since "Any" includes many vulnerable services. This is risky even if the traffic is allowed only from business partners or through VPNs.
Remediation: Review all the rules that allow inbound traffic with the "Any" service and limit them to the services you actually require.

AlgoSec I05-I-SG (High): TCP on all ports can enter your network from Public IPs
Description: Allowing TCP on all ports to enter your network is extremely risky, since this includes many vulnerable services. This is risky even if the traffic is allowed only from business partners or through VPNs: a remote laptop connecting through a VPN could easily infect your network with a worm or virus.
Remediation: Review all the rules that allow inbound traffic with TCP on all ports and limit them to the services you actually require.

AlgoSec I06-I-SG (High): UDP on all ports can enter your network from Public IPs
Description: Allowing UDP on all ports to enter your network is extremely risky, since this includes many vulnerable services. This is risky even if the traffic is allowed only from business partners or through VPNs: a remote laptop connecting through a VPN could easily infect your network with a worm or virus.
Remediation: Review all the rules that allow inbound traffic with UDP on all ports and limit them to the services you actually require.

AlgoSec I07-I-SG (High): LDAP Port TCP/389, UDP/389 open from Public IPs
Description: Your cloud LDAP server is accessible on the LDAP port (TCP/389, UDP/389). LDAP (Lightweight Directory Access Protocol) is the protocol used to query and modify directory services, which typically hold the user accounts, group memberships and other data used to control access to systems and network devices. Plain LDAP on port 389 is unencrypted unless StartTLS is negotiated, and allowing access to these ports from public IP addresses is risky.
Remediation: Eliminate rules that allow access to these ports from the Internet.

AlgoSec I08-I-SG (High): Port 3020 can enter your network from Public IPs
Description: Your cloud estate is accessible using the CIFS file-sharing protocol over TCP/3020. Allowing file-sharing access from public IP addresses is risky.
Remediation: Eliminate rules that allow access to this port from the Internet.

AlgoSec I09-I-SG (High): Database port TCP/9000 can enter your network from Public IPs
Description: Your Hadoop cluster is accessible on TCP/9000, the port commonly used by the HDFS NameNode RPC service. Hadoop is a framework for distributed storage and data processing that gives access to the stored data and may act as a database. Opening this port to public IPs is risky.
Remediation: Eliminate rules that allow access to this port from the Internet.

AlgoSec I10-I-SG (High): Administrative port TCP/1434 can enter your network from Public IPs
Description: Your cloud database management system is accessible using the MSSQL Dedicated Administrator Connection (DAC) port TCP/1434. MSSQL is Microsoft's SQL Server database management system. Databases underpin e-business, financial, banking and Enterprise Resource Planning (ERP) systems and hold critical information about partners, customers and employees. They are extremely complex applications that are often difficult to configure and secure correctly, so serious vulnerabilities and misconfigurations frequently go unchecked or undetected. For this reason, allowing direct inbound access to your corporate databases is risky.
Remediation: Eliminate rules that allow access to this port from the Internet.

AlgoSec I11-I-SG (High): MSSQL (UDP/1434) can enter your network from Public IPs
Description: Your cloud database management system is accessible using the MSSQL port UDP/1434, on which the SQL Server Browser service advertises instance names and ports. MSSQL is Microsoft's SQL Server database management system. Databases underpin e-business, financial, banking and Enterprise Resource Planning (ERP) systems and hold critical information about partners, customers and employees. They are extremely complex applications that are often difficult to configure and secure correctly, so serious vulnerabilities and misconfigurations frequently go unchecked or undetected. For this reason, allowing direct inbound access to your corporate databases is risky.
Remediation: Eliminate rules that allow access to this port from the Internet.

AlgoSec I12-I-SG (High): Database port TCP/27017-27019 can enter your network from Public IPs
Description: Your cloud database management system is accessible on the MongoDB wire-protocol ports TCP/27017-27019 (by default 27017 for mongod and mongos, 27018 for shard servers and 27019 for config servers), which expose the MongoDB API. Databases underpin e-business, financial, banking and Enterprise Resource Planning (ERP) systems and hold critical information about partners, customers and employees. They are extremely complex applications that are often difficult to configure and secure correctly, so serious vulnerabilities and misconfigurations frequently go unchecked or undetected. For this reason, allowing direct inbound access to your corporate databases is risky.
Remediation: Eliminate rules that allow access to these ports from the Internet.

AlgoSec I13-I-SG (High): Database port TCP/3306 can enter your network from Public IPs
Description: Your cloud database management system is accessible on MySQL's default client port TCP/3306. MySQL is a relational database management system (RDBMS). Databases underpin e-business, financial, banking and Enterprise Resource Planning (ERP) systems and hold critical information about partners, customers and employees. They are extremely complex applications that are often difficult to configure and secure correctly, so serious vulnerabilities and misconfigurations frequently go unchecked or undetected. For this reason, allowing direct inbound access to your corporate databases is risky.
Remediation: Eliminate rules that allow access to this port from the Internet.

AlgoSec I14-I-SG (High): Administrative port UDP/161 can enter your network from Public IPs
Description: Your cloud estate is accessible using the SNMP service (UDP/161). SNMP (Simple Network Management Protocol) is used to monitor and manage networking and edge devices; SNMPv1 and SNMPv2c authenticate only with community strings sent in the clear. Allowing SNMP from public IP addresses is risky.
Remediation: Eliminate rules that allow access to this port from the Internet.

AlgoSec I15-I-SG (High): Telnet can enter your network from Public IPs
Description: Telnet (TCP/23) is a remote-login service that is not encrypted. It is authenticated only by simple passwords, which are transmitted in the clear.
Remediation: Eliminate rules that allow access to this port from the Internet.

AlgoSec I16-I-SG (High): Risky Microsoft services can enter your network from Public IPs
Description: Allowing Microsoft's NetBIOS, SMB and RPC services (UDP/137, UDP/138, TCP/135, TCP/139, TCP/445, TCP/593) to cross into your network is extremely risky. These services provide SMB file sharing and printer sharing for Microsoft Windows machines and are among the most attacked services on the Internet. They are a vector for worms and viruses and potentially expose your network and data.
Remediation: Eliminate rules that allow access to these ports from the Internet.

AlgoSec I17-I-SG (High): Database port TCP/1433 can enter your network from Public IPs
Description: Your cloud database management system is accessible on MSSQL's default port TCP/1433. MSSQL is Microsoft's SQL Server database management system. Databases underpin e-business, financial, banking and Enterprise Resource Planning (ERP) systems and hold critical information about partners, customers and employees. They are extremely complex applications that are often difficult to configure and secure correctly, so serious vulnerabilities and misconfigurations frequently go unchecked or undetected. For this reason, allowing direct inbound access to your corporate databases is risky.
Remediation: Eliminate rules that allow access to this port from the Internet.

AlgoSec I18-I-SG (High): Database port TCP/5432 can enter your network from Public IPs
Description: Allowing inbound access using the PostgreSQL database protocol (TCP/5432) may expose your most critical databases to attack. Databases underpin e-business, financial, banking and Enterprise Resource Planning (ERP) systems and hold critical information about partners, customers and employees. They are extremely complex applications that are often difficult to configure and secure correctly, so serious vulnerabilities and misconfigurations frequently go unchecked or undetected. For this reason, allowing direct inbound access to your corporate databases is risky.
Remediation: Eliminate rules that allow access to this port from the Internet.

AlgoSec I19-I-SG (High): Database port TCP/523 can enter your network from Public IPs
Description: Allowing inbound access using the IBM DB2 database protocol (TCP/523) may expose your most critical databases to attack. Databases underpin e-business, financial, banking and Enterprise Resource Planning (ERP) systems and hold critical information about partners, customers and employees. They are extremely complex applications that are often difficult to configure and secure correctly, so serious vulnerabilities and misconfigurations frequently go unchecked or undetected. For this reason, allowing direct inbound access to your corporate databases is risky.
Remediation: Eliminate rules that allow access to this port from the Internet.

AlgoSec I20-I-SG (High): Database port TCP/1521 can enter your network from Public IPs
Description: Allowing inbound access using Oracle's SQL*Net database protocol (TCP/1521) may expose your most critical databases to attack. Databases underpin e-business, financial, banking and Enterprise Resource Planning (ERP) systems and hold critical information about partners, customers and employees. They are extremely complex applications that are often difficult to configure and secure correctly, so serious vulnerabilities and misconfigurations frequently go unchecked or undetected. For this reason, allowing direct inbound access to your corporate databases is risky.
Remediation: Eliminate rules that allow access to this port from the Internet.

AlgoSec I21-I-SG (Medium): RPC can enter your network from Public IPs
Description: The Sun RPC service (TCP/UDP port 111) is used by the Unix portmapper daemon to locate services such as NFS. Allowing such traffic in could expose your data if you have Unix file servers.
Remediation: Eliminate rules that allow access to this port from the Internet.

AlgoSec I22-I-SG (High): FTP can enter your network from Public IPs
Description: Letting FTP (File Transfer Protocol, TCP/21) reach internal servers is risky because it is not encrypted: it is authenticated only by simple passwords, which are transmitted in the clear. Serious vulnerabilities have been found in many versions of FTP server software. You may have many FTP servers on your internal networks, and it is difficult to ensure that they are all properly hardened; a compromised or infected machine could access or damage the data on these servers.
Remediation: Eliminate rules that allow access to this port from the Internet. For file upload from the Internet, use secure alternatives such as SFTP.

AlgoSec I23-I-SG (Low): Version control services can enter your network from Public IPs
Description: Allowing inbound access to version control systems such as CVS (TCP/2401) or Subversion (TCP/3690) is risky if you use these systems. Version control systems manage different versions of documents or source code and let multiple users work concurrently on the same set of files. These systems have serious known vulnerabilities.
Remediation: If you use either the CVS or the Subversion version control system, eliminate rules that allow access to these ports from the Internet.

AlgoSec I24-I-SG (High): Administrative port 22 (ssh) can enter your network from more than 256 Public IPs
Description: Allowing access from more than 256 public IP addresses (for example from a source CIDR wider than /24, or from 0.0.0.0/0) using the SSH service (TCP/22) is risky. SSH is a remote-login service that provides command-line access to Linux/Unix-based servers and is generally used for server administration. Allowing administrative access from too many public IP addresses is risky.
Remediation: Restrict the rules to the source IPs you really use, and limit the number of public IP addresses that have this administrative access.

AlgoSec I25-I-SG (High): Administrative port 3389 (RDP) can enter your network from more than 256 Public IPs
Description: Allowing access from more than 256 public IP addresses (for example from a source CIDR wider than /24, or from 0.0.0.0/0) using the Microsoft RDP protocol over TCP/3389 is risky. RDP (Remote Desktop Protocol) is a Windows service that allows remote login to Windows machines and is used for Windows-based server administration. Allowing administrative access from too many public IP addresses is risky.
Remediation: Restrict the rules to the source IPs you really use, and limit the number of public IP addresses that have this administrative access.

AlgoSec I26-I-SG (High): Inbound "From Any allow HTTP" rules from Public IPs
Description: HTTP (TCP/80) traffic is unencrypted and therefore insecure. All inbound web traffic should use HTTPS.
Remediation: Restrict the rules to the source IPs you really use, and change the application to use HTTPS.

AlgoSec I27-I-SG (Medium): Inbound "From Any allow HTTPS" rules from Public IPs
Description: Allowing HTTPS (TCP/443) from anywhere is risky unless the destination is a public-facing website.
Remediation: Restrict the rules to the source IPs that need access to the protected site.
AlgoSec O01-NI-SG (Medium): TCP on all ports can exit your network to Private IPs
Description: Allowing TCP on all ports to exit your network is extremely risky, since this includes many vulnerable services. The largest threat is malware (Trojan horses) on a compromised instance contacting its controllers, followed by unintended information leakage and the spread of malicious code such as viruses and worms.
Remediation: Review all the rules that allow outbound traffic with TCP on all ports and limit them to the services you actually require, for example by deploying a stateful firewall for outbound traffic.

AlgoSec O02-NI-SG (Medium): "Any" service can exit your network to Private IPs
Description: Allowing the "Any" service to exit your network is extremely risky, since "Any" includes many vulnerable services. The largest threat is malware (Trojan horses) on a compromised instance contacting its controllers, followed by unintended information leakage and the spread of malicious code such as viruses and worms.
Remediation: Review all the rules that allow outbound traffic with the "Any" service and limit them to the services you actually require, for example by deploying a stateful firewall for outbound traffic.

AlgoSec O03-NI-SG (Medium): UDP on all ports can exit your network to Private IPs
Description: Allowing UDP on all ports to exit your network is extremely risky, since this includes many vulnerable services. The largest threat is malware (Trojan horses) on a compromised instance contacting its controllers, followed by unintended information leakage and the spread of malicious code such as viruses and worms.
Remediation: Review all the rules that allow outbound traffic with UDP on all ports and limit them to the services you actually require, for example by deploying a stateful firewall for outbound traffic.

AlgoSec O04-NI-SG (Medium): Risky Microsoft services can exit your network to Private IPs
Description: Allowing Microsoft's NetBIOS, SMB and RPC services (UDP/137, UDP/138, TCP/135, TCP/139, TCP/445, TCP/593) to exit your network is risky. These services provide file and printer sharing for Microsoft Windows machines and are among the most attacked services on the Internet. They are a vector for worms and viruses and potentially expose your network and data.
Remediation: Eliminate rules that allow access to these ports to private IPs.

AlgoSec O05-NI-SG (Medium): FTP can exit your network to Private IPs
Description: Letting FTP (File Transfer Protocol, TCP/21) exit your network is risky because it is not encrypted: it is authenticated only by simple passwords, which are transmitted in the clear. Serious vulnerabilities have been found in many versions of FTP server software. You may have many FTP servers on your internal networks, and it is difficult to ensure that they are all properly hardened; a compromised or infected machine could access or damage the data on these servers.
Remediation: Eliminate rules that allow access to this port to private IPs. For file transfer, use secure alternatives such as SFTP.

AlgoSec O06-NI-SG (Low): SMTP can exit your network to more than 256 Private IPs
Description: Allowing outbound SMTP access on TCP ports 25, 465 or 587 from many internal machines is risky. Outbound SMTP (e-mail) should originate only from your public mail servers. E-mail is a vector for many viruses and worms; computers that can send e-mail directly, rather than through your organization's designated mail servers, bypass your network's e-mail filters and can spread viruses and worms to other networks. Outbound SMTP access should therefore be limited to your properly hardened public mail servers.
Remediation: Restrict the rules to the destination IPs you really use, and limit the number of private IP addresses that can be reached on these ports.
I01-NI-SG Medium AlgoSec I01-NI-SG "Any" service can enter your network from Private IPs Allowing the "Any" service to enter your network is extremely risky since the "Any" service includes many vulnerable services. This is risky even if the traffic is only allowed from business partners or through VPNs. Review all the rules that allow inbound traffic with "Any" service, and limit them to those services you actually require.
I02-NI-SG Medium AlgoSec I02-NI-SG TCP on all ports can enter your network from Private IPs Allowing TCP on all ports to enter your network is extremely riskysince this includes many vulnerable services. This is risky even if the traffic is only allowed from business partners or through VPNs: a remote laptop connecting through a VPN could easily infect your network with a worm or virus. Review all the rules that allow inbound traffic with TCP on all ports, and limit them to those services you actually require.
I03-NI-SG Medium AlgoSec I03-NI-SG UDP on all ports can enter your network from Private IPs Allowing UDP on all ports to enter your network is extremely risky since this includes many vulnerable services. This is risky even if the traffic is only allowed from business partners or through VPNs: a remote laptop connecting through a VPN could easily infect your network with a worm or virus. Review all the rules that allow inbound traffic with UDP on all ports, and limit them to those services you actually require.
I04-NI-SG Medium AlgoSec I04-NI-SG LDAP Port TCP/389, UDP/389 open from Private IPs Your cloud LDAP server is accessible using the LDAP port (UDP/389, TCP/389). LDAP (Lightweight Directory Access Protocol) is a directory service for controling access to network capable devices. Allowing access to these ports is risky. Eliminate rules which allow access to this port from private IPs.
I05-NI-SG Medium AlgoSec I05-NI-SG Port 3020 can enter your network from Private IPs Your cloud estate is accessible using file sharing Protocol CIFS over port 3020. Allowing file sharing accesson this port is risky. Eliminate rules which allow access to this port from private IPs.
I06-NI-SG Medium AlgoSec I06-NI-SG Database port TCP/9000 can enter your network from Private IPs Your cloud Hadoop database is accessible using administrative port TCP/9000. Hadoop is a framework for distributed data processing that allows access to the data and may act as database. Opening Hadoop port is risky Eliminate rules which allow access to this port private IPs.
I07-NI-SG Medium AlgoSec I07-NI-SG Administrative port TCP/1434 can enter your network from Private IPs Your cloud database managment system is accessible using the MSSQL administrative port TCP/1434. MSSQL is a Microsoft SQL server database managment system. Databases are the elements of Electronic Business, Financial, Banking, and Enterprise Resource Planning (ERP) system, and include critical information from partners, customers, and employees. Databases are extremely complex application and are, often times, difficult to correctly configure and secure. As a result serious security vulnerabilities and mis-configurations frequently go unchecked or completely undetected. For this reason, allowing direct inbound access to your corporate databases is risky. Eliminate rules which allow access to this port private IPs.
I08-NI-SG Medium AlgoSec I08-NI-SG MSSQL(UDP/1434) can enter your network from Private IPs Your cloud database managment system is accessible using the MSSQL port UDP/1434. MSSQL is a Microsoft SQL server database managment system. Databases are the elements of Electronic Business, Financial, Banking, and Enterprise Resource Planning (ERP) system, and include critical information from partners, customers, and employees. Databases are extremely complex application and are, often times, difficult to correctly configure and secure. As a result serious security vulnerabilities and mis-configurations frequently go unchecked or completely undetected. For this reason, allowing direct inbound access to your corporate databases is risky. Eliminate rules which allow access to this port from private IPs.
I09-NI-SG Medium AlgoSec I09-NI-SG Database port TCP/27017-27019 can enter your network from Private IPs Your cloud database managment system is accessible using the Mongo Web Portal port with TCP/27018. Mongo Web Portal is a "mongodb" named protocol that allows access to MongoDB API. Databases are the elements of Electronic Business, Financial, Banking, and Enterprise Resource Planning (ERP) system, and include critical information from partners, customers, and employees. Databases are extremely complex application and are, often times, difficult to correctly configure and secure. As a result serious security vulnerabilities and mis-configurations frequently go unchecked or completely undetected. For this reason, allowing direct inbound access to your corporate databases is risky. Eliminate rules which allow access to this port private IPs.
I10-NI-SG Medium AlgoSec I10-NI-SG Database port TCP/3306 can enter your network from Private IPs Your cloud database managment system is accessible using the MySQL debug port TCP/3306. MySQL is a database managment system (RDBMS). Databases are the elements of Electronic Business, Financial, Banking, and Enterprise Resource Planning (ERP) system, and include critical information from partners, customers, and employees. Databases are extremely complex application and are, often times, difficult to correctly configure and secure. As a result serious security vulnerabilities and mis-configurations frequently go unchecked or completely undetected. For this reason, allowing direct inbound access to your corporate databases is risky. Eliminate rules which allow access to this port private IPs.
I11-NI-SG Medium AlgoSec I11-NI-SG Administrative port UDP/161 can enter your network from Private IPs Your cloud estate is accessible using the SNMP service (UDP/161). SNMP (Simple Network Management Protocol) is a protocol used to manage networking and edge devices. Allowing SNMP port UDP/161 is risky. Eliminate rules which allow access to this port from private IPs.
I12-NI-SG Medium AlgoSec I12-NI-SG Telnet can enter your network from Private IPs Telnet is a remote-login service that is not encrypted. It is only authenticated by simple passwords that are transmitted in the clear. Eliminate rules which allow access to this port from private IPs.
I13-NI-SG Medium AlgoSec I13-NI-SG Risky Microsoft services can enter your network from Private IPs Allowing Microsoft's NetBIOS services (UDP/137, UDP/138, TCP/135, TCP/139, TCP/445, TCP/593) to cross into your network is extremely risky. These services provide file and printer sharing for Microsoft Windows machines, and are among the most attacked services on the Internet. These Microsoft services are a vector for worms and viruses, and they potentially expose your network and data. Eliminate rules which allow access to these ports from private IPs.
I14-NI-SG Medium AlgoSec I14-NI-SG Database port TCP/1433 can enter your network from Private IPs Your cloud database management system is accessible using the MSSQL port TCP/1433. MSSQL is Microsoft's SQL Server database management system. Databases are core elements of electronic business, financial, banking, and Enterprise Resource Planning (ERP) systems, and hold critical information about partners, customers, and employees. Databases are extremely complex applications and are often difficult to configure and secure correctly. As a result, serious security vulnerabilities and misconfigurations frequently go unchecked or completely undetected. For this reason, allowing direct inbound access to your corporate databases is risky. Eliminate rules which allow access to this port from private IPs.
I15-NI-SG Medium AlgoSec I15-NI-SG Database port TCP/5432 can enter your network from Private IPs Allowing inbound access using the database-access protocol PostgreSQL (TCP/5432) may expose your most critical databases to attack. Databases are core elements of electronic business, financial, banking, and Enterprise Resource Planning (ERP) systems, and hold critical information about partners, customers, and employees. Databases are extremely complex applications and are often difficult to configure and secure correctly. As a result, serious security vulnerabilities and misconfigurations frequently go unchecked or completely undetected. For this reason, allowing direct inbound access to your corporate databases is risky. Eliminate rules which allow access to this port from private IPs.
I16-NI-SG Medium AlgoSec I16-NI-SG Database port TCP/523 can enter your network from Private IPs Allowing inbound access using the database-access protocol IBM DB2 (TCP/523) may expose your most critical databases to attack. Databases are core elements of electronic business, financial, banking, and Enterprise Resource Planning (ERP) systems, and hold critical information about partners, customers, and employees. Databases are extremely complex applications and are often difficult to configure and secure correctly. As a result, serious security vulnerabilities and misconfigurations frequently go unchecked or completely undetected. For this reason, allowing direct inbound access to your corporate databases is risky. Eliminate rules which allow access to this port from private IPs.
I17-NI-SG Medium AlgoSec I17-NI-SG Database port TCP/1521 can enter your network from Private IPs Allowing inbound access using the database-access protocol Oracle SQL*Net (TCP/1521) may expose your most critical databases to attack. Databases are core elements of electronic business, financial, banking, and Enterprise Resource Planning (ERP) systems, and hold critical information about partners, customers, and employees. Databases are extremely complex applications and are often difficult to configure and secure correctly. As a result, serious security vulnerabilities and misconfigurations frequently go unchecked or completely undetected. For this reason, allowing direct inbound access to your corporate databases is risky. Eliminate rules which allow access to this port from the Internet.
I18-NI-SG Low AlgoSec I18-NI-SG RPC can enter your network from Private IPs The Sunrpc service (TCP/UDP port 111) is used by the Unix "portmapper" daemon to support services like NFS. Allowing such traffic in could expose your data if you have Unix file servers. Eliminate rules which allow access to this port from private IPs.
I19-NI-SG Medium AlgoSec I19-NI-SG FTP can enter your network from Private IPs Letting FTP (File Transfer Protocol) reach internal servers is risky as it is not encrypted. It is only authenticated by simple passwords that are transmitted in the clear. Serious vulnerabilities have been found in many versions of FTP server software. You may have many FTP servers on your internal networks and it is difficult to ensure that they are all properly hardened. A compromised or infected machine could access or damage the data on these servers. Eliminate rules which allow access to this port from private IPs. For file upload, use secure alternatives such as SFTP.
I20-NI-SG Low AlgoSec I20-NI-SG Version control services can enter your network from Private IPs Allowing inbound access to Unix version control systems like CVS (TCP/2401) or Subversion (TCP/3690) may be risky if you use these systems. Version control systems provide tools to manage different versions of documents or source code and allow multiple users to work concurrently on the same set of files. These systems have serious known vulnerabilities. If you use either the CVS or the Subversion version control system, eliminate rules which allow access to these ports from private IPs.
I21-NI-SG Medium AlgoSec I21-NI-SG Administrative port 22 (ssh) can enter your network from more than 256 Private IPs Allowing access from more than 256 Private IP addresses using the SSH service (TCP/22) is risky. SSH is a remote-login service that allows command-line access to Linux/Unix-based servers and is generally used for server administration. Allowing administrative access from too many public IP addresses is risky. Restrict the rules to refer to only the source IPs you really use, and limit the number of public IP addresses that have this administrative access.
I22-NI-SG Medium AlgoSec I22-NI-SG Administrative port 3389 (RDP) can enter your network from more than 256 Private IPs Allowing access from more than 256 Private IP addresses using the Microsoft RDP protocol over port 3389 is risky. RDP stands for Remote Desktop Protocol and is a Windows service that allows remote login to Windows machines. RDP is used for Windows-based server administration. Allowing administrative access from too many public IP addresses is risky. Restrict the rules to refer to only the source IPs you really use, and limit the number of public IP addresses that have this administrative access.

The Center for Internet Security (CIS) is a nonprofit that publishes a benchmark — a set of security configuration best practices for AWS.
To read more about the CIS AWS Foundations Benchmark, please visit the CIS AWS home page.

CIS AWS v1.5.0 requirements (47)
Requirement Title Description
CIS_AWS_IAM_ROOT_MFA CIS 1.5 1.5 Ensure MFA is enabled for the 'root' user account The 'root' user account is the most privileged user in an AWS account. Multi-factor Authentication (MFA) adds an extra layer of protection on top of a username and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their username and password as well as for an authentication code from their AWS MFA device.
CIS_AWS_IAM_ROOT_IN_USE CIS 1.7 1.7 Eliminate use of the 'root' user for administrative and daily tasks With the creation of an AWS account, a 'root user' is created that cannot be disabled or deleted. That user has unrestricted access to and control over all resources in the AWS account. It is highly recommended that the use of this account be avoided for everyday tasks.
CIS_AWS_PASS_LENGTH CIS 1.8 1.8 Ensure IAM password policy requires minimum length of 14 or greater Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure passwords are at least a given length. It is recommended that the password policy require a minimum password length of 14.
CIS_AWS_PASS_NOREUSE CIS 1.9 1.9 Ensure IAM password policy prevents password reuse IAM password policies can prevent the reuse of a given password by the same user. It is recommended that the password policy prevent the reuse of passwords.
CIS_AWS_IAM_MFA CIS 1.10 1.10 Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password With MFA enabled, when a user signs in to the AWS Console, they will be prompted for their user name and password as well as for an authentication code from their physical or virtual MFA token. It is recommended that MFA be enabled for all accounts that have a console password.
CIS_AWS_IAM_BOTH CIS 1.11 1.11 Do not set up access keys during initial user setup for all IAM users that have a console password The AWS console defaults to no check boxes selected when creating a new IAM user. When creating the IAM user's credentials you have to determine what type of access they require. Programmatic access: the IAM user might need to make API calls, use the AWS CLI, or use the Tools for Windows PowerShell. In that case, create an access key (access key ID and secret access key) for that user. AWS Management Console access: if the user needs to access the AWS Management Console, create a password for the user.
CIS_AWS_IAM_CREDS_UNUSED CIS 1.12 1.12 Ensure credentials unused for 45 days or greater are disabled AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all credentials that have been unused for 45 days or more be deactivated or removed.
CIS_AWS_ACCESS_KEYS_ROTATED CIS 1.14 1.14 Ensure access keys are rotated every 90 days or less Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. It is recommended that all access keys be regularly rotated.
CIS_AWS_IAM_NO_SUPPORT_ACCESS_POLICY CIS 1.17 1.17 Ensure a support role has been created to manage incidents with AWS Support AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services. Create an IAM Role to allow authorized users to manage incidents with AWS Support.
CIS_AWS_IAM_CERT_EXPIRY CIS 1.19 1.19 Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed To enable HTTPS connections to your website or application in AWS, you need an SSL/TLS server certificate. You can use ACM or IAM to store and deploy server certificates. Use IAM as a certificate manager only when you must support HTTPS connections in a region that is not supported by ACM. IAM securely encrypts your private keys and stores the encrypted version in IAM SSL certificate storage. IAM supports deploying server certificates in all regions, but you must obtain your certificate from an external provider for use with AWS. You cannot upload an ACM certificate to IAM. Additionally, you cannot manage your certificates from the IAM Console.
CIS_AWS_S3_ENCR CIS 2.1.1 2.1.1 Ensure all S3 buckets employ encryption-at-rest Amazon S3 provides a variety of no, or low, cost encryption options to protect data at rest.
CIS_AWS_S3_SSL CIS 2.1.2 2.1.2 Ensure S3 Bucket Policy is set to deny HTTP requests At the Amazon S3 bucket level, you can configure permissions through a bucket policy making the objects accessible only through HTTPS.
CIS_AWS_S3_MFADELETE CIS 2.1.3 2.1.3 Ensure MFA Delete is enabled on S3 buckets Once MFA Delete is enabled on your sensitive and classified S3 buckets, deleting objects or changing versioning state requires the user to have two forms of authentication.
CIS_AWS_S3_BLOCKPUBLIC CIS 2.1.5 2.1.5 Ensure that S3 Buckets are configured with 'Block public access (bucket settings)' Amazon S3 provides Block public access (bucket settings) and Block public access (account settings) to help you manage public access to Amazon S3 resources. By default, S3 buckets and objects are created with public access disabled. However, an IAM principal with sufficient S3 permissions can enable public access at the bucket and/or object level. While enabled, Block public access (bucket settings) prevents an individual bucket, and its contained objects, from becoming publicly accessible. Similarly, Block public access (account settings) prevents all buckets, and contained objects, from becoming publicly accessible across the entire account.
CIS_AWS_VOL_NO_ENCR CIS 2.2.1 2.2.1 Ensure EBS Volume Encryption is Enabled in all Regions Elastic Compute Cloud (EC2) supports encryption at rest when using the Elastic Block Store (EBS) service. While disabled by default, forcing encryption at EBS volume creation is supported.
CIS_AWS_RDS_NO_ENCR CIS 2.3.1 2.3.1 Ensure that encryption is enabled for RDS Instances Amazon RDS encrypted DB instances use the industry standard AES-256 encryption algorithm to encrypt your data on the server that hosts your Amazon RDS DB instances. After your data is encrypted, Amazon RDS handles authentication of access and decryption of your data transparently with a minimal impact on performance.
CIS_AWS_RDS_NO_AUTO_UPGRADE CIS 2.3.2 2.3.2 Ensure Auto Minor Version Upgrade feature is Enabled for RDS Instances Ensure that RDS database instances have the Auto Minor Version Upgrade flag enabled in order to automatically receive minor engine upgrades during the specified maintenance window. This way, RDS instances receive the new features, bug fixes, and security patches for their database engines.
CIS_AWS_RDS_IS_PUBLIC CIS 2.3.3 2.3.3 Ensure that public access is not given to RDS Instance Ensure and verify that RDS database instances provisioned in your AWS account restrict unauthorized access in order to minimize security risks. To restrict access to any publicly accessible RDS database instance, you must disable the database's Publicly Accessible flag and update the VPC security group associated with the instance.
CIS_AWS_EFS_NO_ENCR CIS 2.4.1 2.4.1 Ensure that encryption is enabled for EFS file systems EFS data should be encrypted at rest using AWS KMS (Key Management Service).
CIS_AWS_CLOUDTRAIL_ALLREGIONS CIS 3.1 3.1 Ensure CloudTrail is enabled in all regions AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail provides a history of AWS API calls for an account, including API calls made via the Management Console, SDKs, command line tools, and higher-level AWS services (such as CloudFormation).
CIS_AWS_CLOUDTRAIL_NO_LOG_VALID CIS 3.2 3.2 Ensure CloudTrail log file validation is enabled CloudTrail log file validation creates a digitally signed digest file containing a hash of each log that CloudTrail writes to S3. These digest files can be used to determine whether a log file was changed, deleted, or unchanged after CloudTrail delivered the log. It is recommended that file validation be enabled on all CloudTrails.
CIS_AWS_CLOUDTRAIL_BUCKET_PUBLIC_ACCESS CIS 3.3 3.3 Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible CloudTrail logs a record of every API call made in your AWS account. These log files are stored in an S3 bucket. It is recommended that the bucket policy or access control list (ACL) applied to the S3 bucket that CloudTrail logs to prevents public access to the CloudTrail logs.
CIS_AWS_CLOUDTRAIL_NO_CLOUDWATCH_LOG CIS 3.4 3.4 Ensure CloudTrail trails are integrated with CloudWatch Logs The intent of this recommendation is to ensure AWS account activity is being captured, monitored, and appropriately alarmed on. CloudWatch Logs is a native way to accomplish this using AWS services but does not preclude the use of an alternate solution.
CIS_AWS_CONFIG_DISABLED CIS 3.5 3.5 Ensure AWS Config is enabled in all regions AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), any configuration changes between resources. It is recommended AWS Config be enabled in all regions.
CIS_AWS_CLOUDTRAIL_NO_BUCKET_LOGGING CIS 3.6 3.6 Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket S3 Bucket Access Logging generates a log that contains access records for each request made to your S3 bucket. An access log record contains details about the request, such as the request type, the resources specified in the request, and the time and date the request was processed. It is recommended that bucket access logging be enabled on the CloudTrail S3 bucket.
CIS_AWS_CLOUDTRAIL_ENCR CIS 3.7 3.7 Ensure CloudTrail logs are encrypted at rest using KMS CMKs CloudTrail logs can be configured to leverage server side encryption (SSE) and KMS customer created master keys (CMK) to further protect CloudTrail logs. It is recommended that CloudTrail be configured to use SSE-KMS.
CIS_AWS_CMK_ROTATION CIS 3.8 3.8 Ensure rotation for customer created symmetric CMKs is enabled AWS Key Management Service (KMS) allows customers to rotate the backing key, which is the key material stored within KMS that is tied to the key ID of the customer created customer master key (CMK). It is the backing key that is used to perform cryptographic operations such as encryption and decryption. Automated key rotation currently retains all prior backing keys so that decryption of encrypted data can take place transparently. It is recommended that CMK key rotation be enabled for symmetric keys. Key rotation cannot be enabled for any asymmetric CMK.
CIS_AWS_VPC_FLOWLOG CIS 3.9 3.9 Ensure VPC flow logging is enabled in all VPCs VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. It is recommended that VPC Flow Logs be enabled for packet 'Rejects' for VPCs.
CIS_AWS_UNAUTH_API CIS 4.1 4.1 Ensure a log metric filter and alarm exist for unauthorized API calls Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for unauthorized API calls.
CIS_AWS_CONSOLE_NO_MFA CIS 4.2 4.2 Ensure a log metric filter and alarm exist for Management Console sign-in without MFA It is recommended that a metric filter and alarm be established for console logins that are not protected by multi-factor authentication (MFA).
CIS_AWS_ROOT_USAGE CIS 4.3 4.3 Ensure a log metric filter and alarm exist for usage of 'root' account It is recommended that a metric filter and alarm be established for 'root' login attempts.
CIS_AWS_IAM_POL_CHANGES CIS 4.4 4.4 Ensure a log metric filter and alarm exist for IAM policy changes It is recommended that a metric filter and alarm be established for changes made to Identity and Access Management (IAM) policies.
CIS_AWS_CLOUDTRAIL_CONF_CHANGES CIS 4.5 4.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations.
CIS_AWS_CONSOLE_AUTH_FAILURES CIS 4.6 4.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures It is recommended that a metric filter and alarm be established for failed console authentication attempts.
CIS_AWS_CMK_DELETION CIS 4.7 4.7 Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs It is recommended that a metric filter and alarm be established for customer created CMKs which have changed state to disabled or scheduled deletion.
CIS_AWS_S3_POL_CHANGES CIS 4.8 4.8 Ensure a log metric filter and alarm exist for S3 bucket policy changes It is recommended that a metric filter and alarm be established for changes to S3 bucket policies.
CIS_AWS_CONFIG_CHANGES CIS 4.9 4.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes It is recommended that a metric filter and alarm be established for detecting changes to AWS Config's configuration.
CIS_AWS_SG_CHANGES CIS 4.10 4.10 Ensure a log metric filter and alarm exist for security group changes Security Groups are a stateful packet filter that controls ingress and egress traffic within a VPC. It is recommended that a metric filter and alarm be established for detecting changes to Security Groups.
CIS_AWS_NET_ACL_CHANGES CIS 4.11 4.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) NACLs are used as a stateless packet filter to control ingress and egress traffic for subnets within a VPC. It is recommended that a metric filter and alarm be established for changes made to NACLs.
CIS_AWS_NET_GW_CHANGES CIS 4.12 4.12 Ensure a log metric filter and alarm exist for changes to network gateways Network gateways are required to send/receive traffic to a destination outside of a VPC. It is recommended that a metric filter and alarm be established for changes to network gateways.
CIS_AWS_ROUTE_CHANGES CIS 4.13 4.13 Ensure a log metric filter and alarm exist for route table changes Routing tables are used to route network traffic between subnets and to network gateways. It is recommended that a metric filter and alarm be established for changes to route tables.
CIS_AWS_VPC_CHANGES CIS 4.14 4.14 Ensure a log metric filter and alarm exist for VPC changes It is possible to have more than 1 VPC within an account, in addition it is also possible to create a peer connection between 2 VPCs enabling network traffic to route between VPCs. It is recommended that a metric filter and alarm be established for changes made to VPCs.
CIS_AWS_SECHUB_DISABLED CIS 4.16 4.16 Ensure AWS Security Hub is enabled Security Hub collects security data from across AWS accounts, services, and supported third-party partner products and helps you analyze your security trends and identify the highest priority security issues. When you enable Security Hub, it begins to consume, aggregate, organize, and prioritize findings from AWS services that you have enabled, such as Amazon GuardDuty, Amazon Inspector, and Amazon Macie. You can also enable integrations with AWS partner security products.
CIS_AWS_ACL_ANY CIS 5.1 5.1 Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports The Network Access Control List (NACL) function provides stateless filtering of ingress and egress network traffic to AWS resources. It is recommended that no NACL allows unrestricted ingress access to remote server administration ports, such as SSH to port 22 and RDP to port 3389.
CIS_AWS_SG_ANY_IP4 CIS 5.2 5.2 Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to remote server administration ports, such as SSH to port 22 and RDP to port 3389.
CIS_AWS_SG_ANY_IP6 CIS 5.3 5.3 Ensure no security groups allow ingress from ::/0 to remote server administration ports It is recommended that no security group allows unrestricted ingress access to remote server administration ports, such as SSH to port 22 and RDP to port 3389.
CIS_AWS_SG_DEFAULT CIS 5.4 5.4 Ensure the default security group of every VPC restricts all traffic The default VPC in every region should have its default security group updated to comply. Any newly created VPCs will automatically contain a default security group that will need remediation to comply with this recommendation.

The Payment Card Industry Data Security Standard (PCI DSS) is a global standard that provides a baseline of technical and operational requirements designed to protect account data.
To read more about the PCI DSS requirements, please visit the PCI home page.

PCI DSS v4.0 requirements (12)
Requirement Title Description
PCI_ENCR_AT_REST PCI DSS 3.5 3.5 Primary account number (PAN) is secured wherever it is stored. If an intruder circumvents other security controls and gains access to encrypted account data, the data is unreadable without the proper cryptographic keys and is unusable to that intruder. This requirement applies to PANs stored in primary storage (databases, or flat files such as text files and spreadsheets) as well as in non-primary storage (backups, audit logs, exception or troubleshooting logs); all of these must be protected.
PCI_PASS_ROTATE PCI DSS 3.7.4 3.7.4 Key management policies and procedures are implemented for cryptographic key changes for keys that have reached the end of their cryptoperiod. Changing encryption keys when they reach the end of their cryptoperiod is imperative to minimize the risk of someone obtaining the encryption keys and using them to decrypt data.
PCI_ENCR_IN_TRANSIT PCI DSS 4.2 4.2 Primary account number (PAN) is protected with strong cryptography during transmission. Sensitive information must be encrypted during transmission over public networks because it is easy and common for a malicious individual to intercept and/or divert data while in transit. It is considered a good practice for entities to also encrypt PAN over their internal networks, and for entities to establish any new network implementations with encrypted communications.
PCI_CERT_EXPIRY PCI DSS 4.2.1 4.2.1 Certificates used to safeguard primary account number (PAN) during transmission over open, public networks are confirmed as valid and are not expired or revoked. Confirming that certificates used to safeguard PAN during transmission over open, public networks are valid and are not expired or revoked is a best practice until 31 March 2025, after which it will be required as part of Requirement 4.2.1 and must be fully considered during a PCI DSS assessment.
PCI_INACTIVE_ACCOUNT PCI DSS 8.2.6 8.2.6 Inactive user accounts are removed or disabled within 90 days of inactivity. Examine user accounts and last logon information, and interview personnel to verify that any inactive user accounts are removed or disabled within 90 days of inactivity.
PCI_PASS_COMPLEX PCI DSS 8.3.6 8.3.6 Passwords/passphrases used as authentication factors must meet the following minimum level of complexity: a minimum length of 12 characters (if the system does not support 12 characters, a minimum length of eight characters), and contain both numeric and alphabetic characters. Examine system configuration settings to verify that user password/passphrase complexity parameters are set in accordance with all elements specified in this requirement.
PCI_PASS_CHANGE PCI DSS 8.3.9 8.3.9 If passwords/passphrases are used as the only authentication factor for user access, then passwords/passphrases are changed at least once every 90 days. If passwords/passphrases are used as the only authentication factor for user access, inspect system configuration settings to verify that passwords/passphrases are managed in accordance with the specified requirement.
PCI_PASS_NOREUSE PCI DSS 8.3.7 8.3.7 Individuals are not allowed to submit a new password/passphrase that is the same as any of the last four passwords/passphrases used. Examine system configuration settings to verify that password parameters are set to require that new passwords/passphrases cannot be the same as the four previously used passwords/passphrases.
PCI_MFA PCI DSS 8.4 8.4 Multi-factor authentication (MFA) is implemented to secure access into the cardholder data environment (CDE). Examine network and/or system configurations to verify MFA is implemented for all access into the CDE.
PCI_AUDIT_LOGS PCI DSS 10.2 10.2 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. Audit logs must exist for all system components. Audit logs send alerts to the system administrator, provide data to other monitoring mechanisms, such as intrusion-detection systems (IDS) and security information and event monitoring (SIEM) tools, and provide a history trail for post-incident investigation. Logging and analyzing security-relevant events enables an organization to identify and trace potentially malicious activities.
PCI_NET_SEGMENT PCI DSS (Networking) Guidance for PCI DSS Scoping and Network Segmentation. Segmentation (or isolation) of the cardholder data environment (CDE) from the remainder of an entity's network is strongly recommended as a method that may reduce the risk to an organization relative to payment card account data.
PCI_NO_TLS1 PCI DSS (Old Protocols) Guidance on PCI DSS Requirement 4.2: SSL and TLS 1.0 are not permitted. Some protocol implementations (such as SSL, SSH v1.0, and TLS 1.0) have known vulnerabilities that an attacker can use to gain access to the cleartext data. It is critical that entities maintain awareness of industry-defined deprecation dates for the cipher suites they are using and are prepared to migrate to newer versions or protocols when older ones are no longer deemed secure.

The HIPAA Security Rule protects patients and their electronic Protected Health Information (ePHI), as well as healthcare facilities and health insurance providers.
To read more about the HIPAA Security Rule, please visit the HIPAA home page.

HIPAA requirements (4)
Requirement Title Description
HIPAA_ENCRYPT HIPAA (Encryption) Access Control (§ 164.312(a)(1)(iv)) — Encryption of Data In Transit or At Rest The HIPAA Security Rule requires encryption of patients' electronic Protected Health Information (ePHI) when the data is in transit or at rest. 'At rest' includes the cloud storage service where ePHI has been saved (storage bucket, database, file system), and 'in transit' relates to any electronic communication of that information. The security of ePHI in transit or at rest should be established by the use of data encryption. ePHI should be rendered 'unreadable, undecipherable or unusable' so that any 'acquired' healthcare or payment information is of no use to an unauthorized third party.
HIPAA_NETWORK HIPAA (Networking) Access Control (§ 164.312(a)(1)) — Network Segmentation Firewalls, network segmentation, and network access control solutions can be effective means of limiting access to electronic information systems containing electronic Protected Health Information (ePHI). Properly implemented, network-based solutions can limit the ability of a hacker to gain access to an organization's network, or impede the ability of a hacker already in the network to reach other information systems — especially systems containing sensitive data. By building and implementing a network segmentation strategy, networks can be broken down into multiple segments and made safer against potential breaches by cybercriminals and hackers.
HIPAA_AUDIT HIPAA (Audit) Audit Controls (§ 164.312(b)) Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic Protected Health Information (ePHI). Audit logs and trails assist companies in reducing risk by reviewing inappropriate access, tracking unauthorized disclosures of ePHI, detecting performance problems and flaws in applications, detecting potential intrusions and other malicious activity, and providing forensic evidence during investigation of security incidents and breaches.
HIPAA_BACKUP HIPAA (Backup) Contingency Plan (§ 164.308(a)(7)) — Data Backup Plan A contingency plan is the only way to protect the availability, integrity, and security of data during unexpected negative events. Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information. The data backup plan should define exactly what information needs to be retrievable to allow the entity to continue business 'as usual' in the face of damage or destruction of data, hardware, or software.