💼 SC-7(4) External Telecommunications Services (M)(H)

• ID: /frameworks/fedramp-moderate-security-controls/sc/07/04

Description

(a) Implement a managed interface for each external telecommunication service;

(b) Establish a traffic flow policy for each managed interface;

(c) Protect the confidentiality and integrity of the information being transmitted across each interface;

(d) Document each exception to the traffic flow policy with a supporting mission or business need and duration of that need;

(e) Review exceptions to the traffic flow policy [FedRAMP Assignment: at least every one hundred and eighty (180) days or whenever there is a change in the threat environment that warrants a review of the exceptions] and remove exceptions that are no longer supported by an explicit mission or business need;

(f) Prevent unauthorized exchange of control plane traffic with external networks;

(g) Publish information to enable remote networks to detect unauthorized control plane traffic from internal networks; and

(h) Filter unauthorized control plane traffic from external networks.

Similar

• Sections
  • /frameworks/fedramp-high-security-controls/sc/07/04
• Internal
  • ID: dec-c-daae8c98

Similar Sections (Take Policies From)

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 FedRAMP High Security Controls → 💼 SC-7(4) External Telecommunications Services (M)(H)			28		no data

Sub Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance

Policies (28)

Policy	Logic Count	Flags	Compliance
🛡️ AWS API Gateway REST API Stage is not configured to use an SSL certificate for authentication🟢	1	🟢 x6	no data
🛡️ AWS CloudFront Web Distribution Cache Behaviors allow unencrypted traffic🟢	1	🟢 x6	no data
🛡️ AWS CloudFront Web Distribution uses default SSL/TLS certificate🟢	1	🟢 x6	no data
🛡️ AWS CloudFront Web Distribution uses Dedicated IP for SSL🟢	1	🟢 x6	no data
🛡️ AWS CloudFront Web Distribution uses outdated SSL protocols with Custom Origins🟢	1	🟢 x6	no data
🛡️ AWS DMS Endpoint doesn't use SSL🟢	1	🟢 x6	no data
🛡️ AWS DMS Replication Instance is publicly accessible🟢	1	🟢 x6	no data
🛡️ AWS EBS Snapshot is publicly accessible🟢	1	🟢 x6	no data
🛡️ AWS EC2 Auto Scaling Group behind ELB assigns public IP to instances🟢	1	🟢 x6	no data
🛡️ AWS EC2 Default Security Group does not restrict all traffic🟢	1	🟢 x6	no data
🛡️ AWS EC2 Instance with an auto-assigned public IP address is in a default subnet🟢	1	🟢 x6	no data
🛡️ AWS EC2 Security Group allows public IPv4 (0.0.0.0/0) access to admin ports🟢	1	🟢 x6	no data
🛡️ AWS EC2 Security Group allows public IPv6 (::/0) access to admin ports🟢	1	🟢 x6	no data
🛡️ AWS EC2 Security Group allows unrestricted CIFS traffic🟢	1	🟢 x6	no data
🛡️ AWS EC2 Security Group allows unrestricted FTP traffic🟢	1	🟢 x6	no data
🛡️ AWS EC2 Security Group allows unrestricted RPC traffic🟢	1	🟢 x6	no data
🛡️ AWS EC2 Security Group allows unrestricted SMTP traffic🟢	1	🟢 x6	no data
🛡️ AWS EC2 Security Group allows unrestricted traffic to MSSQL🟢	1	🟢 x6	no data
🛡️ AWS EC2 Security Group allows unrestricted traffic to MySQL🟢	1	🟢 x6	no data
🛡️ AWS EC2 Security Group allows unrestricted traffic to PostgreSQL🟢	1	🟢 x6	no data
🛡️ AWS EC2 Security Group allows unrestricted Telnet traffic🟢	1	🟢 x6	no data
🛡️ AWS RDS Instance is publicly accessible and in an unrestricted public subnet🟢	1	🟢 x6	no data
🛡️ AWS RDS Instance uses default endpoint port🟢	1	🟢 x6	no data
🛡️ AWS RDS Snapshot is publicly accessible🟢	1	🟢 x6	no data
🛡️ AWS S3 Bucket is not configured to block public access🟢	1	🟢 x6	no data
🛡️ AWS S3 Bucket Policy is not set to deny HTTP requests🟢	1	🟢 x6	no data
🛡️ AWS VPC is not configured with a VPC Endpoint for Amazon EC2 service🟢	1	🟢 x6	no data
🛡️ AWS VPC Subnet Map Public IP On Launch is enabled🟢	1	🟢 x6	no data