💼 PR.IR-01: Networks and environments are protected from unauthorized logical access and usage

• Contextual name: 💼 PR.IR-01: Networks and environments are protected from unauthorized logical access and usage
• ID: /frameworks/nist-csf-v2.0/pr-ir/01
• Located in: 💼 Technology Infrastructure Resilience (PR.IR)

Description

1. Logically segment organization networks and cloud-based platforms according to trust boundaries and platform types (e.g., IT, IoT, OT, mobile, guests), and permit required communications only between segments
2. Logically segment organization networks from external networks, and permit only necessary communications to enter the organization's networks from the external networks
3. Implement zero trust architectures to restrict network access to each resource to the minimum necessary
4. Check the cyber health of endpoints before allowing them to access and use production resources

Similar

• Sections
  • /frameworks/nist-csf-v1.1/pr-ac/03
  • /frameworks/nist-csf-v1.1/pr-ac/05
  • /frameworks/nist-csf-v1.1/pr-ds/07
  • /frameworks/nist-csf-v1.1/pr-pt/04
  • /frameworks/nist-sp-800-53-r5/ac/03
  • /frameworks/nist-sp-800-53-r5/ac/04
  • /frameworks/nist-sp-800-53-r5/sc/04
  • /frameworks/nist-sp-800-53-r5/sc/05
  • /frameworks/nist-sp-800-53-r5/sc/07

Similar Sections (Take Policies From)

Section	Sub Sections	Internal Rules	Policies	Flags
💼 NIST CSF v1.1 → 💼 PR.AC-3: Remote access is managed			1
💼 NIST CSF v1.1 → 💼 PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation)		10	22
💼 NIST CSF v1.1 → 💼 PR.DS-7: The development and testing environment(s) are separate from the production environment			1
💼 NIST CSF v1.1 → 💼 PR.PT-4: Communications and control networks are protected		10	22
💼 NIST SP 800-53 Revision 5 → 💼 AC-3 Access Enforcement	15	5	37
💼 NIST SP 800-53 Revision 5 → 💼 AC-4 Information Flow Enforcement	32	68	89
💼 NIST SP 800-53 Revision 5 → 💼 SC-4 Information in Shared System Resources	2
💼 NIST SP 800-53 Revision 5 → 💼 SC-5 Denial-of-service Protection	3		5
💼 NIST SP 800-53 Revision 5 → 💼 SC-7 Boundary Protection	29	4	50

Sub Sections

Section	Sub Sections	Internal Rules	Policies	Flags

Policies (69)

Policy	Logic Count	Flags
📝 AWS Account Object-level CloudTrail Logging for Read Events for S3 Buckets is not enabled 🟢	1	🟢 x6
📝 AWS Account Object-level CloudTrail Logging for Write Events for S3 Buckets is not enabled 🟢	1	🟢 x6
📝 AWS API Gateway API Route Authorization Type is not configured 🟢	1	🟢 x6
📝 AWS API Gateway REST API Stage is not configured to use an SSL certificate for authentication 🟢	1	🟢 x6
📝 AWS CloudFront Web Distribution Cache Behaviors allow unencrypted traffic 🟢	1	🟢 x6
📝 AWS CloudFront Web Distribution does not encrypt traffic to Custom Origins 🟢	1	🟢 x6
📝 AWS CloudFront Web Distribution Default Root Object is not configured 🟢	1	🟢 x6
📝 AWS CloudFront Web Distribution uses default SSL/TLS certificate 🟢	1	🟢 x6
📝 AWS CloudFront Web Distribution uses Dedicated IP for SSL 🟢	1	🟢 x6
📝 AWS CloudFront Web Distribution uses outdated SSL protocols with Custom Origins 🟢	1	🟢 x6
📝 AWS DMS Endpoint doesn't use SSL 🟢	1	🟢 x6
📝 AWS DMS Replication Instance is publicly accessible 🟢	1	🟢 x6
📝 AWS EBS Snapshot is publicly accessible 🟢	1	🟢 x6
📝 AWS EC2 Auto Scaling Group behind ELB assigns public IP to instances 🟢	1	🟢 x6
📝 AWS EC2 Auto Scaling Group Launch Template is not configured to require IMDSv2 🟢	1	🟢 x6
📝 AWS EC2 Default Security Group does not restrict all traffic 🟢	1	🟢 x6
📝 AWS EC2 Instance IMDSv2 is not enabled 🟢	1	🟢 x6
📝 AWS EC2 Instance with an auto-assigned public IP address is in a default subnet 🟢	1	🟢 x6
📝 AWS EC2 Security Group allows public IPv4 (0.0.0.0/0) access to admin ports 🟢	1	🟢 x6
📝 AWS EC2 Security Group allows public IPv6 (::/0) access to admin ports 🟢	1	🟢 x6
📝 AWS EC2 Security Group allows unrestricted CIFS traffic 🟢	1	🟢 x6
📝 AWS EC2 Security Group allows unrestricted FTP traffic 🟢	1	🟢 x6
📝 AWS EC2 Security Group allows unrestricted RPC traffic 🟢	1	🟢 x6
📝 AWS EC2 Security Group allows unrestricted SMTP traffic 🟢	1	🟢 x6
📝 AWS EC2 Security Group allows unrestricted traffic to MongoDB 🟢	1	🟢 x6
📝 AWS EC2 Security Group allows unrestricted traffic to MSSQL 🟢	1	🟢 x6
📝 AWS EC2 Security Group allows unrestricted traffic to MySQL 🟢	1	🟢 x6
📝 AWS EC2 Security Group allows unrestricted traffic to Oracle DBMS 🟢	1	🟢 x6
📝 AWS EC2 Security Group allows unrestricted traffic to PostgreSQL 🟢	1	🟢 x6
📝 AWS EC2 Security Group allows unrestricted Telnet traffic 🟢	1	🟢 x6
📝 AWS IAM Policy allows full administrative privileges 🟢	1	🟢 x6
📝 AWS IAM User has inline or directly attached policies 🟢	1	🟠 x1, 🟢 x5
📝 AWS IAM User with credentials unused for 45 days or more is not disabled 🟢	1	🟢 x6
📝 AWS RDS Instance is publicly accessible and in an unrestricted public subnet 🟢	1	🟢 x6
📝 AWS RDS Instance uses default endpoint port 🟢	1	🟢 x6
📝 AWS RDS Snapshot is publicly accessible 🟢	1	🟢 x6
📝 AWS S3 Bucket is not configured to block public access 🟢	1	🟢 x6
📝 AWS S3 Bucket Object Lock is not enabled 🟠🟢	1	🟠 x1, 🟢 x6
📝 AWS S3 Bucket Policy is not set to deny HTTP requests 🟢	1	🟢 x6
📝 AWS S3 Bucket Versioning is not enabled 🟢	1	🟢 x6
📝 AWS VPC is not configured with a VPC Endpoint for Amazon EC2 service 🟢	1	🟢 x6
📝 AWS VPC Network ACL exposes admin ports to public internet ports 🟢	1	🟢 x6
📝 AWS VPC Subnet Map Public IP On Launch is enabled 🟢	1	🟢 x6
📝 Azure App Service Authentication is disabled and Basic Authentication is enabled 🟢	1	🟢 x6
📝 Azure App Service Basic Authentication is enabled 🟢		🟢 x3
📝 Azure App Service FTP deployments are not disabled 🟢	1	🟢 x6
📝 Azure App Service HTTPS Only configuration is not enabled 🟢	1	🟢 x6
📝 Azure MySQL Flexible Server require_secure_transport Parameter is not set to ON 🟢	1	🟢 x6
📝 Azure PostgreSQL Flexible Server require_secure_transport Parameter is not set to ON 🟢	1	🟢 x6
📝 Azure PostgreSQL Single Server Enforce SSL Connection is not set enabled 🟢	1	🟢 x6
📝 Azure PostgreSQL Single Server Infrastructure Double Encryption is not enabled 🟢	1	🟢 x6
📝 Azure Storage Account Cross Tenant Replication is enabled 🟢	1	🟢 x6
📝 Azure Storage Account Secure Transfer Required is not enabled 🟢	1	🟢 x6
📝 Azure Subscription Network Watcher is not enabled in every available region 🟢	1	🟢 x6
📝 Google BigQuery Dataset is anonymously or publicly accessible 🟢	1	🟢 x6
📝 Google Cloud MySQL Instance Skip_show_database Database Flag is not set to on 🟢	1	🟢 x6
📝 Google Cloud SQL Instance External Authorized Networks do not whitelist all public IP addresses 🟢	1	🟢 x6
📝 Google Cloud SQL Instance has public IP addresses 🟢	1	🟢 x6
📝 Google Cloud SQL Server Instance cross db ownership chaining Database Flag is not set to off 🟢	1	🟢 x6
📝 Google GCE Instance has a public IP address 🟢	1	🟢 x6
📝 Google GCE Instance IP Forwarding is not disabled. 🟢	1	🟢 x6
📝 Google GCE Network has Firewall Rules which allow unrestricted SSH access from the Internet 🟢	1	🟢 x6
📝 Google HTTPS or SSL Proxy Load Balancer permits SSL policies with weak cipher suites 🟢		🟢 x3
📝 Google IAM Users are assigned the Service Account User or Service Account Token Creator roles at Project level 🟢	1	🟢 x6
📝 Google KMS Crypto Key is anonymously or publicly accessible 🟠🟢		🟠 x1, 🟢 x3
📝 Google Logging Log Sink exports logs to a Storage Bucket without Bucket Lock 🟢	1	🟢 x6
📝 Google Storage Bucket is anonymously or publicly accessible 🟢	1	🟢 x6
📝 Google Storage Bucket Uniform Bucket-Level Access is not enabled 🟢	1	🟢 x6
📝 Google User has both Service Account Admin and Service Account User roles assigned 🟢	1	🟢 x6