💼 CA-9(1) Internal System Connections | Compliance Checks

ID: /frameworks/nist-sp-800-53-r5/ca/09/01

Description

Perform security and privacy compliance checks on constituent system components prior to the establishment of the internal connection.

Similar

Sections
- /frameworks/aws-fsbp-v1.0.0/api-gateway/05
- /frameworks/aws-fsbp-v1.0.0/auto-scaling/03
- /frameworks/aws-fsbp-v1.0.0/auto-scaling/09
- /frameworks/aws-fsbp-v1.0.0/cloudfront/08
- /frameworks/aws-fsbp-v1.0.0/cloudtrail/02
- /frameworks/aws-fsbp-v1.0.0/codebuild/03
- /frameworks/aws-fsbp-v1.0.0/documentdb/01
- /frameworks/aws-fsbp-v1.0.0/documentdb/05
- /frameworks/aws-fsbp-v1.0.0/dynamodb/03
- /frameworks/aws-fsbp-v1.0.0/dynamodb/06
- /frameworks/aws-fsbp-v1.0.0/ec2/03
- /frameworks/aws-fsbp-v1.0.0/ec2/04
- /frameworks/aws-fsbp-v1.0.0/ec2/07
- /frameworks/aws-fsbp-v1.0.0/ec2/19
- /frameworks/aws-fsbp-v1.0.0/ec2/21
- /frameworks/aws-fsbp-v1.0.0/ec2/23
- /frameworks/aws-fsbp-v1.0.0/ecr/02
- /frameworks/aws-fsbp-v1.0.0/ecr/03
- /frameworks/aws-fsbp-v1.0.0/ecs/03
- /frameworks/aws-fsbp-v1.0.0/ecs/08
- /frameworks/aws-fsbp-v1.0.0/efs/01
- /frameworks/aws-fsbp-v1.0.0/eks/02
- /frameworks/aws-fsbp-v1.0.0/elasticache/04
- /frameworks/aws-fsbp-v1.0.0/elb/06
- /frameworks/aws-fsbp-v1.0.0/elb/07
- /frameworks/aws-fsbp-v1.0.0/elb/12
- /frameworks/aws-fsbp-v1.0.0/elb/14
- /frameworks/aws-fsbp-v1.0.0/emr/03
- /frameworks/aws-fsbp-v1.0.0/es/01
- /frameworks/aws-fsbp-v1.0.0/fsx/01
- /frameworks/aws-fsbp-v1.0.0/kinesis/01
- /frameworks/aws-fsbp-v1.0.0/lambda/02
- /frameworks/aws-fsbp-v1.0.0/macie/01
- /frameworks/aws-fsbp-v1.0.0/macie/02
- /frameworks/aws-fsbp-v1.0.0/neptune/01
- /frameworks/aws-fsbp-v1.0.0/neptune/04
- /frameworks/aws-fsbp-v1.0.0/neptune/06
- /frameworks/aws-fsbp-v1.0.0/neptune/08
- /frameworks/aws-fsbp-v1.0.0/network-firewall/03
- /frameworks/aws-fsbp-v1.0.0/network-firewall/04
- /frameworks/aws-fsbp-v1.0.0/network-firewall/05
- /frameworks/aws-fsbp-v1.0.0/network-firewall/09
- /frameworks/aws-fsbp-v1.0.0/network-firewall/10
- /frameworks/aws-fsbp-v1.0.0/opensearch/01
- /frameworks/aws-fsbp-v1.0.0/pca/01
- /frameworks/aws-fsbp-v1.0.0/rds/03
- /frameworks/aws-fsbp-v1.0.0/rds/04
- /frameworks/aws-fsbp-v1.0.0/rds/16
- /frameworks/aws-fsbp-v1.0.0/rds/17
- /frameworks/aws-fsbp-v1.0.0/rds/24
- /frameworks/aws-fsbp-v1.0.0/rds/25
- /frameworks/aws-fsbp-v1.0.0/rds/27
- /frameworks/aws-fsbp-v1.0.0/redshift/06
- /frameworks/aws-fsbp-v1.0.0/redshift/08
- /frameworks/aws-fsbp-v1.0.0/redshift/09
- /frameworks/aws-fsbp-v1.0.0/redshift/10
- /frameworks/aws-fsbp-v1.0.0/s3/06
- /frameworks/aws-fsbp-v1.0.0/sqs/01
- /frameworks/aws-fsbp-v1.0.0/ssm/01
- /frameworks/aws-fsbp-v1.0.0/ssm/03
- /frameworks/aws-fsbp-v1.0.0/waf/04
- /frameworks/aws-fsbp-v1.0.0/waf/06
- /frameworks/aws-fsbp-v1.0.0/waf/07
- /frameworks/aws-fsbp-v1.0.0/waf/10
Internal
- ID: dec-c-51947ffc

Similar Sections (Take Policies From)

Section	Internal Rules	Policies	Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [APIGateway.5] API Gateway REST API cache data should be encrypted at rest			no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [AutoScaling.3] Auto Scaling group launch configurations should configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2)	1	1	no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [AutoScaling.9] Amazon EC2 Auto Scaling groups should use Amazon EC2 launch templates	1	1	no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests	1	1	no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [CloudTrail.2] CloudTrail should have encryption at-rest enabled		1	no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [CodeBuild.3] CodeBuild S3 logs should be encrypted			no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [DocumentDB.1] Amazon DocumentDB clusters should be encrypted at rest		1	no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [DocumentDB.5] Amazon DocumentDB clusters should have deletion protection enabled			no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest	1	1	no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [DynamoDB.6] DynamoDB tables should have deletion protection enabled			no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EC2.3] Attached Amazon EBS volumes should be encrypted at-rest		3	no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EC2.4] Stopped EC2 instances should be removed after a specified time period			no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EC2.7] EBS default encryption should be enabled	1	1	no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EC2.19] Security groups should not allow unrestricted access to ports with high risk		10	no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EC2.21] Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389		1	no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EC2.23] Amazon EC2 Transit Gateways should not automatically accept VPC attachment requests		1	no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ECR.2] ECR private repositories should have tag immutability configured	1	1	no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ECR.3] ECR repositories should have at least one lifecycle policy configured	1	1	no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ECS.3] ECS task definitions should not share the host's process namespace		1	no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ECS.8] Secrets should not be passed as container environment variables		1	no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EFS.1] Elastic File System should be configured to encrypt file data at-rest using AWS KMS	1	2	no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EKS.2] EKS clusters should run on a supported Kubernetes version			no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ElastiCache.4] ElastiCache replication groups should be encrypted at rest		1	no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ELB.6] Application, Gateway, and Network Load Balancers should have deletion protection enabled			no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ELB.7] Classic Load Balancers should have connection draining enabled			no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ELB.12] Application Load Balancer should be configured with defensive or strictest desync mitigation mode		1	no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ELB.14] Classic Load Balancer should be configured with defensive or strictest desync mitigation mode		1	no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EMR.3] Amazon EMR security configurations should be encrypted at rest		1	no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ES.1] Elasticsearch domains should have encryption at-rest enabled		1	no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [FSx.1] FSx for OpenZFS file systems should be configured to copy tags to backups and volumes			no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Kinesis.1] Kinesis streams should be encrypted at rest		1	no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Lambda.2] Lambda functions should use supported runtimes			no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Macie.1] Amazon Macie should be enabled			no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Macie.2] Macie automated sensitive data discovery should be enabled			no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Neptune.1] Neptune DB clusters should be encrypted at rest			no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Neptune.4] Neptune DB clusters should have deletion protection enabled			no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Neptune.6] Neptune DB cluster snapshots should be encrypted at rest		1	no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Neptune.8] Neptune DB clusters should be configured to copy tags to snapshots			no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [NetworkFirewall.3] Network Firewall policies should have at least one rule group associated		1	no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [NetworkFirewall.4] The default stateless action for Network Firewall policies should be drop or forward for full packets		1	no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [NetworkFirewall.5] The default stateless action for Network Firewall policies should be drop or forward for fragmented packets		1	no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [NetworkFirewall.9] Network Firewall firewalls should have deletion protection enabled		1	no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [NetworkFirewall.10] Network Firewall firewalls should have subnet change protection enabled		1	no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Opensearch.1] OpenSearch domains should have encryption at rest enabled		1	no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [PCA.1] AWS Private CA root certificate authority should be disabled			no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [RDS.3] RDS DB instances should have encryption at-rest enabled	1	1	no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [RDS.4] RDS cluster snapshots and database snapshots should be encrypted at rest		1	no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [RDS.16] RDS DB clusters should be configured to copy tags to snapshots			no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [RDS.17] RDS DB instances should be configured to copy tags to snapshots			no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [RDS.24] RDS Database clusters should use a custom administrator username			no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [RDS.25] RDS database instances should use a custom administrator username			no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [RDS.27] RDS DB clusters should be encrypted at rest		1	no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Redshift.6] Amazon Redshift should have automatic upgrades to major versions enabled			no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Redshift.8] Amazon Redshift clusters should not use the default Admin username			no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Redshift.9] Redshift clusters should not use the default database name			no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Redshift.10] Redshift clusters should be encrypted at rest			no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [S3.6] S3 general purpose bucket policies should restrict access to other AWS accounts			no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [SQS.1] Amazon SQS queues should be encrypted at rest			no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [SSM.1] Amazon EC2 instances should be managed by AWS Systems Manager			no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [SSM.3] Amazon EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANT			no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [WAF.4] AWS WAF Classic Regional web ACLs should have at least one rule or rule group		1	no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [WAF.6] AWS WAF Classic global rules should have at least one condition			no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [WAF.7] AWS WAF Classic global rule groups should have at least one rule		1	no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [WAF.10] AWS WAF web ACLs should have at least one rule or rule group		1	no data

Sub Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance

Policies (43)

Policy	Logic Count	Flags	Compliance
🛡️ AWS Account EBS Volume Encryption Attribute is not enabled in all regions🟢	1	🟢 x6	no data
🛡️ AWS CloudFront Web Distribution uses Dedicated IP for SSL🟢	1	🟢 x6	no data
🛡️ AWS CloudTrail is not encrypted with KMS CMK🟢	1	🟢 x6	no data
🛡️ AWS DAX Cluster Server-Side Encryption is not enabled🟢	1	🟢 x6	no data
🛡️ AWS EBS Attached Volume is not encrypted🟢	1	🟢 x6	no data
🛡️ AWS EBS Attached Volume is not encrypted with KMS CMK🟢	1	🟢 x6	no data
🛡️ AWS EBS Snapshot is not encrypted🟢	1	🟢 x6	no data
🛡️ AWS EC2 Auto Scaling Group Launch Template is not configured to require IMDSv2🟢	1	🟢 x6	no data
🛡️ AWS EC2 Auto Scaling Group uses Launch Configuration instead of Launch Template🟢	1	🟢 x6	no data
🛡️ AWS EC2 Security Group allows public IPv4 (0.0.0.0/0) access to admin ports🟢	1	🟢 x6	no data
🛡️ AWS EC2 Security Group allows public IPv6 (::/0) access to admin ports🟢	1	🟢 x6	no data
🛡️ AWS EC2 Security Group allows unrestricted CIFS traffic🟢	1	🟢 x6	no data
🛡️ AWS EC2 Security Group allows unrestricted FTP traffic🟢	1	🟢 x6	no data
🛡️ AWS EC2 Security Group allows unrestricted RPC traffic🟢	1	🟢 x6	no data
🛡️ AWS EC2 Security Group allows unrestricted SMTP traffic🟢	1	🟢 x6	no data
🛡️ AWS EC2 Security Group allows unrestricted traffic to MSSQL🟢	1	🟢 x6	no data
🛡️ AWS EC2 Security Group allows unrestricted traffic to MySQL🟢	1	🟢 x6	no data
🛡️ AWS EC2 Security Group allows unrestricted traffic to PostgreSQL🟢	1	🟢 x6	no data
🛡️ AWS EC2 Security Group allows unrestricted Telnet traffic🟢	1	🟢 x6	no data
🛡️ AWS ECR Repository Image Tag Mutability is set to Mutable🟢	1	🟢 x6	no data
🛡️ AWS ECR Repository Lifecycle Policy is not configured🟢	1	🟢 x6	no data
🛡️ AWS ECS Task Definition passes secrets as container environment variables🟢	1	🟢 x6	no data
🛡️ AWS ECS Task Definition shares the host's process namespace🟢	1	🟢 x6	no data
🛡️ AWS EFS File System encryption is not enabled🟢	1	🟢 x6	no data
🛡️ AWS EFS File System is not encrypted with KMS CMK🟢	1	🟢 x6	no data
🛡️ AWS ElastiCache Replication Group is not encrypted at rest🟢	1	🟢 x6	no data
🛡️ AWS ELB Load Balancer is not configured with defensive or strictest desync mitigation mode🟢	1	🟢 x6	no data
🛡️ AWS EMR Cluster encryption is disabled🟢⚪		🟢 x2, ⚪ x1	no data
🛡️ AWS Kinesis Stream is not encrypted at rest🟢	1	🟢 x6	no data
🛡️ AWS Network Firewall Delete Protection is not enabled🟢	1	🟢 x6	no data
🛡️ AWS Network Firewall Policy is not associated with a rule group🟢	1	🟢 x6	no data
🛡️ AWS Network Firewall Policy Stateless Default Action is not Drop or Forward🟢	1	🟢 x6	no data
🛡️ AWS Network Firewall Subnet Change Protection is not enabled🟢	1	🟢 x6	no data
🛡️ AWS OpenSearch Domain is not encrypted at rest🟢	1	🟢 x6	no data
🛡️ AWS RDS Cluster Encryption is not enabled🟢	1	🟢 x6	no data
🛡️ AWS RDS Instance Encryption is not enabled🟢	1	🟢 x6	no data
🛡️ AWS RDS Snapshot is not encrypted🟢	1	🟢 x6	no data
🛡️ AWS S3 Bucket is not encrypted with a KMS key🟢	1	🟢 x6	no data
🛡️ AWS SNS Topic is not encrypted with a KMS key🟢	1	🟢 x6	no data
🛡️ AWS VPC Network ACL exposes admin ports to public internet ports🟢	1	🟢 x6	no data
🛡️ AWS VPC Transit Gateway Auto Accept Shared Attachments is enabled🟢	1	🟢 x6	no data
🛡️ AWS WAF Rule Group has no WAF Rules🟢	1	🟠 x1, 🟢 x5	no data
🛡️ AWS WAF Web ACL has no WAF Rules or WAF Rule Groups🟢	1	🟠 x1, 🟢 x5	no data

Description​

Similar​

Similar Sections (Take Policies From)​

Sub Sections​

Policies (43)​

Description

Similar

Similar Sections (Take Policies From)

Sub Sections

Policies (43)