
💼 CA-9(1) Internal System Connections | Compliance Checks

  • Contextual name: 💼 CA-9(1) Internal System Connections | Compliance Checks
  • ID: /frameworks/nist-sp-800-53-r5/ca/09/01
  • Located in: 💼 CA-9 Internal System Connections

Description

Perform security and privacy compliance checks on constituent system components prior to the establishment of the internal connection.

Similar

  • Sections
    • /frameworks/aws-fsbp-v1.0.0/api-gateway/05
    • /frameworks/aws-fsbp-v1.0.0/auto-scaling/03
    • /frameworks/aws-fsbp-v1.0.0/auto-scaling/09
    • /frameworks/aws-fsbp-v1.0.0/cloudfront/08
    • /frameworks/aws-fsbp-v1.0.0/cloudtrail/02
    • /frameworks/aws-fsbp-v1.0.0/codebuild/03
    • /frameworks/aws-fsbp-v1.0.0/documentdb/01
    • /frameworks/aws-fsbp-v1.0.0/documentdb/05
    • /frameworks/aws-fsbp-v1.0.0/dynamodb/03
    • /frameworks/aws-fsbp-v1.0.0/dynamodb/06
    • /frameworks/aws-fsbp-v1.0.0/ec2/03
    • /frameworks/aws-fsbp-v1.0.0/ec2/04
    • /frameworks/aws-fsbp-v1.0.0/ec2/07
    • /frameworks/aws-fsbp-v1.0.0/ec2/19
    • /frameworks/aws-fsbp-v1.0.0/ec2/21
    • /frameworks/aws-fsbp-v1.0.0/ec2/23
    • /frameworks/aws-fsbp-v1.0.0/ecr/02
    • /frameworks/aws-fsbp-v1.0.0/ecr/03
    • /frameworks/aws-fsbp-v1.0.0/ecs/03
    • /frameworks/aws-fsbp-v1.0.0/ecs/08
    • /frameworks/aws-fsbp-v1.0.0/efs/01
    • /frameworks/aws-fsbp-v1.0.0/eks/02
    • /frameworks/aws-fsbp-v1.0.0/elasticache/04
    • /frameworks/aws-fsbp-v1.0.0/elb/06
    • /frameworks/aws-fsbp-v1.0.0/elb/07
    • /frameworks/aws-fsbp-v1.0.0/elb/12
    • /frameworks/aws-fsbp-v1.0.0/elb/14
    • /frameworks/aws-fsbp-v1.0.0/emr/03
    • /frameworks/aws-fsbp-v1.0.0/es/01
    • /frameworks/aws-fsbp-v1.0.0/fsx/01
    • /frameworks/aws-fsbp-v1.0.0/kinesis/01
    • /frameworks/aws-fsbp-v1.0.0/lambda/02
    • /frameworks/aws-fsbp-v1.0.0/macie/01
    • /frameworks/aws-fsbp-v1.0.0/macie/02
    • /frameworks/aws-fsbp-v1.0.0/neptune/01
    • /frameworks/aws-fsbp-v1.0.0/neptune/04
    • /frameworks/aws-fsbp-v1.0.0/neptune/06
    • /frameworks/aws-fsbp-v1.0.0/neptune/08
    • /frameworks/aws-fsbp-v1.0.0/network-firewall/03
    • /frameworks/aws-fsbp-v1.0.0/network-firewall/04
    • /frameworks/aws-fsbp-v1.0.0/network-firewall/05
    • /frameworks/aws-fsbp-v1.0.0/network-firewall/09
    • /frameworks/aws-fsbp-v1.0.0/network-firewall/10
    • /frameworks/aws-fsbp-v1.0.0/opensearch/01
    • /frameworks/aws-fsbp-v1.0.0/pca/01
    • /frameworks/aws-fsbp-v1.0.0/rds/03
    • /frameworks/aws-fsbp-v1.0.0/rds/04
    • /frameworks/aws-fsbp-v1.0.0/rds/16
    • /frameworks/aws-fsbp-v1.0.0/rds/17
    • /frameworks/aws-fsbp-v1.0.0/rds/24
    • /frameworks/aws-fsbp-v1.0.0/rds/25
    • /frameworks/aws-fsbp-v1.0.0/rds/27
    • /frameworks/aws-fsbp-v1.0.0/redshift/06
    • /frameworks/aws-fsbp-v1.0.0/redshift/08
    • /frameworks/aws-fsbp-v1.0.0/redshift/09
    • /frameworks/aws-fsbp-v1.0.0/redshift/10
    • /frameworks/aws-fsbp-v1.0.0/s3/06
    • /frameworks/aws-fsbp-v1.0.0/sqs/01
    • /frameworks/aws-fsbp-v1.0.0/ssm/01
    • /frameworks/aws-fsbp-v1.0.0/ssm/03
    • /frameworks/aws-fsbp-v1.0.0/waf/04
    • /frameworks/aws-fsbp-v1.0.0/waf/06
    • /frameworks/aws-fsbp-v1.0.0/waf/07
    • /frameworks/aws-fsbp-v1.0.0/waf/10
  • Internal
    • ID: dec-c-51947ffc

Similar Sections (Take Policies From)

Section | Sub Sections / Internal Rules / Policies / Flags
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [APIGateway.5] API Gateway REST API cache data should be encrypted at rest
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [AutoScaling.3] Auto Scaling group launch configurations should configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2)
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [AutoScaling.9] Amazon EC2 Auto Scaling groups should use Amazon EC2 launch templates
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [CloudTrail.2] CloudTrail should have encryption at-rest enabled | 1
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [CodeBuild.3] CodeBuild S3 logs should be encrypted
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [DocumentDB.1] Amazon DocumentDB clusters should be encrypted at rest
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [DocumentDB.5] Amazon DocumentDB clusters should have deletion protection enabled
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [DynamoDB.6] DynamoDB tables should have deletion protection enabled
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EC2.3] Attached Amazon EBS volumes should be encrypted at-rest
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EC2.4] Stopped EC2 instances should be removed after a specified time period
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EC2.7] EBS default encryption should be enabled | 11
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EC2.19] Security groups should not allow unrestricted access to ports with high risk | 10
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EC2.21] Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389 | 1
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EC2.23] Amazon EC2 Transit Gateways should not automatically accept VPC attachment requests
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ECR.2] ECR private repositories should have tag immutability configured
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ECR.3] ECR repositories should have at least one lifecycle policy configured
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ECS.3] ECS task definitions should not share the host's process namespace
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ECS.8] Secrets should not be passed as container environment variables
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EFS.1] Elastic File System should be configured to encrypt file data at-rest using AWS KMS | 11
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EKS.2] EKS clusters should run on a supported Kubernetes version
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ElastiCache.4] ElastiCache replication groups should be encrypted at rest
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ELB.6] Application, Gateway, and Network Load Balancers should have deletion protection enabled
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ELB.7] Classic Load Balancers should have connection draining enabled
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ELB.12] Application Load Balancer should be configured with defensive or strictest desync mitigation mode
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ELB.14] Classic Load Balancer should be configured with defensive or strictest desync mitigation mode
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EMR.3] Amazon EMR security configurations should be encrypted at rest
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ES.1] Elasticsearch domains should have encryption at-rest enabled
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [FSx.1] FSx for OpenZFS file systems should be configured to copy tags to backups and volumes
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Kinesis.1] Kinesis streams should be encrypted at rest
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Lambda.2] Lambda functions should use supported runtimes
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Macie.1] Amazon Macie should be enabled
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Macie.2] Macie automated sensitive data discovery should be enabled
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Neptune.1] Neptune DB clusters should be encrypted at rest
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Neptune.4] Neptune DB clusters should have deletion protection enabled
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Neptune.6] Neptune DB cluster snapshots should be encrypted at rest
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Neptune.8] Neptune DB clusters should be configured to copy tags to snapshots
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [NetworkFirewall.3] Network Firewall policies should have at least one rule group associated
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [NetworkFirewall.4] The default stateless action for Network Firewall policies should be drop or forward for full packets
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [NetworkFirewall.5] The default stateless action for Network Firewall policies should be drop or forward for fragmented packets
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [NetworkFirewall.9] Network Firewall firewalls should have deletion protection enabled
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [NetworkFirewall.10] Network Firewall firewalls should have subnet change protection enabled
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Opensearch.1] OpenSearch domains should have encryption at rest enabled
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [PCA.1] AWS Private CA root certificate authority should be disabled
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [RDS.3] RDS DB instances should have encryption at-rest enabled | 11
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [RDS.4] RDS cluster snapshots and database snapshots should be encrypted at rest
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [RDS.16] RDS DB clusters should be configured to copy tags to snapshots
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [RDS.17] RDS DB instances should be configured to copy tags to snapshots
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [RDS.24] RDS Database clusters should use a custom administrator username
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [RDS.25] RDS database instances should use a custom administrator username
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [RDS.27] RDS DB clusters should be encrypted at rest
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Redshift.6] Amazon Redshift should have automatic upgrades to major versions enabled
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Redshift.8] Amazon Redshift clusters should not use the default Admin username
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Redshift.9] Redshift clusters should not use the default database name
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Redshift.10] Redshift clusters should be encrypted at rest
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [S3.6] S3 general purpose bucket policies should restrict access to other AWS accounts
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [SQS.1] Amazon SQS queues should be encrypted at rest
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [SSM.1] Amazon EC2 instances should be managed by AWS Systems Manager
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [SSM.3] Amazon EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANT
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [WAF.4] AWS WAF Classic Regional web ACLs should have at least one rule or rule group
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [WAF.6] AWS WAF Classic global rules should have at least one condition
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [WAF.7] AWS WAF Classic global rule groups should have at least one rule
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [WAF.10] AWS WAF web ACLs should have at least one rule or rule group

Sub Sections

Section | Sub Sections | Internal Rules | Policies | Flags
(none)

Policies (15)

Policy | Logic Count | Flags
📝 AWS Account EBS Volume Encryption Attribute is not enabled in all regions | 🟢 1 | 🟢 x6
📝 AWS CloudTrail is not encrypted with KMS CMK | 🟢 1 | 🟢 x6
📝 AWS EC2 Security Group allows public IPv4 (0.0.0.0/0) access to admin ports | 🟢 1 | 🟢 x6
📝 AWS EC2 Security Group allows public IPv6 (::/0) access to admin ports | 🟢 1 | 🟢 x6
📝 AWS EC2 Security Group allows unrestricted CIFS traffic | 🟢 1 | 🟢 x6
📝 AWS EC2 Security Group allows unrestricted FTP traffic | 🟢 1 | 🟢 x6
📝 AWS EC2 Security Group allows unrestricted RPC traffic | 🟢 1 | 🟢 x6
📝 AWS EC2 Security Group allows unrestricted SMTP traffic | 🟢 1 | 🟢 x6
📝 AWS EC2 Security Group allows unrestricted traffic to MSSQL | 🟢 1 | 🟢 x6
📝 AWS EC2 Security Group allows unrestricted traffic to MySQL | 🟢 1 | 🟢 x6
📝 AWS EC2 Security Group allows unrestricted traffic to PostgreSQL | 🟢 1 | 🟢 x6
📝 AWS EC2 Security Group allows unrestricted Telnet traffic | 🟢 1 | 🟢 x6
📝 AWS EFS File System encryption is not enabled | 🟢 1 | 🟢 x6
📝 AWS RDS Instance Encryption is not enabled | 🟢 1 | 🟢 x6
📝 AWS VPC Network ACL exposes admin ports to public internet ports | 🟢 1 | 🟢 x6