💼 SC-7(9) Boundary Protection | Restrict Threatening Outgoing Communications Traffic

ID: /frameworks/nist-sp-800-53-r5/sc/07/09

Description

(a) Detect and deny outgoing communications traffic posing a threat to external systems; and (b) Audit the identity of internal users associated with denied communications.

Similar

Sections
- /frameworks/aws-fsbp-v1.0.0/api-gateway/01
- /frameworks/aws-fsbp-v1.0.0/api-gateway/09
- /frameworks/aws-fsbp-v1.0.0/auto-scaling/05
- /frameworks/aws-fsbp-v1.0.0/cloudfront/05
- /frameworks/aws-fsbp-v1.0.0/cloudtrail/01
- /frameworks/aws-fsbp-v1.0.0/cloudtrail/05
- /frameworks/aws-fsbp-v1.0.0/codebuild/04
- /frameworks/aws-fsbp-v1.0.0/dms/01
- /frameworks/aws-fsbp-v1.0.0/dms/07
- /frameworks/aws-fsbp-v1.0.0/dms/08
- /frameworks/aws-fsbp-v1.0.0/documentdb/03
- /frameworks/aws-fsbp-v1.0.0/documentdb/04
- /frameworks/aws-fsbp-v1.0.0/ec2/01
- /frameworks/aws-fsbp-v1.0.0/ec2/09
- /frameworks/aws-fsbp-v1.0.0/ec2/15
- /frameworks/aws-fsbp-v1.0.0/ec2/25
- /frameworks/aws-fsbp-v1.0.0/ec2/51
- /frameworks/aws-fsbp-v1.0.0/ecs/02
- /frameworks/aws-fsbp-v1.0.0/ecs/09
- /frameworks/aws-fsbp-v1.0.0/eks/01
- /frameworks/aws-fsbp-v1.0.0/eks/08
- /frameworks/aws-fsbp-v1.0.0/elb/05
- /frameworks/aws-fsbp-v1.0.0/emr/01
- /frameworks/aws-fsbp-v1.0.0/emr/02
- /frameworks/aws-fsbp-v1.0.0/es/02
- /frameworks/aws-fsbp-v1.0.0/es/04
- /frameworks/aws-fsbp-v1.0.0/es/05
- /frameworks/aws-fsbp-v1.0.0/lambda/01
- /frameworks/aws-fsbp-v1.0.0/neptune/02
- /frameworks/aws-fsbp-v1.0.0/neptune/03
- /frameworks/aws-fsbp-v1.0.0/network-firewall/02
- /frameworks/aws-fsbp-v1.0.0/opensearch/02
- /frameworks/aws-fsbp-v1.0.0/opensearch/04
- /frameworks/aws-fsbp-v1.0.0/opensearch/05
- /frameworks/aws-fsbp-v1.0.0/route-53/02
- /frameworks/aws-fsbp-v1.0.0/rds/01
- /frameworks/aws-fsbp-v1.0.0/rds/09
- /frameworks/aws-fsbp-v1.0.0/rds/34
- /frameworks/aws-fsbp-v1.0.0/rds/40
- /frameworks/aws-fsbp-v1.0.0/rds/42
- /frameworks/aws-fsbp-v1.0.0/rds/45
- /frameworks/aws-fsbp-v1.0.0/redshift/01
- /frameworks/aws-fsbp-v1.0.0/redshift/04
- /frameworks/aws-fsbp-v1.0.0/redshift/07
- /frameworks/aws-fsbp-v1.0.0/s3/01
- /frameworks/aws-fsbp-v1.0.0/s3/02
- /frameworks/aws-fsbp-v1.0.0/s3/03
- /frameworks/aws-fsbp-v1.0.0/s3/09
- /frameworks/aws-fsbp-v1.0.0/s3/19
- /frameworks/aws-fsbp-v1.0.0/sagemaker/01
- /frameworks/aws-fsbp-v1.0.0/sagemaker/02
- /frameworks/aws-fsbp-v1.0.0/ssm/04
- /frameworks/aws-fsbp-v1.0.0/transfer-family/03
- /frameworks/aws-fsbp-v1.0.0/waf/01
- /frameworks/aws-fsbp-v1.0.0/waf/12
Internal
- ID: dec-c-5441a40d

Similar Sections (Take Policies From)

Section	Internal Rules	Policies	Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [APIGateway.1] API Gateway REST and WebSocket API execution logging should be enabled	1	1	no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [APIGateway.9] Access logging should be configured for API Gateway V2 Stages	1	1	no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [AutoScaling.5] Amazon EC2 instances launched using Auto Scaling group launch configurations should not have Public IP addresses	1	1	no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [CloudFront.5] CloudFront distributions should have logging enabled	1	1	no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [CloudTrail.1] CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events	1	1	no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [CloudTrail.5] CloudTrail trails should be integrated with Amazon CloudWatch Logs			no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [CodeBuild.4] CodeBuild project environments should have a logging AWS Configuration			no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [DMS.1] Database Migration Service replication instances should not be public	1	1	no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [DMS.7] DMS replication tasks for the target database should have logging enabled		1	no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [DMS.8] DMS replication tasks for the source database should have logging enabled		1	no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [DocumentDB.3] Amazon DocumentDB manual cluster snapshots should not be public			no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [DocumentDB.4] Amazon DocumentDB clusters should publish audit logs to CloudWatch Logs		1	no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EC2.1] Amazon EBS snapshots should not be publicly restorable		1	no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EC2.9] Amazon EC2 instances should not have a public IPv4 address		1	no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EC2.15] Amazon EC2 subnets should not automatically assign public IP addresses		1	no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EC2.25] Amazon EC2 launch templates should not assign public IPs to network interfaces			no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EC2.51] EC2 Client VPN endpoints should have client connection logging enabled			no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ECS.2] ECS services should not have public IP addresses assigned to them automatically		1	no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ECS.9] ECS task definitions should have a logging configuration		1	no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EKS.1] EKS cluster endpoints should not be publicly accessible		1	no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EKS.8] EKS clusters should have audit logging enabled		1	no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ELB.5] Application and Classic Load Balancers logging should be enabled		1	no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EMR.1] Amazon EMR cluster primary nodes should not have public IP addresses			no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EMR.2] Amazon EMR block public access setting should be enabled			no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ES.2] Elasticsearch domains should not be publicly accessible		1	no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ES.4] Elasticsearch domain error logging to CloudWatch Logs should be enabled		1	no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ES.5] Elasticsearch domains should have audit logging enabled		1	no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Lambda.1] Lambda function policies should prohibit public access		1	no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Neptune.2] Neptune DB clusters should publish audit logs to CloudWatch Logs		1	no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Neptune.3] Neptune DB cluster snapshots should not be public			no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [NetworkFirewall.2] Network Firewall logging should be enabled			no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Opensearch.2] OpenSearch domains should not be publicly accessible		1	no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Opensearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled		1	no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Opensearch.5] OpenSearch domains should have audit logging enabled		1	no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [RDS.1] RDS snapshot should be private	1	1	no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [RDS.9] RDS DB instances should publish logs to CloudWatch Logs		1	no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [RDS.34] Aurora MySQL DB clusters should publish audit logs to CloudWatch Logs		1	no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [RDS.40] RDS for SQL Server DB instances should publish logs to CloudWatch Logs		1	no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [RDS.42] RDS for MariaDB DB instances should publish logs to CloudWatch Logs			no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [RDS.45] Aurora MySQL DB clusters should have audit logging enabled			no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Redshift.1] Amazon Redshift clusters should prohibit public access		1	no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Redshift.4] Amazon Redshift clusters should have audit logging enabled		1	no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Redshift.7] Redshift clusters should use enhanced VPC routing		1	no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Route53.2] Route 53 public hosted zones should log DNS queries			no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [S3.1] S3 general purpose buckets should have block public access settings enabled		1	no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [S3.2] S3 general purpose buckets should block public read access		2	no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [S3.3] S3 general purpose buckets should block public write access		2	no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [S3.9] S3 general purpose buckets should have server access logging enabled	1	2	no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [S3.19] S3 access points should have block public access settings enabled		1	no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [SageMaker.1] Amazon SageMaker AI notebook instances should not have direct internet access		1	no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [SageMaker.2] SageMaker AI notebook instances should be launched in a custom VPC		1	no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [SSM.4] SSM documents should not be public			no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Transfer.3] Transfer Family connectors should have logging enabled			no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [WAF.1] AWS WAF Classic Global Web ACL logging should be enabled			no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [WAF.12] AWS WAF rules should have CloudWatch metrics enabled			no data

Sub Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance

Policies (34)

Policy	Logic Count	Flags	Compliance
🛡️ AWS Account Multi-Region CloudTrail is not enabled🟢	1	🟢 x6	no data
🛡️ AWS API Gateway API Access Logging in CloudWatch is not enabled🟢	1	🟠 x1, 🟢 x5	no data
🛡️ AWS API Gateway API Execution Logging in CloudWatch is not enabled🟢	1	🟢 x6	no data
🛡️ AWS CloudFront Distribution Logging is not enabled🟢	1	🟢 x6	no data
🛡️ AWS CloudTrail S3 Bucket Access Logging is not enabled.🟢	1	🟢 x6	no data
🛡️ AWS DMS Migration Task Logging is not enabled🟢	1	🟢 x6	no data
🛡️ AWS DMS Replication Instance is publicly accessible🟢	1	🟢 x6	no data
🛡️ AWS EBS Snapshot is publicly accessible🟢	1	🟢 x6	no data
🛡️ AWS EC2 Auto Scaling Group behind ELB assigns public IP to instances🟢	1	🟢 x6	no data
🛡️ AWS EC2 Instance with an auto-assigned public IP address is in a default subnet🟢	1	🟢 x6	no data
🛡️ AWS ECS Service automatically assigns public IP addresses🟢	1	🟢 x6	no data
🛡️ AWS ECS Task Definition logging is not configured🟢	1	🟢 x6	no data
🛡️ AWS EKS Cluster allows unrestricted public traffic🟢	1	🟢 x6	no data
🛡️ AWS EKS Cluster Logging is not enabled for all control plane logs types🟢	1	🟢 x6	no data
🛡️ AWS ELB Load Balancer Access Logging is disabled🟢	1	🟢 x6	no data
🛡️ AWS Lambda Function allows public access🟢	1	🟠 x1, 🟢 x5	no data
🛡️ AWS Lambda Function is not in a VPC🟢	1	🟢 x6	no data
🛡️ AWS OpenSearch Domain audit logging is not enabled🟢	1	🟢 x6	no data
🛡️ AWS OpenSearch Domain error logging is not enabled🟢	1	🟢 x6	no data
🛡️ AWS OpenSearch Domain has a public endpoint🟢	1	🟢 x6	no data
🛡️ AWS RDS Cluster database logging is not enabled🟢	1	🟢 x6	no data
🛡️ AWS RDS Instance database logging is not enabled🟢	1	🟢 x6	no data
🛡️ AWS RDS Snapshot is publicly accessible🟢	1	🟢 x6	no data
🛡️ AWS Redshift Cluster Audit Logging is not enabled🟢	1	🟢 x6	no data
🛡️ AWS Redshift Cluster Enhanced VPC Routing is not enabled🟢	1	🟢 x6	no data
🛡️ AWS Redshift Cluster is publicly accessible🟢	1	🟢 x6	no data
🛡️ AWS S3 Access Point is not configured to block public access🟢	1	🟢 x6	no data
🛡️ AWS S3 Bucket ACL allows public read or write access🟢	1	🟢 x6	no data
🛡️ AWS S3 Bucket is not configured to block public access🟢	1	🟢 x6	no data
🛡️ AWS S3 Bucket Policy allows public read or write access🟢	1	🟢 x6	no data
🛡️ AWS S3 Bucket Server Access Logging is not enabled🟢	1	🟢 x6	no data
🛡️ AWS SageMaker Notebook Instance Direct Internet Access is not disabled🟢	1	🟢 x6	no data
🛡️ AWS SageMaker Notebook Instance is not in a VPC🟢	1	🟢 x6	no data
🛡️ AWS VPC Subnet Map Public IP On Launch is enabled🟢	1	🟢 x6	no data

Description​

Similar​

Similar Sections (Take Policies From)​

Sub Sections​

Policies (34)​

Description

Similar

Similar Sections (Take Policies From)

Sub Sections

Policies (34)