Skip to main content

πŸ’Ό SC-13 Cryptographic Protection

Description​

a. Determine the [Assignment: organization-defined cryptographic uses]; and b. Implement the following types of cryptography required for each specified cryptographic use: [Assignment: organization-defined types of cryptography for each specified cryptographic use].

Similar​

  • Sections
    • /frameworks/aws-fsbp-v1.0.0/api-gateway/02
    • /frameworks/aws-fsbp-v1.0.0/api-gateway/05
    • /frameworks/aws-fsbp-v1.0.0/cloudfront/03
    • /frameworks/aws-fsbp-v1.0.0/cloudfront/07
    • /frameworks/aws-fsbp-v1.0.0/cloudfront/08
    • /frameworks/aws-fsbp-v1.0.0/cloudfront/10
    • /frameworks/aws-fsbp-v1.0.0/cloudtrail/02
    • /frameworks/aws-fsbp-v1.0.0/codebuild/03
    • /frameworks/aws-fsbp-v1.0.0/data-firehouse/01
    • /frameworks/aws-fsbp-v1.0.0/dms/09
    • /frameworks/aws-fsbp-v1.0.0/dms/12
    • /frameworks/aws-fsbp-v1.0.0/documentdb/01
    • /frameworks/aws-fsbp-v1.0.0/dynamodb/03
    • /frameworks/aws-fsbp-v1.0.0/dynamodb/07
    • /frameworks/aws-fsbp-v1.0.0/ec2/03
    • /frameworks/aws-fsbp-v1.0.0/ec2/07
    • /frameworks/aws-fsbp-v1.0.0/efs/01
    • /frameworks/aws-fsbp-v1.0.0/eks/03
    • /frameworks/aws-fsbp-v1.0.0/elasticache/04
    • /frameworks/aws-fsbp-v1.0.0/elasticache/05
    • /frameworks/aws-fsbp-v1.0.0/elb/01
    • /frameworks/aws-fsbp-v1.0.0/elb/02
    • /frameworks/aws-fsbp-v1.0.0/elb/03
    • /frameworks/aws-fsbp-v1.0.0/elb/08
    • /frameworks/aws-fsbp-v1.0.0/elb/17
    • /frameworks/aws-fsbp-v1.0.0/emr/04
    • /frameworks/aws-fsbp-v1.0.0/es/01
    • /frameworks/aws-fsbp-v1.0.0/es/03
    • /frameworks/aws-fsbp-v1.0.0/es/08
    • /frameworks/aws-fsbp-v1.0.0/kinesis/01
    • /frameworks/aws-fsbp-v1.0.0/msk/01
    • /frameworks/aws-fsbp-v1.0.0/neptune/01
    • /frameworks/aws-fsbp-v1.0.0/neptune/06
    • /frameworks/aws-fsbp-v1.0.0/opensearch/01
    • /frameworks/aws-fsbp-v1.0.0/opensearch/03
    • /frameworks/aws-fsbp-v1.0.0/opensearch/08
    • /frameworks/aws-fsbp-v1.0.0/rds/03
    • /frameworks/aws-fsbp-v1.0.0/rds/04
    • /frameworks/aws-fsbp-v1.0.0/rds/27
    • /frameworks/aws-fsbp-v1.0.0/redshift/02
    • /frameworks/aws-fsbp-v1.0.0/redshift/10
    • /frameworks/aws-fsbp-v1.0.0/s3/05
    • /frameworks/aws-fsbp-v1.0.0/sqs/01
  • Internal
    • ID: dec-c-76385c86

Similar Sections (Take Policies From)​

SectionSub SectionsInternal RulesPoliciesFlags
πŸ’Ό AWS Foundational Security Best Practices v1.0.0 β†’ πŸ’Ό [APIGateway.2] API Gateway REST API stages should be configured to use SSL certificates for backend authentication"11
πŸ’Ό AWS Foundational Security Best Practices v1.0.0 β†’ πŸ’Ό [APIGateway.5] API Gateway REST API cache data should be encrypted at rest
πŸ’Ό AWS Foundational Security Best Practices v1.0.0 β†’ πŸ’Ό [CloudFront.3] CloudFront distributions should require encryption in transit
πŸ’Ό AWS Foundational Security Best Practices v1.0.0 β†’ πŸ’Ό [CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates
πŸ’Ό AWS Foundational Security Best Practices v1.0.0 β†’ πŸ’Ό [CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests
πŸ’Ό AWS Foundational Security Best Practices v1.0.0 β†’ πŸ’Ό [CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins
πŸ’Ό AWS Foundational Security Best Practices v1.0.0 β†’ πŸ’Ό [CloudTrail.2] CloudTrail should have encryption at-rest enabled1
πŸ’Ό AWS Foundational Security Best Practices v1.0.0 β†’ πŸ’Ό [CodeBuild.3] CodeBuild S3 logs should be encrypted
πŸ’Ό AWS Foundational Security Best Practices v1.0.0 β†’ πŸ’Ό [DataFirehose.1] Firehose delivery streams should be encrypted at rest
πŸ’Ό AWS Foundational Security Best Practices v1.0.0 β†’ πŸ’Ό [DMS.9] DMS endpoints should use SSL
πŸ’Ό AWS Foundational Security Best Practices v1.0.0 β†’ πŸ’Ό [DMS.12] DMS endpoints for Redis OSS should have TLS enabled
πŸ’Ό AWS Foundational Security Best Practices v1.0.0 β†’ πŸ’Ό [DocumentDB.1] Amazon DocumentDB clusters should be encrypted at rest
πŸ’Ό AWS Foundational Security Best Practices v1.0.0 β†’ πŸ’Ό [DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest
πŸ’Ό AWS Foundational Security Best Practices v1.0.0 β†’ πŸ’Ό [DynamoDB.7] DynamoDB Accelerator clusters should be encrypted in transit
πŸ’Ό AWS Foundational Security Best Practices v1.0.0 β†’ πŸ’Ό [EC2.3] Attached Amazon EBS volumes should be encrypted at-rest
πŸ’Ό AWS Foundational Security Best Practices v1.0.0 β†’ πŸ’Ό [EC2.7] EBS default encryption should be enabled11
πŸ’Ό AWS Foundational Security Best Practices v1.0.0 β†’ πŸ’Ό [EFS.1] Elastic File System should be configured to encrypt file data at-rest using AWS KMS11
πŸ’Ό AWS Foundational Security Best Practices v1.0.0 β†’ πŸ’Ό [EKS.3] EKS clusters should use encrypted Kubernetes secrets
πŸ’Ό AWS Foundational Security Best Practices v1.0.0 β†’ πŸ’Ό [ElastiCache.4] ElastiCache replication groups should be encrypted at rest
πŸ’Ό AWS Foundational Security Best Practices v1.0.0 β†’ πŸ’Ό [ElastiCache.5] ElastiCache replication groups should be encrypted in transit
πŸ’Ό AWS Foundational Security Best Practices v1.0.0 β†’ πŸ’Ό [ELB.1] Application Load Balancer should be configured to redirect all HTTP requests to HTTPS
πŸ’Ό AWS Foundational Security Best Practices v1.0.0 β†’ πŸ’Ό [ELB.2] Classic Load Balancers with SSL/HTTPS listeners should use a certificate provided by AWS Certificate Manager
πŸ’Ό AWS Foundational Security Best Practices v1.0.0 β†’ πŸ’Ό [ELB.3] Classic Load Balancer listeners should be configured with HTTPS or TLS termination
πŸ’Ό AWS Foundational Security Best Practices v1.0.0 β†’ πŸ’Ό [ELB.8] Classic Load Balancers with SSL listeners should use a predefined security policy that has strong AWS Configuration
πŸ’Ό AWS Foundational Security Best Practices v1.0.0 β†’ πŸ’Ό [ELB.17] Application and Network Load Balancers with listeners should use recommended security policies
πŸ’Ό AWS Foundational Security Best Practices v1.0.0 β†’ πŸ’Ό [EMR.4] Amazon EMR security configurations should be encrypted in transit
πŸ’Ό AWS Foundational Security Best Practices v1.0.0 β†’ πŸ’Ό [ES.1] Elasticsearch domains should have encryption at-rest enabled
πŸ’Ό AWS Foundational Security Best Practices v1.0.0 β†’ πŸ’Ό [ES.3] Elasticsearch domains should encrypt data sent between nodes
πŸ’Ό AWS Foundational Security Best Practices v1.0.0 β†’ πŸ’Ό [ES.8] Connections to Elasticsearch domains should be encrypted using the latest TLS security policy
πŸ’Ό AWS Foundational Security Best Practices v1.0.0 β†’ πŸ’Ό [Kinesis.1] Kinesis streams should be encrypted at rest
πŸ’Ό AWS Foundational Security Best Practices v1.0.0 β†’ πŸ’Ό [MSK.1] MSK clusters should be encrypted in transit among broker nodes
πŸ’Ό AWS Foundational Security Best Practices v1.0.0 β†’ πŸ’Ό [Neptune.1] Neptune DB clusters should be encrypted at rest
πŸ’Ό AWS Foundational Security Best Practices v1.0.0 β†’ πŸ’Ό [Neptune.6] Neptune DB cluster snapshots should be encrypted at rest
πŸ’Ό AWS Foundational Security Best Practices v1.0.0 β†’ πŸ’Ό [Opensearch.1] OpenSearch domains should have encryption at rest enabled
πŸ’Ό AWS Foundational Security Best Practices v1.0.0 β†’ πŸ’Ό [Opensearch.3] OpenSearch domains should encrypt data sent between nodes
πŸ’Ό AWS Foundational Security Best Practices v1.0.0 β†’ πŸ’Ό [Opensearch.8] Connections to OpenSearch domains should be encrypted using the latest TLS security policy
πŸ’Ό AWS Foundational Security Best Practices v1.0.0 β†’ πŸ’Ό [RDS.3] RDS DB instances should have encryption at-rest enabled11
πŸ’Ό AWS Foundational Security Best Practices v1.0.0 β†’ πŸ’Ό [RDS.4] RDS cluster snapshots and database snapshots should be encrypted at rest
πŸ’Ό AWS Foundational Security Best Practices v1.0.0 β†’ πŸ’Ό [RDS.27] RDS DB clusters should be encrypted at rest
πŸ’Ό AWS Foundational Security Best Practices v1.0.0 β†’ πŸ’Ό [Redshift.2] Connections to Amazon Redshift clusters should be encrypted in transit
πŸ’Ό AWS Foundational Security Best Practices v1.0.0 β†’ πŸ’Ό [Redshift.10] Redshift clusters should be encrypted at rest
πŸ’Ό AWS Foundational Security Best Practices v1.0.0 β†’ πŸ’Ό [S3.5] S3 general purpose buckets should require requests to use SSL11
πŸ’Ό AWS Foundational Security Best Practices v1.0.0 β†’ πŸ’Ό [SQS.1] Amazon SQS queues should be encrypted at rest

Similar Sections (Give Policies To)​

SectionSub SectionsInternal RulesPoliciesFlags
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-13 Cryptographic Protection (L)(M)(H)1316
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό SC-13 Cryptographic Protection (L)(M)(H)16
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected81
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected68
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected66

Sub Sections​

SectionSub SectionsInternal RulesPoliciesFlags
πŸ’Ό SC-13(1) Cryptographic Protection _ FIPS-validated Cryptography
πŸ’Ό SC-13(2) Cryptographic Protection _ NSA-approved Cryptography
πŸ’Ό SC-13(3) Cryptographic Protection _ Individuals Without Formal Access Approvals
πŸ’Ό SC-13(4) Cryptographic Protection _ Digital Signatures

Policies (6)​

PolicyLogic CountFlags
πŸ“ AWS Account EBS Volume Encryption Attribute is not enabled in all regions 🟒1🟒 x6
πŸ“ AWS API Gateway REST API Stage is not configured to use an SSL certificate for authentication 🟒1🟒 x6
πŸ“ AWS CloudTrail is not encrypted with KMS CMK 🟒1🟒 x6
πŸ“ AWS EFS File System encryption is not enabled 🟒1🟒 x6
πŸ“ AWS RDS Instance Encryption is not enabled 🟒1🟒 x6
πŸ“ AWS S3 Bucket Policy is not set to deny HTTP requests 🟒1🟒 x6