Skip to main content

💼 1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.

  • ID: /frameworks/pci-dss-v3.2.1/01/02/01

Description

Empty...

Similar

  • Sections
    • /frameworks/pci-dss-v4.0/01/03/01
    • /frameworks/pci-dss-v4.0/01/03/02
    • /frameworks/aws-fsbp-v1.0.0/dms/01
    • /frameworks/aws-fsbp-v1.0.0/ec2/01
    • /frameworks/aws-fsbp-v1.0.0/ec2/02
    • /frameworks/aws-fsbp-v1.0.0/emr/01
    • /frameworks/aws-fsbp-v1.0.0/es/02
    • /frameworks/aws-fsbp-v1.0.0/lambda/01
    • /frameworks/aws-fsbp-v1.0.0/opensearch/01
    • /frameworks/aws-fsbp-v1.0.0/opensearch/02
    • /frameworks/aws-fsbp-v1.0.0/rds/01
    • /frameworks/aws-fsbp-v1.0.0/rds/02
    • /frameworks/aws-fsbp-v1.0.0/redshift/01
    • /frameworks/aws-fsbp-v1.0.0/s3/01
    • /frameworks/aws-fsbp-v1.0.0/s3/02
    • /frameworks/aws-fsbp-v1.0.0/s3/03
    • /frameworks/aws-fsbp-v1.0.0/sagemaker/01
  • Internal
    • ID: dec-c-dba9d399

Similar Sections (Take Policies From)

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [DMS.1] Database Migration Service replication instances should not be public11no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EC2.1] Amazon EBS snapshots should not be publicly restorable1no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EC2.2] VPC default security groups should not allow inbound or outbound traffic1no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EMR.1] Amazon EMR cluster primary nodes should not have public IP addressesno data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ES.2] Elasticsearch domains should not be publicly accessible1no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Lambda.1] Lambda function policies should prohibit public access1no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Opensearch.1] OpenSearch domains should have encryption at rest enabled1no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Opensearch.2] OpenSearch domains should not be publicly accessible1no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [RDS.1] RDS snapshot should be private11no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [RDS.2] RDS DB Instances should prohibit public access, as determined by the PubliclyAccessible configuration11no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Redshift.1] Amazon Redshift clusters should prohibit public access1no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [S3.1] S3 general purpose buckets should have block public access settings enabled1no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [S3.2] S3 general purpose buckets should block public read access2no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [S3.3] S3 general purpose buckets should block public write access2no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [SageMaker.1] Amazon SageMaker AI notebook instances should not have direct internet access1no data
💼 PCI DSS v4.0 → 💼 1.3.1 Inbound traffic to the CDE is restricted.967no data
💼 PCI DSS v4.0 → 💼 1.3.2 Outbound traffic from the CDE is restricted.67no data

Similar Sections (Give Policies To)

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
💼 PCI DSS v4.0 → 💼 1.3.1 Inbound traffic to the CDE is restricted.967no data
💼 PCI DSS v4.0 → 💼 1.3.2 Outbound traffic from the CDE is restricted.67no data

Sub Sections

SectionSub SectionsInternal RulesPoliciesFlagsCompliance

Policies (67)

PolicyLogic CountFlagsCompliance
🛡️ AWS DMS Replication Instance is publicly accessible🟢1🟢 x6no data
🛡️ AWS EBS Snapshot is publicly accessible🟢1🟢 x6no data
🛡️ AWS EC2 Default Security Group does not restrict all traffic🟢1🟢 x6no data
🛡️ AWS EC2 Security Group allows unrestricted CIFS traffic🟢1🟢 x6no data
🛡️ AWS EC2 Security Group allows unrestricted DNS traffic🟢1🟢 x6no data
🛡️ AWS EC2 Security Group allows unrestricted FTP traffic🟢1🟢 x6no data
🛡️ AWS EC2 Security Group allows unrestricted ICMP traffic🟢1🟢 x6no data
🛡️ AWS EC2 Security Group allows unrestricted NetBIOS traffic🟢1🟢 x6no data
🛡️ AWS EC2 Security Group allows unrestricted RPC traffic🟢1🟢 x6no data
🛡️ AWS EC2 Security Group allows unrestricted SMTP traffic🟢1🟢 x6no data
🛡️ AWS EC2 Security Group allows unrestricted traffic to MongoDB🟢1🟢 x6no data
🛡️ AWS EC2 Security Group allows unrestricted traffic to MSSQL🟢1🟢 x6no data
🛡️ AWS EC2 Security Group allows unrestricted traffic to MySQL🟢1🟢 x6no data
🛡️ AWS EC2 Security Group allows unrestricted traffic to Oracle DBMS🟢1🟢 x6no data
🛡️ AWS EC2 Security Group allows unrestricted traffic to PostgreSQL🟢1🟢 x6no data
🛡️ AWS Lambda Function allows public access🟢1🟠 x1, 🟢 x5no data
🛡️ AWS Lambda Function is not in a VPC🟢1🟢 x6no data
🛡️ AWS OpenSearch Domain has a public endpoint🟢1🟢 x6no data
🛡️ AWS OpenSearch Domain is not encrypted at rest🟢1🟢 x6no data
🛡️ AWS RDS Instance is publicly accessible🟢1🟢 x6no data
🛡️ AWS RDS Snapshot is publicly accessible🟢1🟢 x6no data
🛡️ AWS Redshift Cluster is publicly accessible🟢1🟢 x6no data
🛡️ AWS Redshift Cluster security group allows unrestricted access on the cluster port🟢1🟢 x6no data
🛡️ AWS S3 Bucket ACL allows public read or write access🟢1🟢 x6no data
🛡️ AWS S3 Bucket is not configured to block public access🟢1🟢 x6no data
🛡️ AWS S3 Bucket Policy allows public read or write access🟢1🟢 x6no data
🛡️ AWS SageMaker Notebook Instance Direct Internet Access is not disabled🟢1🟢 x6no data
🛡️ AWS VPC Network ACL exposes admin ports to public internet ports🟢1🟢 x6no data
🛡️ Azure Cosmos DB Account Virtual Network Filter is not enabled🟢1🟢 x6no data
🛡️ Azure Network Security Group allows public access to HTTP(S) ports🟢1🟢 x6no data
🛡️ Azure SQL Database allows ingress from 0.0.0.0/0 (ANY IP)🟢1🟢 x6no data
🛡️ Google BigQuery Dataset is anonymously or publicly accessible🟢1🟢 x6no data
🛡️ Google Cloud MySQL Instance Skip_show_database Database Flag is not set to on🟢1🟢 x6no data
🛡️ Google Cloud SQL Instance External Authorized Networks whitelists all public IP addresses🟢1🟢 x6no data
🛡️ Google Cloud SQL Instance has public IP addresses🟢1🟢 x6no data
🛡️ Google Cloud SQL Server Instance cross db ownership chaining Database Flag is not set to off🟢1🟢 x6no data
🛡️ Google GCE Instance has a public IP address🟢1🟢 x6no data
🛡️ Google GCE Network allows unrestricted CiscoSecure/WebSM traffic🟢1🟢 x6no data
🛡️ Google GCE Network allows unrestricted DNS traffic🟢1🟢 x6no data
🛡️ Google GCE Network allows unrestricted FTP traffic🟢1🟢 x6no data
🛡️ Google GCE Network allows unrestricted HTTP traffic🟢1🟢 x6no data
🛡️ Google GCE Network allows unrestricted LDAP traffic🟢1🟢 x6no data
🛡️ Google GCE Network allows unrestricted NetBIOS traffic🟢1🟢 x6no data
🛡️ Google GCE Network allows unrestricted POP3 traffic🟢1🟢 x6no data
🛡️ Google GCE Network allows unrestricted SMTP traffic🟢1🟢 x6no data
🛡️ Google GCE Network allows unrestricted SSH traffic🟢1🟢 x6no data
🛡️ Google GCE Network allows unrestricted traffic to all ports🟢1🟢 x6no data
🛡️ Google GCE Network allows unrestricted traffic to Cassandra🟢1🟢 x6no data
🛡️ Google GCE Network allows unrestricted traffic to Directory services"🟢1🟢 x6no data
🛡️ Google GCE Network allows unrestricted traffic to Elasticsearch🟢1🟢 x6no data
🛡️ Google GCE Network allows unrestricted traffic to Memcached🟢1🟢 x6no data
🛡️ Google GCE Network allows unrestricted traffic to MongoDB🟢1🟢 x6no data
🛡️ Google GCE Network allows unrestricted traffic to MySQL🟢1🟢 x6no data
🛡️ Google GCE Network allows unrestricted traffic to OracleDB🟢1🟢 x6no data
🛡️ Google GCE Network allows unrestricted traffic to PostgreSQL🟢1🟢 x6no data
🛡️ Google GCE Network allows unrestricted traffic to Redis🟢1🟢 x6no data
🛡️ Google GCE Network allows unrestricted Telnet traffic🟢1🟢 x6no data
🛡️ Google GKE Cluster Control Plane Authorized Networks are disabled🟢1🟢 x6no data
🛡️ Google IAM Users are assigned the Service Account User or Service Account Token Creator roles at Project level🟢1🟢 x6no data
🛡️ Google KMS Crypto Key is anonymously or publicly accessible🟠🟢⚪🟠 x1, 🟢 x2, ⚪ x1no data
🛡️ Google Logging Log Sink exports logs to a Storage Bucket without Bucket Lock🟢1🟢 x6no data
🛡️ Google Project with KMS keys has a principal with Owner role🟢1🟢 x6no data
🛡️ Google Storage Bucket is anonymously or publicly accessible🟢1🟢 x6no data
🛡️ Google Storage Bucket Uniform Bucket-Level Access is not enabled🟢1🟢 x6no data
🛡️ Google User has both Service Account Admin and Service Account User roles assigned🟢1🟢 x6no data
🛡️ Oracle IAAS Security List allows unrestricted RDP traffic🟢1🟢 x6no data
🛡️ Oracle IAAS Security List allows unrestricted SSH traffic🟢1🟢 x6no data

Internal Rules

RulePoliciesFlags
✉️ dec-x-3e379c671
✉️ dec-x-6eab9b881
✉️ dec-x-11c3009f1
✉️ dec-x-42a090841
✉️ dec-x-293ab45b1
✉️ dec-x-66358b451
✉️ dec-x-ca1c0c0d1
✉️ dec-x-f12d78aa1
✉️ dec-z-dbeeed9f1
✉️ dec-z-f778950c1