Networking Policies

How to Use this Page

This page lists the AWS Networking Policies that Bridgecrew helps you enforce. You can browse this page or search for a specific policy ID or short title. For each policy, follow the link for more details about the policy and its fix options.

Ensure AWS Security Group does not allow all traffic on SSH port 22
Policy ID: BC_AWS_NETWORKING_1

Ensure Security Groups do not allow ingress from 0.0.0.0/0 to port 3389
Policy ID: BC_AWS_NETWORKING_2

Ensure AWS Default Security Group restricts all traffic
Policy ID: BC_AWS_NETWORKING_4

Ensure VPC peering routing tables have least access
Policy ID: BC_AWS_NETWORKING_5

Ensure EC2 instances do not have security groups attached
Policy ID: BC_AWS_NETWORKING_6

Ensure AWS VPC endpoints are not exposed
Policy ID: BC_AWS_NETWORKING_9

Ensure Security Groups do not have unrestricted access
Policy ID: BC_AWS_NETWORKING_10

Ensure Security Groups accept traffic only from ports 80 and 443
Policy ID: BC_AWS_NETWORKING_11

Ensure EC2 instance does not have unrestricted security group attached
Policy ID: BC_AWS_NETWORKING_12

Ensure RDS database does not have unrestricted security group attached
Policy ID: BC_AWS_NETWORKING_13

Ensure network interface does not have unrestricted security group attached
Policy ID: BC_AWS_NETWORKING_14

Ensure classic load balancer does not have unrestricted security group attached
Policy ID: BC_AWS_NETWORKING_15

Ensure application load balancer does not have unrestricted security group attached
Policy ID: BC_AWS_NETWORKING_16

Ensure Security Group attached to EC2 instance does not allow inbound traffic from all to TCP port 9300 (Elasticsearch)
Policy ID: BC_AWS_NETWORKING_17

Ensure Security Group attached to EC2 instance does not allow inbound traffic from all to TCP port 5601 (Kibana)
Policy ID: BC_AWS_NETWORKING_18

Ensure Security Group attached to EC2 instance does not allow inbound traffic from all to TCP port 6379 (Redis)
Policy ID: BC_AWS_NETWORKING_19

Ensure Security Group attached to EC2 instance does not allow inbound traffic from all to TCP port 2379 (etcd)
Policy ID: BC_AWS_NETWORKING_20

Ensure Security Group attached to EC2 instance does not allow inbound traffic from all to TCP 27017 (MongoDB)
Policy ID: BC_AWS_NETWORKING_21

Ensure Security Group attached to EC2 instance does not allow inbound traffic from all to TCP 27018 (MongoDB)
Policy ID: BC_AWS_NETWORKING_22

Ensure Security Group attached to ELB instance does not allow inbound traffic from all to TCP 27017 (MongoDB)
Policy ID: BC_AWS_NETWORKING_23

Ensure Security Group attached to ELB instance does not allow inbound traffic from all to TCP 27018 (MongoDB)
Policy ID: BC_AWS_NETWORKING_24

Ensure Security Group attached to application load balancer instance does not allow inbound traffic from all to TCP 27017 (MongoDB)
Policy ID: BC_AWS_NETWORKING_25

Ensure Security Group attached to application load balancer instance does not allow inbound traffic from all to TCP 27018 (MongoDB)
Policy ID: BC_AWS_NETWORKING_26

Do not use default settings of a VPC
Policy ID: BC_AWS_NETWORKING_27

Ensure Internet-facing ELBs are whitelisted
Policy ID: BC_AWS_NETWORKING_28

Ensure ALB protocol is HTTPS
Policy ID: BC_AWS_NETWORKING_29

Ensure every Security Group rule has a description
Policy ID: BC_AWS_NETWORKING_31

Ensure CloudFront distribution ViewerProtocolPolicy is set to HTTPS
Policy ID: BC_AWS_NETWORKING_32

Ensure CloudFront distributions do not use deprecated SSL protocols
Policy ID: BC_AWS_NETWORKING_33

Ensure ELBs do not allow insecure SSL protocols or ciphers
Policy ID: BC_AWS_NETWORKING_34

Ensure EC2 instances behind load balancers are not publicly accessible
Policy ID: BC_AWS_NETWORKING_35

Ensure ELBs use SSL listeners
Policy ID: BC_AWS_NETWORKING_36

Ensure DocDB TLS is not disabled
Policy ID: BC_AWS_NETWORKING_37

Ensure AWS SageMaker notebook instance is configured with direct internet access feature
Policy ID: BC_AWS_NETWORKING_38

VPC endpoint service is configured for manual acceptance
Policy ID: BC_AWS_NETWORKING_39

Ensure Amazon EMR clusters' security groups are not open to the world
Policy ID: BC_AWS_NETWORKING_40

Ensure that ALB drops HTTP headers
Policy ID: BC_AWS_NETWORKING_41

Ensure that Elasticsearch is configured inside a VPC
Policy ID: BC_AWS_NETWORKING_42

Ensure ELB has cross-zone load balancing enabled
Policy ID: BC_AWS_NETWORKING_43

AWS Redshift Clusters Should Not Be Publicly Accessible
Policy ID: BC_AWS_NETWORKING_44

Ensure auto scaling groups associated with a load balancer use elastic load balancing health checks
Policy ID: BC_AWS_NETWORKING_46

Ensure AWS EC2 instance is configured with VPC
Policy ID: BC_AWS_NETWORKING_47

Ensure all EIP addresses allocated to a VPC are attached to EC2 instances or NAT Gateways
Policy ID: BC_AWS_NETWORKING_48

Ensure ALB redirects HTTP requests to HTTPS
Policy ID: BC_AWS_NETWORKING_49

Ensure all NACLs are attached to subnets
Policy ID: BC_AWS_NETWORKING_50

Ensure Security Groups are attached to EC2 instances or ENIs
Policy ID: BC_AWS_NETWORKING_51

Ensure S3 Bucket has public access blocks
Policy ID: BC_AWS_NETWORKING_52

Ensure VPC subnets do not assign public IP by default
Policy ID: BC_AWS_NETWORKING_53

Ensure no default VPC is planned to be provisioned
Policy ID: BC_AWS_NETWORKING_54

Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled
Policy ID: BC_AWS_NETWORKING_55

Ensure Redshift is not deployed outside of a VPC
Policy ID: BC_AWS_NETWORKING_56

Ensure Transfer Server is not exposed publicly
Policy ID: BC_AWS_NETWORKING_57

Ensure public-facing ALBs are protected by WAF
Policy ID: BC_AWS_NETWORKING_58

Ensure public API gateways are protected by WAF
Policy ID: BC_AWS_NETWORKING_59

Security Group modifications detected
Policy ID: BC_AWS_ALERT_3