Networking Policies
How to Use this Page
This page lists the AWS Networking Policies that Bridgecrew helps you enforce. You can browse this page, or search for a specific policy ID or short title. For each policy, follow the link for more details about that policy and its fix options.
Ensure AWS Security Group does not allow all traffic on SSH port 22
Policy ID: BC_AWS_NETWORKING_1
Ensure Security Groups do not allow ingress from 0.0.0.0/0 to port 3389
Policy ID: BC_AWS_NETWORKING_2
Ensure AWS Default Security Group restricts all traffic
Policy ID: BC_AWS_NETWORKING_4
Ensure VPC peering routing tables have least access
Policy ID: BC_AWS_NETWORKING_5
Ensure EC2 instances do not have security groups attached
Policy ID: BC_AWS_NETWORKING_6
Ensure AWS VPC endpoints are not exposed
Policy ID: BC_AWS_NETWORKING_9
Ensure Security Groups do not have unrestricted access
Policy ID: BC_AWS_NETWORKING_10
Ensure Security Groups accept traffic only from ports 80 and 443
Policy ID: BC_AWS_NETWORKING_11
Ensure EC2 instance does not have unrestricted security group attached
Policy ID: BC_AWS_NETWORKING_12
Ensure RDS database does not have unrestricted security group attached
Policy ID: BC_AWS_NETWORKING_13
Ensure network interface does not have unrestricted security group attached
Policy ID: BC_AWS_NETWORKING_14
Ensure classic load balancer does not have unrestricted security group attached
Policy ID: BC_AWS_NETWORKING_15
Ensure application load balancer does not have unrestricted security group attached
Policy ID: BC_AWS_NETWORKING_16
Ensure Security Group attached to EC2 instance does not allow inbound traffic from all to TCP port 9300 (Elasticsearch)
Policy ID: BC_AWS_NETWORKING_17
Ensure Security Group attached to EC2 instance does not allow inbound traffic from all to TCP port 5601 (Kibana)
Policy ID: BC_AWS_NETWORKING_18
Ensure Security Group attached to EC2 instance does not allow inbound traffic from all to TCP port 6379 (Redis)
Policy ID: BC_AWS_NETWORKING_19
Ensure Security Group attached to EC2 instance does not allow inbound traffic from all to TCP port 2379 (etcd)
Policy ID: BC_AWS_NETWORKING_20
Ensure Security Group attached to EC2 instance does not allow inbound traffic from all to TCP 27017 (MongoDB)
Policy ID: BC_AWS_NETWORKING_21
Ensure Security Group attached to EC2 instance does not allow inbound traffic from all to TCP 27018 (MongoDB)
Policy ID: BC_AWS_NETWORKING_22
Ensure Security Group attached to ELB instance does not allow inbound traffic from all to TCP 27017 (MongoDB)
Policy ID: BC_AWS_NETWORKING_23
Ensure Security Group attached to ELB instance does not allow inbound traffic from all to TCP 27018 (MongoDB)
Policy ID: BC_AWS_NETWORKING_24
Ensure Security Group attached to application load balancer instance does not allow inbound traffic from all to TCP 27017 (MongoDB)
Policy ID: BC_AWS_NETWORKING_25
Ensure Security Group attached to application load balancer instance does not allow inbound traffic from all to TCP 27018 (MongoDB)
Policy ID: BC_AWS_NETWORKING_26
Do not use default settings of a VPC
Policy ID: BC_AWS_NETWORKING_27
Ensure Internet-facing ELBs are whitelisted
Policy ID: BC_AWS_NETWORKING_28
Ensure ALB protocol is HTTPS
Policy ID: BC_AWS_NETWORKING_29
Ensure every Security Group rule has a description
Policy ID: BC_AWS_NETWORKING_31
Ensure CloudFront distribution ViewerProtocolPolicy is set to HTTPS
Policy ID: BC_AWS_NETWORKING_32
Ensure CloudFront distributions do not use deprecated SSL protocols
Policy ID: BC_AWS_NETWORKING_33
Ensure ELBs do not allow insecure SSL protocols or ciphers
Policy ID: BC_AWS_NETWORKING_34
Ensure EC2 instances behind load balancers are not publicly accessible
Policy ID: BC_AWS_NETWORKING_35
Ensure ELBs use SSL listeners
Policy ID: BC_AWS_NETWORKING_36
Ensure DocDB TLS is not disabled
Policy ID: BC_AWS_NETWORKING_37
Ensure AWS SageMaker notebook instance is configured with direct internet access feature
Policy ID: BC_AWS_NETWORKING_38
VPC endpoint service is configured for manual acceptance
Policy ID: BC_AWS_NETWORKING_39
Ensure Amazon EMR clusters' security groups are not open to the world
Policy ID: BC_AWS_NETWORKING_40
Ensure that ALB drops HTTP headers
Policy ID: BC_AWS_NETWORKING_41
Ensure that Elasticsearch is configured inside a VPC
Policy ID: BC_AWS_NETWORKING_42
Ensure ELB has cross-zone load balancing enabled
Policy ID: BC_AWS_NETWORKING_43
AWS Redshift Clusters Should Not Be Publicly Accessible
Policy ID: BC_AWS_NETWORKING_44
Ensure auto scaling groups associated with a load balancer use elastic load balancing health checks
Policy ID: BC_AWS_NETWORKING_46
Ensure AWS EC2 instance is configured with VPC
Policy ID: BC_AWS_NETWORKING_47
Ensure all EIP addresses allocated to a VPC are attached to EC2 instances or NAT Gateways
Policy ID: BC_AWS_NETWORKING_48
Ensure ALB redirects HTTP requests to HTTPS
Policy ID: BC_AWS_NETWORKING_49
Ensure all NACLs are attached to subnets
Policy ID: BC_AWS_NETWORKING_50
Ensure Security Groups are attached to EC2 instances or ENIs
Policy ID: BC_AWS_NETWORKING_51
Ensure S3 Bucket has public access blocks
Policy ID: BC_AWS_NETWORKING_52
Ensure VPC subnets do not assign public IP by default
Policy ID: BC_AWS_NETWORKING_53
Ensure no default VPC is planned to be provisioned
Policy ID: BC_AWS_NETWORKING_54
Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled
Policy ID: BC_AWS_NETWORKING_55
Ensure Redshift is not deployed outside of a VPC
Policy ID: BC_AWS_NETWORKING_56
Ensure Transfer Server is not exposed publicly
Policy ID: BC_AWS_NETWORKING_57
Ensure public-facing ALBs are protected by WAF
Policy ID: BC_AWS_NETWORKING_58
Ensure public API gateways are protected by WAF
Policy ID: BC_AWS_NETWORKING_59
Security Group modifications detected
Policy ID: BC_AWS_ALERT_3
Updated about 2 years ago