This requirement applies to inbound and outbound network communications traffic at the system boundary and at identified points within the system. A deny-all, permit-by-exception network communications traffic policy ensures that only those connections which are essential and approved are allowed. 

Priority: High

CategorySecurity Architecture

Services Associated with AWS:

  1. Amazon VPC
  2. AWS Network Firewall
  3. AWS WAF
  4. AWS Security Groups
  5. Amazon GuardDuty

Objective Evidence:

  • Administrative: documented policies, standards & procedures
  • Administrative: supporting documentation to demonstrate how IT Asset Management  (ITAM) is implemented
  • Administrative: supporting documentation to demonstrate the ""secure practices"" used to build technology platform-specific secure baseline configurations
  • Technical: screen shot of Configuration Management Database (CMDB) console
  • Technical: screen shot of firewall configurations"

Possible Technology Considerations

  • Access Control List (ACL)

What needs to be answered?

Are all business need exceptions to network communications traffic (inbound/outbound) “deny all” policies documented? Does the system deny network traffic by default and allow network traffic by exception?

  • Deny-By-Default Network Communications
    Description This check confirms that the network communications traffic is denied by default, and only permitted traffic is explicitly defined and allowed. This applies to both inbound and outbound traffic at the system boundary and within the system.
  • Allow-By-Exception Network Communications
    Description This check ensures that a deny-all, permit-by-exception policy is implemented, meaning only essential and approved network communications are allowed.
  • Network Communications Traffic Control
    Description This check verifies that robust control measures are in place for network communications traffic, including monitoring, blocking, and allowing specific traffic based on defined policies.

More Details:

Connections set to deny all rules unless provided with specific access credentials.