npm - @cyberstrike-io/cyberstrike - Versions diffs - 1.1.9 → 1.1.10-beta.1 - Mend

@cyberstrike-io/cyberstrike 1.1.9 → 1.1.10-beta.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (568) hide show

package/skill/CIS_benchmarks/AWS/CIS_AWS_Storage_Services_Benchmark_v1.0.0/cis-aws-storage-3.11/SKILL.md ADDED Viewed

@@ -0,0 +1,132 @@
+---
+name: cis-aws-storage-3.11
+description: "Ensure accessing Points and IAM Policies for EFS"
+category: cis-storage-services
+version: "1.0.0"
+author: cyberstrike-official
+tags: [cis, aws, storage, efs, iam, access-points, elasticfilesystem, access-control]
+cis_id: "3.11"
+cis_benchmark: "CIS AWS Storage Services Benchmark v1.0.0"
+tech_stack: [aws]
+cwe_ids: []
+chains_with: [cis-aws-storage-3.10]
+prerequisites: []
+severity_boost: {}
+---
+# 3.11 Ensure accessing Points and IAM Policies (Manual)
+## Profile Applicability
+- Level 2
+## Description
+You can use IAM policies to control access to your EFS access points. To achieve this, utilize the `elasticfilesystem:AccessPointArn` IAM condition key. The `AccessPointArn` represents the Amazon Resource Name (ARN) of the access point that the file system is mounted with.
+## Rationale
+The rationale for using IAM policies with the `elasticfilesystem:AccessPointArn` condition key is to ensure precise and secure access control to EFS access points. By specifying the access point's ARN, you can restrict interactions to authorized users and resources only, thereby enhancing data security and preventing unauthorized access. This approach maintains the integrity and confidentiality of your data within the AWS environment.
+## Impact
+Without using IAM policies with the `elasticfilesystem:AccessPointArn` condition key, access control to EFS access points becomes less precise, increasing the risk of unauthorized access. This lack of granular control can lead to potential security breaches, data exposure, and compliance violations. Consequently, your organization may face data integrity issues, financial losses, and damage to its reputation.
+## Audit Procedure
+### Console
+Below is a sample IAM policy copied from the AWS documentation:
+```json
+{
+  "Version": "2012-10-17",
+  "Id": "MyFileSystemPolicy",
+  "Statement": [
+    {
+      "Sid": "App1Access",
+      "Effect": "Allow",
+      "Principal": { "AWS": "arn:aws:iam::111122223333:role/app1" },
+      "Action": ["elasticfilesystem:ClientMount", "elasticfilesystem:ClientWrite"],
+      "Condition": {
+        "StringEquals": {
+          "elasticfilesystem:AccessPointArn": "arn:aws:elasticfilesystem:us-east-1:222233334444:access-point/fsap-01234567"
+        }
+      }
+    },
+    {
+      "Sid": "App2Access",
+      "Effect": "Allow",
+      "Principal": { "AWS": "arn:aws:iam::111122223333:role/app2" },
+      "Action": ["elasticfilesystem:ClientMount", "elasticfilesystem:ClientWrite"],
+      "Condition": {
+        "StringEquals": {
+          "elasticfilesystem:AccessPointArn": "arn:aws:elasticfilesystem:us-east-1:222233334444:access-point/fsap-89abcdef"
+        }
+      }
+    }
+  ]
+}
+```
+This policy demonstrates:
+- Using the `elasticfilesystem:AccessPointArn` condition to restrict access to specific access points
+- Granting `ClientMount` and `ClientWrite` permissions to specific IAM roles
+- Associating different roles with different access points
+## Expected Result
+- IAM policies should use the `elasticfilesystem:AccessPointArn` condition key
+- Policies should restrict access to specific access points via their ARN
+- Only authorized principals should have ClientMount and ClientWrite permissions
+- Each access point should have appropriate IAM policy restrictions
+## Remediation
+### Console
+Implement IAM policies that use the `elasticfilesystem:AccessPointArn` condition key:
+1. Create or update IAM policies for EFS access
+2. Include the `elasticfilesystem:AccessPointArn` condition key
+3. Specify the ARN of the access point in the condition
+4. Grant only necessary permissions (ClientMount, ClientWrite, etc.)
+5. Assign policies to appropriate IAM roles/users
+6. Review and test access control regularly
+Example policy structure:
+```json
+{
+  "Effect": "Allow",
+  "Principal": { "AWS": "arn:aws:iam::ACCOUNT:role/ROLE" },
+  "Action": ["elasticfilesystem:ClientMount", "elasticfilesystem:ClientWrite"],
+  "Condition": {
+    "StringEquals": {
+      "elasticfilesystem:AccessPointArn": "arn:aws:elasticfilesystem:REGION:ACCOUNT:access-point/ACCESS_POINT_ID"
+    }
+  }
+}
+```
+## Default Value
+By default, no IAM policies are automatically created for EFS access points. Users must explicitly create and configure IAM policies with appropriate condition keys to control access.
+## References
+1. https://docs.aws.amazon.com/efs/latest/ug/efs-access-points.html
+## CIS Controls
+| Controls Version | Control                                                                                                                                                                                                                                                                                                                                                                                                                        | IG 1 | IG 2 | IG 3 |
+| ---------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---- | ---- | ---- |
+| v8               | 3.3 Configure Data Access Control Lists<br/>Configure data access control lists based on a user's need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.                                                                                                                                                                              | ●    | ●    | ●    |
+| v8               | 6.8 Define and Maintain Role-Based Access Control<br/>Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently. |      |      | ●    |
+| v7               | 1.7 Deploy Port Level Access Control<br/>Utilize port level access control, following 802.1x standards, to control which devices can authenticate to the network. The authentication system shall be tied into the hardware asset inventory data to ensure only authorized devices can connect to the network.                                                                                                                 |      | ●    | ●    |
+| v7               | 14.6 Protect Information through Access Control Lists<br/>Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.                       | ●    | ●    | ●    |
+## Profile
+Level 2

package/skill/CIS_benchmarks/AWS/CIS_AWS_Storage_Services_Benchmark_v1.0.0/cis-aws-storage-3.12/SKILL.md ADDED Viewed

@@ -0,0 +1,98 @@
+---
+name: cis-aws-storage-3.12
+description: "Ensure configuring IAM for AWS Elastic Disaster Recovery"
+category: cis-storage-services
+version: "1.0.0"
+author: cyberstrike-official
+tags: [cis, aws, storage, efs, disaster-recovery, iam, drs, replication, failback]
+cis_id: "3.12"
+cis_benchmark: "CIS AWS Storage Services Benchmark v1.0.0"
+tech_stack: [aws]
+cwe_ids: []
+chains_with: []
+prerequisites: []
+severity_boost: {}
+---
+# 3.12 Ensure configuring IAM for AWS Elastic Disaster Recovery (Manual)
+## Profile Applicability
+- Level 2
+## Description
+Before installing the AWS Elastic Disaster Recovery client, you need to configure AWS IAM permissions and users for both the AWS Replication and AWS Failback Client.
+## Rationale
+Configuring AWS IAM permissions and users before installing the AWS Elastic Disaster Recovery client ensures that the AWS Replication and AWS Failback Client have the necessary access rights. This setup is essential for maintaining security and preventing unauthorized access. Proper IAM configuration guarantees the smooth operation of disaster recovery processes, safeguarding your data and ensuring system reliability.
+## Impact
+Without proper IAM configuration for AWS Elastic Disaster Recovery, the AWS Replication and AWS Failback Client may lack the necessary access rights, leading to failed disaster recovery operations. This can result in data loss, prolonged downtime, and compromised system reliability. Additionally, inadequate IAM permissions increase the risk of unauthorized access, potentially exposing sensitive data and causing security breaches. Consequently, your organization may face significant operational disruptions, financial losses, and damage to its reputation.
+## Audit Procedure
+### Console
+To create DRS Agent User, follow following steps:
+1. Navigate to the AWS IAM Console - https://us-east-1.console.aws.amazon.com/iam/home?region=us-east-1#/home
+2. Create new user. This user will only be able to access the Elastic disaster recovery agent installation resource. Accordingly, name the user "DSRuser".
+3. Allow Programmatic access: This allows the user to access resources programmatically with a secure key rather than having to enter a password.
+4. Select "attach policies directly" and search for "AWSElasticDisasterRecoveryAgentInstallationPolicy".
+5. Create user.
+To create Failback Agent User, Follow the steps above with these two modifications:
+1. Name the user "FailbackAgentuser".
+2. Apply the "AWSElasticDisasterRecoveryFailbackInstallationPolicy".
+## Expected Result
+- IAM user "DSRuser" should be created with programmatic access
+- "AWSElasticDisasterRecoveryAgentInstallationPolicy" should be attached to DSRuser
+- IAM user "FailbackAgentuser" should be created with programmatic access
+- "AWSElasticDisasterRecoveryFailbackInstallationPolicy" should be attached to FailbackAgentuser
+- Both users should have appropriate access keys configured
+## Remediation
+### Console
+Configure IAM Credentials for AWS Elastic Disaster Recovery:
+1. **Create DRS Agent User**:
+   - Navigate to AWS IAM Console: https://us-east-1.console.aws.amazon.com/iam/home?region=us-east-1#/home
+   - Create new user named "DSRuser"
+   - Enable "Programmatic access"
+   - Attach policy: "AWSElasticDisasterRecoveryAgentInstallationPolicy"
+   - Create user and save access keys
+2. **Create Failback Agent User**:
+   - Create new user named "FailbackAgentuser"
+   - Enable "Programmatic access"
+   - Attach policy: "AWSElasticDisasterRecoveryFailbackInstallationPolicy"
+   - Create user and save access keys
+3. **Secure Access Keys**:
+   - Store access keys securely
+   - Rotate keys regularly
+   - Monitor usage via CloudTrail
+## Default Value
+By default, AWS does not create IAM users or attach policies for Elastic Disaster Recovery. Users must explicitly create these IAM users and attach the required managed policies.
+## References
+1. https://us-east-1.console.aws.amazon.com/iam/home?region=us-east-1#/home
+## CIS Controls
+This control does not have specific CIS Controls mappings in the original document, but it aligns with general IAM and disaster recovery best practices.
+## Profile
+Level 2

package/skill/CIS_benchmarks/AWS/CIS_AWS_Storage_Services_Benchmark_v1.0.0/cis-aws-storage-3.2/SKILL.md ADDED Viewed

@@ -0,0 +1,100 @@
+---
+name: cis-aws-storage-3.2
+description: "Ensure Implementation of EFS for managed file system deployment"
+category: cis-storage-services
+version: "1.0.0"
+author: cyberstrike-official
+tags: [cis, aws, storage, efs, file-system, automation, nfs]
+cis_id: "3.2"
+cis_benchmark: "CIS AWS Storage Services Benchmark v1.0.0"
+tech_stack: [aws]
+cwe_ids: []
+chains_with: [cis-aws-storage-3.1, cis-aws-storage-3.3, cis-aws-storage-3.7]
+prerequisites: []
+severity_boost: {}
+---
+# 3.2 Ensure Implementation of EFS (Manual)
+## Profile Applicability
+- Level 2
+## Description
+AWS EFS is a fully managed storage service that enables rapid file system deployment without the need for configuration, patching, or maintenance.
+## Rationale
+The rationale behind using AWS EFS is to simplify and expedite the deployment of file systems, eliminating the need for manual configuration, patching, and maintenance. This allows you to focus on other critical aspects of your operations while benefiting from a reliable, scalable, and fully managed storage solution.
+## Impact
+Not using AWS EFS can lead to increased complexity and time-consuming manual management for configuration, patching, and maintenance. This raises the risk of human error, system downtime, and data loss, while also making it more challenging to scale your file systems efficiently.
+## Audit Procedure
+### Console
+1. Navigate to console - https://us-east-1.console.aws.amazon.com/efs/home?region=us-east-1#/get-started
+2. Select "Create File System". Give the file system a name and select the default VPC. Select "Create".
+3. Encrypting data at rest - The EFS is encrypted automatically upon creation.
+4. Attach the EFS to an EC2 instance.
+5. Navigate to file system details - Select the radio box next to the file system that was just created and select "view details".
+6. Creating an NFS directory on your EC2 instance - Launch your EC2 instance. Once connected, Type following command:
+   ```
+   sudo mkdir efs
+   ```
+   to create a new efs directory.
+7. Mounting an NFS directory on your EC2 instance - Navigate to find your EC2 DNS information. Paste this command into the console after making the efs directory:
+   ```
+   sudo mount -t nfs -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport mount-target-DNS:/ ~/efs-mount-point
+   ```
+   NOTE: The encryption takes place as soon as you mount the directory. This encrypts the data in transit.
+8. Terminating the EC2 instance - The EFS file system that was just mounted doesn't persist on reboot. You can consult the AWS documentation to see how you can write a script to automatically mount the file system upon every reboot.
+## Expected Result
+- EFS file system should be created successfully
+- Encryption at rest should be enabled by default
+- NFS directory should be created and mounted on EC2 instance
+- Data should be encrypted in transit when mounting
+## Remediation
+### Console
+To remediate the issues of manual file system management, follow these steps to create and use Amazon EFS:
+1. **Open the Amazon EFS Console**: Sign in to the AWS Management Console and navigate to the Amazon EFS service.
+2. **Create a New File System**: Click on "Create file system" to start the setup process.
+3. **Configure Settings**: Select your desired VPC, availability zones, throughput mode, and any additional settings like lifecycle management.
+4. **Set Up Access Points**: Configure access points to control permissions and simplify access management.
+5. **Review and Create**: Verify your settings and click "Create" to finalize the file system setup.
+6. **Mount the File System**: Use the provided mount targets and instructions to attach the file system to your EC2 instances or other resources.
+## Default Value
+By default, AWS does not automatically create or configure EFS file systems. Users must explicitly create EFS file systems and configure encryption, which is enabled by default upon creation.
+## References
+1. https://aws.amazon.com/efs/
+## CIS Controls
+| Controls Version | Control                                                                                                                                                                                                                                                                                                                                                                                                                                                            | IG 1 | IG 2 | IG 3 |
+| ---------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---- | ---- | ---- |
+| v8               | 3.11 Encrypt Sensitive Data at Rest<br/>Encrypt sensitive data at rest on servers, applications, and databases containing sensitive data. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data. |      | ●    | ●    |
+| v8               | 8.3 Ensure Adequate Audit Log Storage<br/>Ensure that logging destinations maintain adequate storage to comply with the enterprise's audit log management process.                                                                                                                                                                                                                                                                                                 | ●    | ●    | ●    |
+| v7               | 5.2 Maintain Secure Images<br/>Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.                                                                                                                                                                  |      | ●    | ●    |
+| v7               | 13.4 Only Allow Access to Authorized Cloud Storage or Email Providers<br/>Only allow access to authorized cloud storage or email providers.                                                                                                                                                                                                                                                                                                                        |      | ●    | ●    |
+## Profile
+Level 2

package/skill/CIS_benchmarks/AWS/CIS_AWS_Storage_Services_Benchmark_v1.0.0/cis-aws-storage-3.3/SKILL.md ADDED Viewed

@@ -0,0 +1,74 @@
+---
+name: cis-aws-storage-3.3
+description: "Ensure EFS and VPC Integration for redundancy and scalability"
+category: cis-storage-services
+version: "1.0.0"
+author: cyberstrike-official
+tags: [cis, aws, storage, efs, vpc, ec2, redundancy, scalability, availability]
+cis_id: "3.3"
+cis_benchmark: "CIS AWS Storage Services Benchmark v1.0.0"
+tech_stack: [aws]
+cwe_ids: []
+chains_with: [cis-aws-storage-3.1, cis-aws-storage-3.2, cis-aws-storage-3.7]
+prerequisites: []
+severity_boost: {}
+---
+# 3.3 Ensure EFS and VPC Integration (Manual)
+## Profile Applicability
+- Level 2
+## Description
+You can use EFS as a network file system across availability zones on a virtual private cloud. This capability allows the organization to create a highly available file sharing solution. Leveraging AWS VPC and EC2 in tandem with AWS EFS makes for a highly available and scalable cloud file storage solution.
+## Rationale
+Redundancy and scalability are crucial for maintaining uninterrupted services. By integrating these AWS services, users can harness the full power of AWS, ensuring a resilient and scalable infrastructure.
+## Impact
+Not integrating AWS services for redundancy and scalability can lead to service disruptions and increased downtime. This approach also limits your ability to efficiently handle growing workloads, negatively impacting performance and user experience.
+## Audit Procedure
+### Audit Procedures for AWS Redundancy and Scalability
+1. **Create Mount Targets in Each Availability Zone**: Ensure EFS is attached in each availability zone by creating mount targets in each subnet. Although multiple subnets can exist per availability zone, verify that EFS is configured to work with one subnet per zone to maintain redundancy.
+2. **Monitor EFS with CloudWatch**: Use AWS CloudWatch to automatically monitor your EFS service. Check that alarms are configured and logs and events are tracked effectively, providing real-time insights into the performance and health of your file systems.
+## Expected Result
+- Mount targets should exist in each availability zone
+- EFS should be configured for high availability across multiple subnets
+- CloudWatch monitoring should be enabled with appropriate alarms configured
+## Remediation
+### Console
+Create an EC2 instance in each availability zone within your VPC.
+## Default Value
+By default, AWS does not automatically create mount targets in all availability zones. Users must explicitly configure EFS mount targets for each desired availability zone to ensure redundancy.
+## References
+1. https://docs.aws.amazon.com/efs/latest/ug/how-it-works.html#how-it-works-conceptual
+## CIS Controls
+| Controls Version | Control                                                                                                                                                                                                                                                                                                                                                                                                                                                            | IG 1 | IG 2 | IG 3 |
+| ---------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---- | ---- | ---- |
+| v8               | 3.11 Encrypt Sensitive Data at Rest<br/>Encrypt sensitive data at rest on servers, applications, and databases containing sensitive data. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data. |      | ●    | ●    |
+| v8               | 16.7 Use Standard Hardening Configuration Templates for Application Infrastructure<br/>Use standard, industry-recommended hardening configuration templates for application infrastructure components. This includes underlying servers, databases, and web servers, and applies to cloud containers, Platform as a Service (PaaS) components, and SaaS components. Do not allow in-house developed software to weaken configuration hardening.                    |      | ●    | ●    |
+| v7               | 13.4 Only Allow Access to Authorized Cloud Storage or Email Providers<br/>Only allow access to authorized cloud storage or email providers.                                                                                                                                                                                                                                                                                                                        |      | ●    | ●    |
+| v7               | 14.6 Protect Information through Access Control Lists<br/>Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.                                                           | ●    | ●    | ●    |
+## Profile
+Level 2

package/skill/CIS_benchmarks/AWS/CIS_AWS_Storage_Services_Benchmark_v1.0.0/cis-aws-storage-3.4/SKILL.md ADDED Viewed

@@ -0,0 +1,74 @@
+---
+name: cis-aws-storage-3.4
+description: "Ensure controlling Network access to EFS Services"
+category: cis-storage-services
+version: "1.0.0"
+author: cyberstrike-official
+tags: [cis, aws, storage, efs, network-security, security-groups, nacl, iam]
+cis_id: "3.4"
+cis_benchmark: "CIS AWS Storage Services Benchmark v1.0.0"
+tech_stack: [aws]
+cwe_ids: []
+chains_with: [cis-aws-storage-3.5, cis-aws-storage-3.6, cis-aws-storage-3.8]
+prerequisites: []
+severity_boost: {}
+---
+# 3.4 Ensure controlling Network access to EFS Services (Manual)
+## Profile Applicability
+- Level 2
+## Description
+It's important that you secure access to your resources on your AWS VPC network. There are several ways to ensure that control what traffic is accessing your resources. Some of which include tightening down network layer security using a Security Group and a NACL within the VPC console. You can also tighten down Security Groups within your EC2 console and by using AWS IAM. Maintaining network security is a high priority to ensure that no unauthorized users can access the data stored on your EFS service.
+## Rationale
+Maintaining network security is a best practice essential for keeping your data safe and secure.
+## Impact
+Failing to maintain network security can lead to significant vulnerabilities, exposing your data to unauthorized access, breaches, and potential data loss. This can result in severe financial, operational, and reputational damage to your organization.
+## Audit Procedure
+### Console
+Verify that appropriate network access controls are implemented for EFS services:
+1. Review Security Groups and Network ACLs
+2. Verify IAM policies restrict EFS access appropriately
+3. Ensure only authorized traffic can reach EFS mount targets
+## Expected Result
+- Security Groups should restrict inbound traffic to necessary ports only
+- Network ACLs should be configured to control traffic to/from subnets
+- IAM policies should enforce least privilege access to EFS
+- No unauthorized network paths to EFS resources
+## Remediation
+### Console
+Implement network security access controls.
+## Default Value
+By default, AWS EFS mount targets inherit the security group of the VPC. Additional network access controls must be explicitly configured by the user.
+## References
+1. https://docs.aws.amazon.com/efs/latest/ug/NFS-access-control-efs.html
+## CIS Controls
+| Controls Version | Control                                                                                                                                                                                                                                           | IG 1 | IG 2 | IG 3 |
+| ---------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---- | ---- | ---- |
+| v8               | 3.3 Configure Data Access Control Lists<br/>Configure data access control lists based on a user's need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. | ●    | ●    | ●    |
+## Profile
+Level 2

package/skill/CIS_benchmarks/AWS/CIS_AWS_Storage_Services_Benchmark_v1.0.0/cis-aws-storage-3.5/SKILL.md ADDED Viewed

@@ -0,0 +1,79 @@
+---
+name: cis-aws-storage-3.5
+description: "Ensure using Security Groups for VPC to control EFS traffic"
+category: cis-storage-services
+version: "1.0.0"
+author: cyberstrike-official
+tags: [cis, aws, storage, efs, security-groups, vpc, network-security, traffic-control]
+cis_id: "3.5"
+cis_benchmark: "CIS AWS Storage Services Benchmark v1.0.0"
+tech_stack: [aws]
+cwe_ids: []
+chains_with: [cis-aws-storage-3.4, cis-aws-storage-3.6, cis-aws-storage-3.8]
+prerequisites: []
+severity_boost: {}
+---
+# 3.5 Ensure using Security Groups for VPC (Manual)
+## Profile Applicability
+- Level 2
+## Description
+A security group controls the traffic that is allowed to reach and leave the resources that it is associated with. For example, after you associate a security group with an EC2 instance, it controls the inbound and outbound traffic for the instance.
+## Rationale
+Security groups act as virtual firewalls to control network traffic to EFS mount targets, ensuring only authorized traffic can access the file system.
+## Impact
+Without properly configured security groups, EFS mount targets may be exposed to unauthorized network access, potentially leading to data breaches or service disruptions.
+## Audit Procedure
+### Console
+1. Go to https://console.aws.amazon.com/vpc/
+2. Navigate to Security Groups and select on the VPC that houses your mount target.
+3. Ensure that incoming traffic is restricted to SSH access on port 22 using TCP protocol and outbound traffic is accepting all traffic.
+## Expected Result
+- Security Groups should be configured to allow only necessary inbound traffic (e.g., SSH on port 22)
+- Outbound traffic rules should be appropriately configured
+- Security Groups should follow least privilege principle
+## Remediation
+### Console
+Configure security groups to restrict traffic appropriately:
+1. Navigate to VPC console
+2. Select Security Groups
+3. Configure inbound rules to allow only necessary traffic (e.g., SSH on port 22 using TCP)
+4. Configure outbound rules as needed
+5. Apply security groups to EFS mount targets
+## Default Value
+By default, the default security group for a VPC allows all inbound traffic from instances assigned to the same security group and all outbound traffic. Custom security groups must be explicitly configured for EFS mount targets.
+## References
+1. https://console.aws.amazon.com/vpc/
+## CIS Controls
+| Controls Version | Control                                                                                                                                                                                                                                                                                                        | IG 1 | IG 2 | IG 3 |
+| ---------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---- | ---- | ---- |
+| v8               | 6.7 Centralize Access Control<br/>Centralize access control for all enterprise assets through a directory service or SSO provider, where supported.                                                                                                                                                            |      | ●    | ●    |
+| v8               | 13.9 Deploy Port-Level Access Control<br/>Deploy port-level access control. Port-level access control utilizes 802.1x, or similar network access control protocols, such as certificates, and may incorporate user and/or device authentication.                                                               |      |      | ●    |
+| v7               | 1.7 Deploy Port Level Access Control<br/>Utilize port level access control, following 802.1x standards, to control which devices can authenticate to the network. The authentication system shall be tied into the hardware asset inventory data to ensure only authorized devices can connect to the network. |      | ●    | ●    |
+## Profile
+Level 2