S3 Origin Not Using Access Identity
CloudFront distributions that do not use an S3 Origin Access Identity require the S3 bucket to be configured for static website hosting, which splits access control between S3 and CloudFront and relies on unencrypted …
This control focuses on using firewalls and internet gateways to restrict inbound and outbound connections, reduce exposed services, and prevent unnecessary access to devices and networks. In Cyber Essentials terms, firewall rules should be deliberate, documented, and limited to genuine business need.
Fully open security groups admit traffic from the entire internet, including from geographic regions in which the business has no users or operations.
Instances in public subnets with no route to a NAT gateway need an Elastic IP to reach the internet, which exposes them directly to inbound internet traffic. This is a diminished security posture compared to …
An EC2 instance that uses a public IP address is connected directly to the internet, a vastly diminished security posture compared to available architectures utilising …
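The three EC2 networking findings above can be checked mechanically from the describe_* API responses. The following is an added example, not code from the original page or from any scanner: it flags security groups that admit every port from anywhere, lists each group's world-reachable port ranges, derives public subnets from route tables (a default route to an igw-* gateway) and reports instances that carry a public IP in such a subnet. Input dicts are assumed to be shaped like the boto3 responses of describe_security_groups, describe_route_tables and describe_instances; the group, subnet and instance IDs and addresses are constructed sample data.

```python
"""Added example: flag fully open security groups and instances sitting
directly on the internet. Input shapes follow boto3 EC2 describe_* responses;
all IDs and addresses below are constructed, not from a real account."""
import ipaddress

# Constructed sample data.
SECURITY_GROUPS = [
    # Wholly open: every protocol, every port, from anywhere.
    {"GroupId": "sg-0open", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    # World-reachable on 443 only: exposed, but not "fully open".
    {"GroupId": "sg-0web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    # Scoped to a documented corporate range (TEST-NET-3).
    {"GroupId": "sg-0corp", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
]
ROUTE_TABLES = [
    {"RouteTableId": "rtb-pub", "Associations": [{"SubnetId": "subnet-pub"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"}]},
    {"RouteTableId": "rtb-priv", "Associations": [{"SubnetId": "subnet-priv"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0abc"}]},
]
INSTANCES = [
    {"InstanceId": "i-bastion", "SubnetId": "subnet-pub",
     "PublicIpAddress": "198.51.100.10", "SecurityGroups": [{"GroupId": "sg-0open"}]},
    {"InstanceId": "i-app", "SubnetId": "subnet-priv",
     "SecurityGroups": [{"GroupId": "sg-0corp"}]},
]


def _sources(rule):
    """All CIDR sources of one ingress rule, IPv4 and IPv6."""
    return ([r["CidrIp"] for r in rule.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])])


def _is_world(cidr):
    """0.0.0.0/0 and ::/0 are the only networks with prefix length 0."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def _all_ports(rule):
    """Protocol -1 is every protocol; for tcp/udp a 0-65535 range is equivalent."""
    return rule["IpProtocol"] == "-1" or (
        rule.get("FromPort") == 0 and rule.get("ToPort") == 65535)


def fully_open_groups(groups):
    """Group IDs with an ingress rule admitting every port from anywhere."""
    return [g["GroupId"] for g in groups
            if any(_all_ports(r) and any(_is_world(c) for c in _sources(r))
                   for r in g["IpPermissions"])]


def world_exposed_ports(groups):
    """{GroupId: [(protocol, from_port, to_port), ...]} for world-open rules."""
    out = {}
    for g in groups:
        for r in g["IpPermissions"]:
            if any(_is_world(c) for c in _sources(r)):
                out.setdefault(g["GroupId"], []).append(
                    (r["IpProtocol"], r.get("FromPort"), r.get("ToPort")))
    return out


def public_subnets(route_tables):
    """Subnets whose default route points at an internet gateway (igw-*)."""
    public = set()
    for rt in route_tables:
        for route in rt["Routes"]:
            if (route.get("DestinationCidrBlock") == "0.0.0.0/0"
                    and route.get("GatewayId", "").startswith("igw-")):
                public.update(a["SubnetId"] for a in rt["Associations"] if "SubnetId" in a)
    return public


def directly_exposed_instances(instances, route_tables):
    """Instances holding a public IP inside a public subnet: reachable from the
    internet directly instead of via a load balancer, with egress via the IGW
    rather than a NAT gateway."""
    public = public_subnets(route_tables)
    return [i["InstanceId"] for i in instances
            if i.get("PublicIpAddress") and i["SubnetId"] in public]


if __name__ == "__main__":
    print("fully open groups:", fully_open_groups(SECURITY_GROUPS))
    print("world-exposed ports:", world_exposed_ports(SECURITY_GROUPS))
    print("public subnets:", sorted(public_subnets(ROUTE_TABLES)))
    print("directly exposed instances:", directly_exposed_instances(INSTANCES, ROUTE_TABLES))
```

Against the constructed data only sg-0open is fully open; sg-0web is reported separately as world-reachable on tcp/443, which is the distinction a reviewer needs when deciding whether a rule reflects genuine business need. The bastion is the only instance flagged, because it combines a public IP with a subnet whose default route goes to the internet gateway.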
CloudFront distributions that are not associated with an AWS WAF web ACL lack the managed rule protections, rate-based blocking and request-level logging that a web ACL provides.
CloudFront distributions with no geo restriction accept traffic from every location on the internet, including geographic regions from which legitimate business access is unlikely.
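The three CloudFront findings on this page (the S3 origin without an access identity at the top, and the missing WAF and missing geo restriction just above) can all be read off one distribution's configuration. The following is an added example, not code from the original page or from any scanner: it audits a config dict assumed to be shaped like the DistributionConfig returned by boto3's cloudfront.get_distribution_config(), and catches both ways an S3 origin can be reached without an identity: a REST endpoint origin whose S3OriginConfig has an empty OriginAccessIdentity and no OriginAccessControlId, and a website-endpoint origin, which CloudFront can only use as a custom HTTP origin against a publicly readable bucket. Both sample configs, including the bucket names, web ACL ARN and OAI ID, are constructed.

```python
"""Added example: audit a CloudFront DistributionConfig for an S3 origin
without OAI/OAC, a missing WAF web ACL and a missing geo restriction.
Shapes follow boto3 cloudfront.get_distribution_config()['DistributionConfig'];
both configs below are constructed, not from a real account."""
import re

# S3 website endpoints look like bucket.s3-website-eu-west-1.amazonaws.com or
# bucket.s3-website.eu-west-1.amazonaws.com. CloudFront can only reach them as
# a custom origin, so no origin access identity/control can apply.
WEBSITE_ENDPOINT = re.compile(r"\.s3-website[.-][a-z0-9-]+\.amazonaws\.com$")

WEAK_CONFIG = {
    "Origins": {"Quantity": 2, "Items": [
        # REST endpoint origin with the identity left empty.
        {"Id": "s3-assets", "DomainName": "assets-bucket.s3.amazonaws.com",
         "S3OriginConfig": {"OriginAccessIdentity": ""}},
        # Website endpoint origin: needs a public bucket, plain HTTP to origin.
        {"Id": "s3-site", "DomainName": "site-bucket.s3-website-eu-west-1.amazonaws.com",
         "CustomOriginConfig": {"OriginProtocolPolicy": "http-only"}},
    ]},
    "WebACLId": "",
    "Restrictions": {"GeoRestriction": {"RestrictionType": "none", "Quantity": 0, "Items": []}},
}

HARDENED_CONFIG = {
    "Origins": {"Quantity": 1, "Items": [
        {"Id": "s3-assets", "DomainName": "assets-bucket.s3.amazonaws.com",
         "S3OriginConfig": {"OriginAccessIdentity": "origin-access-identity/cloudfront/E1EXAMPLE"}},
    ]},
    "WebACLId": "arn:aws:wafv2:us-east-1:123456789012:global/webacl/example/1111",
    "Restrictions": {"GeoRestriction": {"RestrictionType": "whitelist", "Quantity": 2,
                                        "Items": ["GB", "IE"]}},
}


def s3_origins_without_identity(config):
    """Origin IDs whose S3 content CloudFront fetches without an OAI or OAC."""
    findings = []
    for origin in config["Origins"]["Items"]:
        if "S3OriginConfig" in origin:
            # REST endpoint: accept either the legacy OAI or the newer OAC.
            has_oai = bool(origin["S3OriginConfig"].get("OriginAccessIdentity"))
            has_oac = bool(origin.get("OriginAccessControlId"))
            if not (has_oai or has_oac):
                findings.append(origin["Id"])
        elif WEBSITE_ENDPOINT.search(origin["DomainName"]):
            # Website endpoint: no identity mechanism exists for this origin type.
            findings.append(origin["Id"])
    return findings


def missing_waf(config):
    """True when no AWS WAF web ACL is associated with the distribution."""
    return not config.get("WebACLId")


def geo_unrestricted(config):
    """True when requests are accepted from every country."""
    geo = config.get("Restrictions", {}).get("GeoRestriction", {})
    return geo.get("RestrictionType", "none") == "none"


def audit(config):
    """Human-readable findings for one distribution config."""
    findings = [f"origin {oid}: S3 content served without an origin access identity/control"
                for oid in s3_origins_without_identity(config)]
    if missing_waf(config):
        findings.append("no AWS WAF web ACL associated")
    if geo_unrestricted(config):
        findings.append("no geo restriction: accepts requests from every country")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or ["no findings"])
```

The weak config yields four findings (two origins, no WAF, no geo restriction) and the hardened config none. A geo whitelist is the check's notion of "restricted"; whether GB and IE are the right countries is a business decision the code cannot make, which is why audit() reports only presence or absence of a restriction.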