NIST 800-53 r5 · Controls catalogue · Family SC
SC-7 Boundary Protection
a. Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system;
b. Implement subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and
c. Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.
(The physical-or-logical selection in part b is the organization-defined parameter sc-07_odp.)
Last updated: 19 May 2026 14:18 UTC
Implementations targeting this control (27)
Each entry: rule id · description · resource type · tags · CIS / Security Hub mappings where available.
- aws-config-s3-bucket-public-read-prohibited · S3 buckets prohibit public read access · AWS::S3::Bucket · partial · protect · enforce
- aws-config-s3-bucket-public-write-prohibited · S3 buckets prohibit public write access · AWS::S3::Bucket · partial · protect · enforce · CIS §2.1.4 · Security Hub S3.8
- aws-config-rds-instance-public-access-check · RDS instances are not publicly accessible · AWS::RDS::DBInstance · partial · protect · enforce · CIS v5 §2.2.3 · CIS v3 §2.3.3 · Security Hub RDS.2
- aws-config-rds-snapshots-public-prohibited · RDS snapshots are not publicly restorable · AWS::RDS::DBSnapshot · partial · recover · enforce
- aws-config-incoming-ssh-disabled · Security groups disallow unrestricted SSH ingress · AWS::EC2::SecurityGroup · encompass · protect · enforce
- aws-config-restricted-common-ports · Security groups do not allow unrestricted ingress to the configured common ports · AWS::EC2::SecurityGroup · partial · protect · enforce · CIS v5 §5.4 · CIS v3 §5.3 · Security Hub EC2.54
- aws-config-lambda-function-public-access-prohibited · Lambda function policies prohibit public invocation · AWS::Lambda::Function · partial · protect · enforce
- aws-config-autoscaling-launch-config-public-ip-disabled · Auto Scaling launch configurations do not assign public IPs · AWS::AutoScaling::AutoScalingGroup · partial · protect · enforce
- aws-config-dms-replication-not-public · DMS replication instances are not publicly accessible · AWS::DMS::ReplicationInstance · partial · recover · enforce
- aws-config-ebs-snapshot-public-restorable-check · EBS snapshots are not publicly restorable · AWS::EC2::Volume · partial · recover · enforce
- aws-config-ec2-instance-no-public-ip · EC2 instances have no public IP · AWS::EC2::Instance · partial · protect · enforce
- aws-config-ec2-instances-in-vpc · EC2 instances run inside a VPC · AWS::EC2::Instance · partial · protect · enforce
- aws-config-elasticsearch-in-vpc-only · Elasticsearch domains are deployed in a VPC only · AWS::OpenSearchService::Domain · partial · protect · enforce
- aws-config-emr-master-no-public-ip · EMR master nodes have no public IP · AWS::EMR::Cluster · partial · protect · enforce
- aws-config-lambda-inside-vpc · Lambda functions run inside a VPC · AWS::Lambda::Function · partial · protect · enforce
- aws-config-no-unrestricted-route-to-igw · Route tables have no unrestricted (0.0.0.0/0 or ::/0) route to an internet gateway · AWS::EC2::RouteTable · partial · protect · enforce
- aws-config-opensearch-in-vpc-only · OpenSearch domains are deployed in a VPC only · AWS::OpenSearchService::Domain · partial · protect · enforce
- aws-config-redshift-cluster-public-access-check · Redshift clusters are not publicly accessible · AWS::Redshift::Cluster · partial · protect · enforce
- aws-config-redshift-enhanced-vpc-routing-enabled · Redshift clusters have enhanced VPC routing enabled · AWS::Redshift::Cluster · partial · protect · enforce
- aws-config-restricted-ssh · Security groups restrict SSH ingress (AWS publishes this managed rule as restricted-ssh with the identifier INCOMING_SSH_DISABLED, so it overlaps the incoming-ssh-disabled entry above) · AWS::EC2::SecurityGroup · partial · protect · enforce · CIS v5 §5.3 · CIS v3 §5.2 · Security Hub EC2.53
- aws-config-s3-account-level-public-access-blocks-periodic · S3 account-level Block Public Access settings are enabled (periodic evaluation) · AWS::S3::Bucket · partial · protect · enforce · CIS §2.1.4 · Security Hub S3.1
- aws-config-s3-bucket-level-public-access-prohibited · S3 bucket-level Block Public Access settings are enabled · AWS::S3::Bucket · partial · protect · enforce
- aws-config-sagemaker-notebook-no-direct-internet-access · SageMaker notebook instances have no direct internet access · AWS::SageMaker::NotebookInstance · partial · protect · enforce
- aws-config-ssm-document-not-public · SSM documents are not shared publicly · AWS::SSM::Document · partial · protect · enforce
- aws-config-subnet-auto-assign-public-ip-disabled · Subnets do not auto-assign public IPs · AWS::EC2::Subnet · partial · protect · enforce
- aws-config-vpc-default-security-group-closed · VPC default security groups allow no inbound or outbound traffic · AWS::EC2::VPC · partial · protect · enforce · CIS v5 §5.5 · CIS v3 §5.4 · Security Hub EC2.2
- aws-config-vpc-sg-open-only-to-authorized-ports · VPC security groups allow unrestricted ingress only on authorized ports · AWS::EC2::VPC · partial · protect · enforce
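The list above names the checks but not how they decide. The following is an added example, not code from this catalogue or from AWS: it reimplements the decision logic of three of the rules (restricted-ssh / restricted-common-ports, vpc-default-security-group-closed and no-unrestricted-route-to-igw) over resource descriptions shaped like ec2 DescribeSecurityGroups and DescribeRouteTables output. All security groups, route tables, IDs and CIDRs below are constructed sample data; the function names are this example's own.

```python
"""Evaluate three of the SC-7 checks from the list above (restricted-ssh /
restricted-common-ports, vpc-default-security-group-closed and
no-unrestricted-route-to-igw) against constructed EC2 resource descriptions.
No AWS calls are made: every resource below is sample data invented for this
example, shaped like ec2:DescribeSecurityGroups / DescribeRouteTables output."""
from __future__ import annotations

import ipaddress


def is_world(cidr: str) -> bool:
    """A /0 prefix (0.0.0.0/0 or ::/0) is what the managed rules treat as 'anywhere'."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def permission_covers_port(perm: dict, port: int) -> bool:
    """IpProtocol -1 means all protocols and ports; tcp entries carry a port range."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def world_sources(perm: dict) -> list[str]:
    """Source CIDRs in this entry that are open to the whole internet (v4 or v6)."""
    v4 = [r["CidrIp"] for r in perm.get("IpRanges", []) if is_world(r["CidrIp"])]
    v6 = [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if is_world(r["CidrIpv6"])]
    return v4 + v6


def restricted_port(sg: dict, port: int) -> tuple[str, list[str]]:
    """restricted-ssh (port 22) / restricted-common-ports: NON_COMPLIANT when any
    ingress entry reaches `port` from a /0 source.  Returns verdict and findings."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        if permission_covers_port(perm, port):
            for src in world_sources(perm):
                findings.append(f"{src} reaches port {port} via {perm['IpProtocol']}")
    return ("NON_COMPLIANT" if findings else "COMPLIANT", findings)


def default_sg_closed(sg: dict) -> str:
    """vpc-default-security-group-closed: the VPC default group must carry no
    ingress and no egress rules at all; other groups are out of scope."""
    if sg.get("GroupName") != "default":
        return "NOT_APPLICABLE"
    if sg.get("IpPermissions") or sg.get("IpPermissionsEgress"):
        return "NON_COMPLIANT"
    return "COMPLIANT"


def unrestricted_route_to_igw(route_table: dict) -> str:
    """no-unrestricted-route-to-igw: a /0 destination whose target is an internet
    gateway (igw-...) makes the table NON_COMPLIANT; a NAT gateway route does not."""
    for route in route_table.get("Routes", []):
        dest = route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")
        if dest and is_world(dest) and route.get("GatewayId", "").startswith("igw-"):
            return "NON_COMPLIANT"
    return "COMPLIANT"


# Constructed sample resources (IDs, names and CIDRs are made up for the example).
SAMPLE_SGS = {
    "sg-open-ssh": {"GroupName": "bastion", "IpPermissionsEgress": [], "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 20, "ToPort": 25,   # range covers 22
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    "sg-all-v6": {"GroupName": "legacy", "IpPermissionsEgress": [], "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    "sg-internal-ssh": {"GroupName": "app", "IpPermissionsEgress": [], "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    "sg-default-dirty": {"GroupName": "default", "IpPermissions": [], "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
}
SAMPLE_ROUTE_TABLES = {
    "rtb-public": {"Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                              {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"}]},
    "rtb-private": {"Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                               {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0def"}]},
}


def evaluate_samples() -> dict[str, str]:
    """Run every check over the sample resources; keys are '<rule>:<resource id>'."""
    results: dict[str, str] = {}
    for sg_id, sg in SAMPLE_SGS.items():
        results[f"restricted-ssh:{sg_id}"] = restricted_port(sg, 22)[0]
        results[f"default-sg-closed:{sg_id}"] = default_sg_closed(sg)
    for rtb_id, rtb in SAMPLE_ROUTE_TABLES.items():
        results[f"no-unrestricted-route-to-igw:{rtb_id}"] = unrestricted_route_to_igw(rtb)
    return results


if __name__ == "__main__":
    for check, verdict in evaluate_samples().items():
        print(f"{verdict:14} {check}")
```

Two details matter in practice and are easy to get wrong in home-grown checks: a port range such as 20-25 or an IpProtocol of -1 opens port 22 just as surely as an explicit 22, and a 0.0.0.0/0 route to a NAT gateway is not the same exposure as one to an internet gateway. This is a simplification of the AWS-managed rules (restricted-common-ports takes its port list from blockedPort parameters, and live evaluations also see prefix-list and security-group-referenced sources, which can never be /0); to run the same logic on real data, feed it the JSON from aws ec2 describe-security-groups and describe-route-tables.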
ATT&CK techniques this control mitigates (156)
- T1001 Data Obfuscation Command and Control
- T1001.001 Junk Data Command and Control
- T1001.002 Steganography Command and Control
- T1001.003 Protocol or Service Impersonation Command and Control
- T1008 Fallback Channels Command and Control
- T1020.001 Traffic Duplication Exfiltration
- T1021.001 Remote Desktop Protocol Lateral Movement
- T1021.002 SMB/Windows Admin Shares Lateral Movement
- T1021.003 Distributed Component Object Model Lateral Movement
- T1021.005 VNC Lateral Movement
- T1021.006 Windows Remote Management Lateral Movement
- T1029 Scheduled Transfer Exfiltration
- T1030 Data Transfer Size Limits Exfiltration
- T1036.008 Masquerade File Type Stealth
- T1041 Exfiltration Over C2 Channel Exfiltration
- T1046 Network Service Discovery Discovery
- T1048 Exfiltration Over Alternative Protocol Exfiltration
- T1048.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol Exfiltration
- T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol Exfiltration
- T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol Exfiltration
- T1055 Process Injection Stealth, Privilege Escalation
- T1055.001 Dynamic-link Library Injection Stealth, Privilege Escalation
- T1055.002 Portable Executable Injection Stealth, Privilege Escalation
- T1055.003 Thread Execution Hijacking Stealth, Privilege Escalation
- T1055.004 Asynchronous Procedure Call Stealth, Privilege Escalation
- T1055.005 Thread Local Storage Stealth, Privilege Escalation
- T1055.008 Ptrace System Calls Stealth, Privilege Escalation
- T1055.009 Proc Memory Stealth, Privilege Escalation
- T1055.011 Extra Window Memory Injection Stealth, Privilege Escalation
- T1055.012 Process Hollowing Stealth, Privilege Escalation
- T1055.013 Process Doppelgänging Stealth, Privilege Escalation
- T1055.014 VDSO Hijacking Stealth, Privilege Escalation
- T1068 Exploitation for Privilege Escalation Privilege Escalation
- T1071 Application Layer Protocol Command and Control
- T1071.001 Web Protocols Command and Control
- T1071.002 File Transfer Protocols Command and Control
- T1071.003 Mail Protocols Command and Control
- T1071.004 DNS Command and Control
- T1071.005 Publish/Subscribe Protocols Command and Control
- T1072 Software Deployment Tools Execution, Lateral Movement
- T1078 Valid Accounts Stealth, Persistence, Privilege Escalation, Initial Access
- T1080 Taint Shared Content Lateral Movement
- T1090 Proxy Command and Control
- T1090.001 Internal Proxy Command and Control
- T1090.002 External Proxy Command and Control
- T1090.003 Multi-hop Proxy Command and Control
- T1095 Non-Application Layer Protocol Command and Control
- T1098 Account Manipulation Persistence, Privilege Escalation
- T1098.001 Additional Cloud Credentials Persistence, Privilege Escalation
- T1102 Web Service Command and Control
Weaknesses this control addresses (8) · AI
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces the exploitability of each weakness class; note that boundary protection does not remove the weakness from the code, it limits who can reach it, so it is a compensating layer rather than a fix.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-862 | Missing Authorization | 8,796 | The application still lacks the check; SC-7 forces all external access through managed boundaries, so an unauthorized internal function is reachable only by sources the boundary already admits. |
| CWE-284 | Improper Access Control | 4,905 | Boundary devices and interface controls enforce network-level access restrictions between spheres, a coarse layer that holds even when the application's own checks fail. |
| CWE-863 | Incorrect Authorization | 3,303 | Incorrect authorization decisions are bounded or detected at external and key internal managed interfaces, for example by limiting which sources may reach an administrative interface at all. |
| CWE-918 | Server-Side Request Forgery (SSRF) | 2,947 | Outbound connections can be monitored and limited at the boundary, so a forged server-side request reaches fewer internal or external destinations and the SSRF's impact is reduced. |
| CWE-306 | Missing Authentication for Critical Function | 2,600 | Publicly accessible components are isolated in separate subnetworks, so a critical function that lacks authentication is reachable only through controlled interfaces rather than from the internet. |
| CWE-285 | Improper Authorization | 1,252 | Communications are permitted only through managed boundary devices and segmented subnetworks, adding a network-layer authorization decision in front of the application's. |
| CWE-668 | Exposure of Resource to Wrong Sphere | 788 | Internal resources are kept in separate network spheres from externally accessible components; the VPC-only and no-public-IP checks above implement exactly this. |
| CWE-923 | Improper Restriction of Communication Channel to Intended Endpoints | 57 | The control explicitly requires that all external connections use managed boundary devices that restrict channels to their intended endpoints. |
Top CVEs where this control is the strongest mitigation
KEV marks entries listed in CISA's Known Exploited Vulnerabilities catalog.
| CVE | Flags | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|---|
| CVE-2025-0108 | KEV | 9.5 | 9.1 | 0.9412 | good |
| CVE-2025-34221 | | 2.2 | 9.8 | 0.0365 | good |
| CVE-2025-7206 | | 2.1 | 9.8 | 0.0295 | good |
| CVE-2025-35051 | UPD | 2.0 | 9.8 | 0.0033 | good |
| CVE-2025-54304 | | 2.0 | 9.8 | 0.0009 | good |
| CVE-2026-23767 | | 2.0 | 9.8 | 0.0007 | good |
| CVE-2025-64123 | | 2.0 | 9.8 | 0.0008 | good |
| CVE-2025-34218 | | 2.0 | 9.8 | 0.0073 | good |
| CVE-2026-34205 | | 1.9 | 9.6 | 0.0005 | good |
| CVE-2021-4477 | | 1.8 | 9.1 | 0.0000 | good |
| CVE-2026-4475 | UPD | 1.8 | 8.8 | 0.0003 | good |
| CVE-2025-34202 | | 1.8 | 8.8 | 0.0050 | good |
| CVE-2026-27466 | | 1.5 | 7.2 | 0.0018 | good |
| CVE-2024-50954 | | 1.5 | 7.5 | 0.0031 | good |
| CVE-2026-26025 | | 1.5 | 7.5 | 0.0009 | good |
| CVE-2026-26024 | | 1.5 | 7.5 | 0.0009 | good |
| CVE-2026-25501 | | 1.5 | 7.5 | 0.0008 | good |
| CVE-2025-66049 | | 1.5 | 7.5 | 0.0008 | good |
| CVE-2026-27850 | | 1.5 | 7.5 | 0.0005 | good |
| CVE-2025-2747 | KEV | 9.4 | 9.8 | 0.9093 | good |
| CVE-2025-61882 | KEV | 9.3 | 9.8 | 0.8880 | partial |
| CVE-2025-53770 | KEV | 9.3 | 9.8 | 0.8818 | good |
| CVE-2025-1974 | | 7.4 | 9.8 | 0.9113 | good |
| CVE-2025-29927 | | 7.3 | 9.1 | 0.9212 | good |
| CVE-2026-35616 | KEV | 6.6 | 9.8 | 0.4481 | good |