Benchmark: 4.6 Securely Manage Enterprise Assets and Software
Description
Securely manage enterprise assets and software. Example implementations include managing configuration through version-controlled-infrastructure-as-code and accessing administrative interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet (Teletype Network) and HTTP, unless operationally essential.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-aws-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select 4.6 Securely Manage Enterprise Assets and Software.
Run this benchmark in your terminal:
powerpipe benchmark run aws_compliance.benchmark.cis_controls_v8_ig1_4_6
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_compliance.benchmark.cis_controls_v8_ig1_4_6 --share
Controls
- AWS account should be part of AWS Organizations
- Auto Scaling groups with a load balancer should use health checks
- At least one multi-region AWS CloudTrail should be present in an account
- All S3 buckets should log S3 data events in CloudTrail
- CloudTrail trails should be integrated with CloudWatch logs
- CloudTrail trail logs should be encrypted with KMS CMK
- CloudTrail trail log file validation should be enabled
- Attached EBS volumes should have encryption enabled
- EBS encryption by default should be enabled
- EC2 instances should have IAM profile attached
- IAM password policies for users should have strong configurations
- IAM groups, users, and roles should not have any inline policies
- IAM policy should not have statements with admin access
- IAM root user hardware MFA should be enabled
- IAM root user MFA should be enabled
- IAM root user should not have access keys
- IAM users with console access should have MFA enabled
- IAM users should be in at least one group
- IAM user should not have any inline or attached policies
- KMS CMK rotation should be enabled
- S3 bucket cross-region replication should be enabled
- S3 bucket default encryption should be enabled
- S3 buckets should enforce SSL
- S3 bucket logging should be enabled
- S3 buckets should prohibit public read access
- S3 buckets should prohibit public write access
- S3 public access should be blocked at account level
- VPC default security group should not allow inbound and outbound traffic
- VPC flow logs should be enabled
- VPC security groups should restrict ingress SSH access from 0.0.0.0/0