Benchmark: 2 Logging
Overview
This section contains recommendations for configuring AWS's account logging features.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-aws-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select 2 Logging.
Run this benchmark in your terminal:
powerpipe benchmark run aws_compliance.benchmark.cis_v120_2
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_compliance.benchmark.cis_v120_2 --share
Controls
- 2.1 Ensure CloudTrail is enabled in all regions
- 2.2 Ensure CloudTrail log file validation is enabled
- 2.3 Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible
- 2.4 Ensure CloudTrail trails are integrated with CloudWatch Logs
- 2.5 Ensure AWS Config is enabled in all regions
- 2.6 Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
- 2.7 Ensure CloudTrail logs are encrypted at rest using KMS CMKs
- 2.8 Ensure rotation for customer created CMKs is enabled
- 2.9 Ensure VPC flow logging is enabled in all VPCs
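The controls above are evaluated by the mod's own Steampipe SQL queries. The following is an added illustration, not code from steampipe-mod-aws-compliance, showing what the CloudTrail-related checks (2.1, 2.2, 2.4 and 2.7) actually test, encoded as Python over a constructed sample that mirrors the shape of the boto3 CloudTrail DescribeTrails, GetTrailStatus and GetEventSelectors responses. The trail names, ARNs and key ID are made up; the function names are this example's own. It also handles the edge case the per-trail controls would otherwise miss: an account with no trails at all.

```python
"""Offline evaluator for CIS AWS Foundations v1.2.0 controls 2.1, 2.2, 2.4, 2.7.

Added example, not the mod's queries. Each trail dict merges the fields a
practitioner would gather from DescribeTrails (Name, IsMultiRegionTrail,
LogFileValidationEnabled, CloudWatchLogsLogGroupArn, KmsKeyId), GetTrailStatus
(IsLogging, LatestCloudWatchLogsDeliveryTime) and GetEventSelectors
(EventSelectors). The two trails below are constructed sample data.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for the sample

SAMPLE_TRAILS: List[Dict] = [
    {  # a compliant organization-wide trail (constructed)
        "Name": "org-trail",
        "IsMultiRegionTrail": True,
        "IsLogging": True,
        "LogFileValidationEnabled": True,
        "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:111122223333:log-group:trail:*",
        "LatestCloudWatchLogsDeliveryTime": NOW - timedelta(hours=1),
        "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000",
        "EventSelectors": [{"ReadWriteType": "All", "IncludeManagementEvents": True}],
    },
    {  # a single-region, write-only trail with none of the hardening (constructed)
        "Name": "legacy-trail",
        "IsMultiRegionTrail": False,
        "IsLogging": True,
        "LogFileValidationEnabled": False,
        "CloudWatchLogsLogGroupArn": None,
        "LatestCloudWatchLogsDeliveryTime": None,
        "KmsKeyId": None,
        "EventSelectors": [{"ReadWriteType": "WriteOnly", "IncludeManagementEvents": True}],
    },
]


def covers_all_regions(trail: Dict) -> bool:
    """2.1: multi-region, currently logging, and capturing all management events."""
    if not (trail.get("IsMultiRegionTrail") and trail.get("IsLogging")):
        return False
    return any(
        sel.get("ReadWriteType") == "All" and sel.get("IncludeManagementEvents")
        for sel in trail.get("EventSelectors", [])
    )


def delivers_to_cloudwatch(trail: Dict, now: datetime = NOW) -> bool:
    """2.4: a log group is configured and logs were delivered within the last day."""
    last: Optional[datetime] = trail.get("LatestCloudWatchLogsDeliveryTime")
    if not trail.get("CloudWatchLogsLogGroupArn") or last is None:
        return False
    return now - last <= timedelta(days=1)


def evaluate_trail(trail: Dict, now: datetime = NOW) -> Dict[str, bool]:
    """Per-trail pass/fail for the four CloudTrail controls."""
    return {
        "2.1": covers_all_regions(trail),
        "2.2": bool(trail.get("LogFileValidationEnabled")),
        "2.4": delivers_to_cloudwatch(trail, now),
        "2.7": bool(trail.get("KmsKeyId")),
    }


def evaluate_account(trails: List[Dict], now: datetime = NOW) -> Dict:
    """2.1 is account-level: one trail covering all regions is enough.
    2.2, 2.4 and 2.7 are per-trail: every trail must pass. An account with
    no trails fails all four rather than passing the per-trail ones vacuously."""
    per_trail = {t["Name"]: evaluate_trail(t, now) for t in trails}
    if not per_trail:
        return {"2.1": False, "2.2": False, "2.4": False, "2.7": False, "per_trail": {}}
    return {
        "2.1": any(r["2.1"] for r in per_trail.values()),
        "2.2": all(r["2.2"] for r in per_trail.values()),
        "2.4": all(r["2.4"] for r in per_trail.values()),
        "2.7": all(r["2.7"] for r in per_trail.values()),
        "per_trail": per_trail,
    }


if __name__ == "__main__":
    for control, result in evaluate_account(SAMPLE_TRAILS).items():
        print(control, result)
```

Note that in the sample the account passes 2.1 because of org-trail but fails 2.2, 2.4 and 2.7 because legacy-trail drags the per-trail controls down; that is the same shape of result Powerpipe reports, where one non-compliant resource fails the control while the compliant resources still show as OK.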