Benchmark: 11.10(e) Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records
Description
Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls shall include the following: (e) Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-aws-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select 11.10(e) Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records.
Run this benchmark in your terminal:
powerpipe benchmark run aws_compliance.benchmark.gxp_21_cfr_part_11_11_10_e
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_compliance.benchmark.gxp_21_cfr_part_11_11_10_e --share
Controls
- API Gateway stage logging should be enabled
- At least one multi-region AWS CloudTrail should be present in an account
- All S3 buckets should log S3 data events in CloudTrail
- At least one enabled trail should be present in a region
- CloudTrail trails should be integrated with CloudWatch logs
- Log group retention period should be at least 365 days
- DynamoDB tables should be in a backup plan
- DynamoDB table point-in-time recovery should be enabled
- EBS volumes should be in a backup plan
- EC2 instance should have EBS optimization enabled
- EFS file systems should be in a backup plan
- ElastiCache Redis cluster automatic backup should be enabled with a retention period of 15 days or greater
- ELB application and classic load balancer logging should be enabled
- Elasticsearch domain should send logs to CloudWatch
- OpenSearch domains should have audit logging enabled
- OpenSearch domains should send logs to AWS CloudWatch Logs
- RDS DB instance backup should be enabled
- RDS DB instances should be in a backup plan
- Database logging should be enabled
- AWS Redshift audit logging should be enabled
- AWS Redshift clusters should have automatic snapshots enabled
- Redshift cluster audit logging and encryption should be enabled
- S3 bucket cross-region replication should be enabled
- S3 bucket logging should be enabled
- S3 bucket versioning should be enabled
- VPC flow logs should be enabled
- Logging should be enabled on AWS WAFv2 regional and global web access control lists (ACLs)