Benchmark: 11.30 Controls for open systems
Description
Persons who use open systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, as appropriate, the confidentiality of electronic records from the point of their creation to the point of their receipt. Such procedures and controls shall include those identified in 11.10, as appropriate, and additional measures such as document encryption and use of appropriate digital signature standards to ensure, as necessary under the circumstances, record authenticity, integrity, and confidentiality.
Usage
Install the mod:
mkdir dashboardscd dashboardspowerpipe mod initpowerpipe mod install github.com/turbot/steampipe-mod-aws-complianceStart the Powerpipe server:
steampipe service startpowerpipe serverOpen http://localhost:9033 in your browser and select 11.30 Controls for open systems.
Run this benchmark in your terminal:
powerpipe benchmark run aws_compliance.benchmark.gxp_21_cfr_part_11_11_30Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_compliance.benchmark.gxp_21_cfr_part_11_11_30 --shareControls
- API Gateway stage should uses SSL certificate
- API Gateway stage cache encryption at rest should be enabled
- Backup recovery points should be encrypted
- CloudFront distributions should encrypt traffic to custom origins
- CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins
- CloudTrail trail logs should be encrypted with KMS CMK
- CloudTrail trail log file validation should be enabled
- CodeBuild project artifact encryption should be enabled
- CodeBuild project S3 logs should be encrypted
- DynamoDB table should be encrypted with AWS KMS
- Attached EBS volumes should have encryption enabled
- EBS default encryption should be enabled
- EFS file system encryption at rest should be enabled
- ELB application load balancers should redirect HTTP requests to HTTPS
- ELB application and network load balancers should only use SSL or HTTPS listeners
- ELB classic load balancers should use SSL certificates
- ELB classic load balancers should only use SSL or HTTPS listeners
- ES domain encryption at rest should be enabled
- Elasticsearch domain node-to-node encryption should be enabled
- Kinesis streams should have server side encryption enabled
- KMS CMK rotation should be enabled
- KMS keys should not be pending deletion
- Log group encryption at rest should be enabled
- OpenSearch domains should have encryption at rest enabled
- OpenSearch domains should use HTTPS
- OpenSearch domains node-to-node encryption should be enabled
- RDS DB snapshots should be encrypted at rest
- Redshift cluster encryption in transit should be enabled
- Redshift cluster audit logging and encryption should be enabled
- AWS Redshift clusters should be encrypted with KMS
- S3 bucket default encryption should be enabled
- S3 bucket default encryption should be enabled with KMS
- S3 buckets should enforce SSL
- SageMaker endpoint configuration encryption should be enabled
- SageMaker notebook instance encryption should be enabled
- Secrets Manager secrets should be encrypted using CMK
- SNS topics should be encrypted at rest