Benchmark: 7.1 Data Storage - Damage Protection
Description
Data should be secured by both physical and electronic means against damage. Stored data should be checked for accessibility, readability and accuracy. Access to data should be ensured throughout the retention period.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-aws-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select 7.1 Data Storage - Damage Protection.
Run this benchmark in your terminal:
powerpipe benchmark run aws_compliance.benchmark.gxp_eu_annex_11_operational_phase_7_1
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_compliance.benchmark.gxp_eu_annex_11_operational_phase_7_1 --share
Controls
- API Gateway stage cache encryption at rest should be enabled
- CloudFront distributions should encrypt traffic to custom origins
- CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins
- CloudTrail trail logs should be encrypted with KMS CMK
- CodeBuild project artifact encryption should be enabled
- CodeBuild project S3 logs should be encrypted
- DynamoDB Accelerator (DAX) clusters should be encrypted at rest
- DynamoDB table should be encrypted with AWS KMS
- DynamoDB table should have encryption enabled
- DynamoDB tables should be in a backup plan
- DynamoDB table point-in-time recovery should be enabled
- Attached EBS volumes should have encryption enabled
- EBS volumes should be in a backup plan
- EBS default encryption should be enabled
- EC2 instance should have EBS optimization enabled
- EFS file system encryption at rest should be enabled
- EFS file systems should be in a backup plan
- EKS clusters should be configured to have kubernetes secrets encrypted using KMS
- ElastiCache Redis cluster automatic backup should be enabled with retention period of 15 days or greater
- ELB application and network load balancers should only use SSL or HTTPS listeners
- ES domain encryption at rest should be enabled
- Kinesis streams should have server side encryption enabled
- Log group encryption at rest should be enabled
- OpenSearch domains should have encryption at rest enabled
- OpenSearch domains should use HTTPS
- OpenSearch domains node-to-node encryption should be enabled
- RDS DB instance backup should be enabled
- RDS DB instance encryption at rest should be enabled
- RDS DB instances should be in a backup plan
- RDS DB snapshots should be encrypted at rest
- AWS Redshift clusters should have automatic snapshots enabled
- Redshift cluster audit logging and encryption should be enabled
- S3 bucket cross-region replication should be enabled
- S3 bucket default encryption should be enabled
- S3 bucket default encryption should be enabled with KMS
- S3 bucket versioning should be enabled
- SageMaker endpoint configuration encryption should be enabled
- SageMaker notebook instance encryption should be enabled
- Secrets Manager secrets should be encrypted using CMK
- SNS topics should be encrypted at rest
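Each control above is a Powerpipe control backed by a SQL query against Steampipe's AWS tables. As an added illustration, not a definition taken from steampipe-mod-aws-compliance, here is how one of them, "S3 bucket versioning should be enabled", can be written; the control name is a placeholder chosen here, while aws_s3_bucket and versioning_enabled are the Steampipe AWS plugin's table and column names, and the resource/status/reason columns are the standard contract every Powerpipe control query must return.

```hcl
# Added example, not the mod's own definition: a Powerpipe control that
# implements "S3 bucket versioning should be enabled". The control name is a
# placeholder; aws_s3_bucket and versioning_enabled come from the Steampipe AWS plugin.
control "s3_bucket_versioning_enabled_example" {
  title       = "S3 bucket versioning should be enabled"
  description = "Versioning retains prior object versions so accidental or malicious overwrites and deletes can be rolled back, which supports the damage-protection requirement of Annex 11 section 7.1."

  # Powerpipe requires three columns from a control query: resource (what was
  # checked), status ('ok', 'alarm', 'info', 'skip' or 'error') and reason.
  # Any further columns (here region and account_id) are reported as dimensions.
  sql = <<-EOQ
    select
      arn as resource,
      case
        when versioning_enabled then 'ok'
        else 'alarm'
      end as status,
      case
        when versioning_enabled then name || ' versioning enabled.'
        else name || ' versioning disabled.'
      end as reason,
      region,
      account_id
    from
      aws_s3_bucket;
  EOQ
}
```

Placed in a mod file in the dashboards directory created above, the control runs on its own with powerpipe control run s3_bucket_versioning_enabled_example and reports one row per bucket, with every bucket whose versioning is off in alarm.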