Benchmark: 3.12.1 Periodically assess the security controls in organizational systems to determine if the controls are effective in their application
Description
Organizations assess security controls in organizational systems and the environments in which those systems operate as part of the system development life cycle. Security controls are the safeguards or countermeasures organizations implement to satisfy security requirements. By assessing the implemented security controls, organizations determine if the security safeguards or countermeasures are in place and operating as intended. Security control assessments ensure that information security is built into organizational systems; identify weaknesses and deficiencies early in the development process; provide essential information needed to make risk-based decisions; and ensure compliance to vulnerability mitigation procedures. Assessments are conducted on the implemented security controls as documented in system security plans.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-aws-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select 3.12.1 Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.
Run this benchmark in your terminal:
powerpipe benchmark run aws_compliance.benchmark.nist_800_171_rev_2_3_12_1
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_compliance.benchmark.nist_800_171_rev_2_3_12_1 --share
Controls
- Ensure the S3 bucket CloudTrail logs to is not publicly accessible
- CloudTrail trails should be enabled in all regions
- Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
- CloudTrail trails should be integrated with CloudWatch logs
- CloudTrail trail logs should be encrypted with KMS CMK
- CloudTrail trail log file validation should be enabled
- CloudWatch alarm should have an action configured
- AWS Config should be enabled
- EC2 instance detailed monitoring should be enabled
- GuardDuty should be enabled
- KMS CMK rotation should be enabled
- Ensure a log metric filter and alarm exist for S3 bucket policy changes
- Ensure a log metric filter and alarm exist for CloudTrail configuration changes
- Ensure a log metric filter and alarm exist for AWS Config configuration changes
- Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
- Ensure a log metric filter and alarm exist for AWS Management Console sign-in without MFA
- Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer managed keys
- Ensure a log metric filter and alarm exist for IAM policy changes
- Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)
- Ensure a log metric filter and alarm exist for changes to network gateways
- Ensure a log metric filter and alarm exist for usage of 'root' account
- Ensure a log metric filter and alarm exist for route table changes
- Ensure a log metric filter and alarm exist for security group changes
- Ensure a log metric filter and alarm exist for unauthorized API calls
- Ensure a log metric filter and alarm exist for VPC changes
- RDS DB instance and cluster enhanced monitoring should be enabled
- AWS Security Hub should be enabled for an AWS Account
- VPC flow logs should be enabled