Benchmark: 3.8.9 Protect the confidentiality of backup CUI at storage locations
Description
Organizations can employ cryptographic mechanisms or alternative physical controls to protect the confidentiality of backup information at designated storage locations. Backed-up information containing CUI may include system-level information and user-level information. System-level information includes system-state information, operating system software, application software, and licenses. User-level information includes information other than system-level information.
Usage
Install the mod:
mkdir dashboardscd dashboardspowerpipe mod initpowerpipe mod install github.com/turbot/steampipe-mod-aws-compliance
Start the Powerpipe server:
steampipe service startpowerpipe server
Open http://localhost:9033 in your browser and select 3.8.9 Protect the confidentiality of backup CUI at storage locations.
Run this benchmark in your terminal:
powerpipe benchmark run aws_compliance.benchmark.nist_800_171_rev_2_3_8_9
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_compliance.benchmark.nist_800_171_rev_2_3_8_9 --share
Controls
- Backup plan min frequency and min retention check
- Backup recovery points should be encrypted
- Backup recovery points manual deletion should be disabled
- Backup recovery points should not expire before retention period
- DynamoDB tables should be in a backup plan
- DynamoDB table point-in-time recovery should be enabled
- DynamoDB table should be protected by backup plan
- EBS volumes should be in a backup plan
- EBS volumes should be protected by a backup plan
- EC2 instances should be protected by backup plan
- EFS file systems should be in a backup plan
- EFS file systems should be protected by backup plan
- ElastiCache Redis cluster automatic backup should be enabled with retention period of 15 days or greater
- FSx file system should be protected by backup plan
- RDS Aurora clusters should be protected by backup plan
- RDS DB instance backup should be enabled
- RDS DB instances should be in a backup plan
- RDS DB instance should be protected by backup plan
- AWS Redshift clusters should have automatic snapshots enabled
- S3 bucket cross-region replication should be enabled