Benchmark: A1.2 The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives
Description
Identifies Environmental Threats - As part of the risk assessment process, management identifies environmental threats that could impair the availability of the system, including threats resulting from adverse weather, failure of environmental control systems, electrical discharge, fire, and water.
Designs Detection Measures - Detection measures are implemented to identify anomalies that could result from environmental threat events.
Implements and Maintains Environmental Protection Mechanisms - Management implements and maintains environmental protection mechanisms to prevent and mitigate against environmental events.
Implements Alerts to Analyze Anomalies - Management implements alerts that are communicated to personnel for analysis to identify environmental threat events.
Responds to Environmental Threat Events - Procedures are in place for responding to environmental threat events and for evaluating the effectiveness of those policies and procedures on a periodic basis. This includes automatic mitigation systems (for example, uninterruptable power system and generator back-up subsystem).
Communicates and Reviews Detected Environmental Threat Events - Detected environmental threat events are communicated to and reviewed by the individuals responsible for the management of the system, and actions are taken, if necessary.
Determines Data Requiring Backup - Data is evaluated to determine whether backup is required.
Performs Data Backup - Procedures are in place for backing up data, monitoring to detect back-up failures, and initiating corrective action when such failures occur.
Addresses Offsite Storage - Back-up data is stored in a location at a distance from its principal storage location sufficient that the likelihood of a security or environmental threat event affecting both sets of data is reduced to an appropriate level.
Implements Alternate Processing Infrastructure - Measures are implemented for migrating processing to alternate infrastructure in the event normal processing infrastructure becomes unavailable.
Usage
Install the mod:
mkdir dashboardscd dashboardspowerpipe mod initpowerpipe mod install github.com/turbot/steampipe-mod-aws-complianceStart the Powerpipe server:
steampipe service startpowerpipe serverOpen http://localhost:9033 in your browser and select A1.2 The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives.
Run this benchmark in your terminal:
powerpipe benchmark run aws_compliance.benchmark.soc_2_a_1_2Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_compliance.benchmark.soc_2_a_1_2 --shareControls
- API Gateway stage logging should be enabled
- Backup plan min frequency and min retention check
- Backup recovery points should be encrypted
- Backup recovery points manual deletion should be disabled
- Backup recovery points should not expire before retention period
- At least one multi-region AWS CloudTrail should be present in an account
- At least one enabled trail should be present in a region
- CloudTrail trails should be integrated with CloudWatch logs
- DynamoDB tables should be in a backup plan
- DynamoDB table point-in-time recovery should be enabled
- DynamoDB table should be protected by backup plan
- EBS volumes should be in a backup plan
- EBS volumes should be protected by a backup plan
- EC2 instance should have EBS optimization enabled
- EC2 instances should be protected by backup plan
- EFS file systems should be in a backup plan
- EFS file systems should be protected by backup plan
- ElastiCache Redis cluster automatic backup should be enabled with retention period of 15 days or greater
- ELB application and classic load balancer logging should be enabled
- FSx file system should be protected by backup plan
- RDS Aurora clusters should be protected by backup plan
- RDS DB instance backup should be enabled
- RDS DB instances should be in a backup plan
- Database logging should be enabled
- RDS DB instance should be protected by backup plan
- AWS Redshift clusters should have automatic snapshots enabled
- S3 bucket cross-region replication should be enabled
- S3 bucket versioning should be enabled
- WAF web ACL logging should be enabled
- Logging should be enabled on AWS WAFv2 regional and global web access control list (ACLs)