Benchmark: CC6.1 The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives
Description
Identifies and Manages the Inventory of Information Assets - The entity identifies, inventories, classifies, and manages information assets.
Restricts Logical Access - Logical access to information assets, including hardware, data (at-rest, during processing, or in transmission), software, administrative authorities, mobile devices, output, and offline system components is restricted through the use of access control software and rule sets.
Identifies and Authenticates Users - Persons, infrastructure and software are identified and authenticated prior to accessing information assets, whether locally or remotely.
Considers Network Segmentation - Network segmentation permits unrelated portions of the entity's information system to be isolated from each other.
Manages Points of Access - Points of access by outside entities and the types of data that flow through the points of access are identified, inventoried, and managed. The types of individuals and systems using each point of access are identified, documented, and managed.
Restricts Access to Information Assets - Combinations of data classification, separate data structures, port restrictions, access protocol restrictions, user identification, and digital certificates are used to establish access control rules for information assets.
Manages Identification and Authentication - Identification and authentication requirements are established, documented, and managed for individuals and systems accessing entity information, infrastructure and software.
Manages Credentials for Infrastructure and Software - New internal and external infrastructure and software are registered, authorized, and documented prior to being granted access credentials and implemented on the network or access point. Credentials are removed and access is disabled when access is no longer required or the infrastructure and software are no longer in use.
Uses Encryption to Protect Data - The entity uses encryption to supplement other measures used to protect data-at-rest, when such protections are deemed appropriate based on assessed risk.
Protects Encryption Keys - Processes are in place to protect encryption keys during generation, storage, use, and destruction.
Usage
Install the mod:
mkdir dashboardscd dashboardspowerpipe mod initpowerpipe mod install github.com/turbot/steampipe-mod-aws-complianceStart the Powerpipe server:
steampipe service startpowerpipe serverOpen http://localhost:9033 in your browser and select CC6.1 The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives.
Run this benchmark in your terminal:
powerpipe benchmark run aws_compliance.benchmark.soc_2_cc_6_1Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_compliance.benchmark.soc_2_cc_6_1 --shareControls
- ACM certificates should not expire within 30 days
- API Gateway stage cache encryption at rest should be enabled
- CloudTrail trail logs should be encrypted with KMS CMK
- DMS replication instances should not be publicly accessible
- Attached EBS volumes should have encryption enabled
- EBS snapshots should not be publicly restorable
- EBS default encryption should be enabled
- EC2 instances should be in a VPC
- EC2 instances should not have a public IP address
- EC2 instances should be managed by AWS Systems Manager
- EFS file system encryption at rest should be enabled
- ELB application load balancers should be drop HTTP headers
- ELB application load balancers should redirect HTTP requests to HTTPS
- ELB application load balancers should have Web Application Firewall (WAF) enabled
- ELB classic load balancers should use SSL certificates
- ELB classic load balancers should only use SSL or HTTPS listeners
- EMR cluster Kerberos should be enabled
- EMR cluster master nodes should not have public IP addresses
- ES domain encryption at rest should be enabled
- ES domains should be in a VPC
- Elasticsearch domain node-to-node encryption should be enabled
- IAM password policies for users should have strong configurations
- IAM groups should have at least one user
- IAM groups, users, and roles should not have any inline policies
- IAM policy should not have statements with admin access
- IAM root user should not have access keys
- IAM user access keys should be rotated at least every 90 days
- IAM users should be in at least one group
- IAM user should not have any inline or attached policies
- IAM user credentials that have not been used in 90 days should be disabled
- KMS keys should not be pending deletion
- Lambda functions should be in a VPC
- Lambda functions should restrict public access
- Log group encryption at rest should be enabled
- RDS DB instance encryption at rest should be enabled
- RDS DB instances should prohibit public access
- RDS DB snapshots should be encrypted at rest
- RDS snapshots should prohibit public access
- Redshift cluster encryption in transit should be enabled
- Redshift cluster audit logging and encryption should be enabled
- Redshift clusters should prohibit public access
- S3 bucket default encryption should be enabled
- S3 buckets should enforce SSL
- S3 bucket logging should be enabled
- S3 bucket object lock should be enabled
- S3 bucket policy should prohibit public access
- S3 buckets should prohibit public read access
- S3 buckets should prohibit public write access
- S3 public access should be blocked at account level
- SageMaker endpoint configuration encryption should be enabled
- SageMaker notebook instances should not have direct internet access
- SageMaker notebook instance encryption should be enabled
- Secrets Manager secrets should have automatic rotation enabled
- Secrets Manager secrets should be rotated as per the rotation schedule
- SNS topics should be encrypted at rest
- SSM managed instance associations should be compliant
- VPC default security group should not allow inbound and outbound traffic
- VPC EIPs should be associated with an EC2 instance or ENI
- VPC security groups should be associated with at least one ENI
- VPC security groups should restrict ingress access on ports 20, 21, 22, 3306, 3389, 4333 from 0.0.0.0/0
- VPC security groups should restrict ingress SSH access from 0.0.0.0/0
- VPC security groups should restrict ingress TCP and UDP access from 0.0.0.0/0