Benchmark: BP02 Analyze logs, findings, and metrics centrally
Description
Security operations teams rely on the collection of logs and the use of search tools to discover potential events of interest, which might indicate unauthorized activity or unintentional change. However, simply analyzing collected data and manually processing information is insufficient to keep up with the volume of information flowing from complex architectures. Analysis and reporting alone don’t facilitate the assignment of the right resources to work an event in a timely fashion.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-aws-well-architected
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select BP02 Analyze logs, findings, and metrics centrally.
Run this benchmark in your terminal:
powerpipe benchmark run aws_well_architected.benchmark.well_architected_framework_sec04_bp02
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_well_architected.benchmark.well_architected_framework_sec04_bp02 --share
Controls
- Elasticsearch domain should send logs to CloudWatch
- At least one multi-region AWS CloudTrail should be present in an account
- Database logging should be enabled
- VPC flow logs should be enabled
- Logging should be enabled on AWS WAFv2 regional and global web access control list (ACLs)
- At least one trail should be enabled with security best practices
- AWS Redshift audit logging should be enabled
- AWS Config should be enabled
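Each control above is backed by a Steampipe SQL query that returns one row per resource with the resource, status and reason columns Powerpipe expects. The query below is an added illustration of the "At least one multi-region AWS CloudTrail should be present in an account" check, not the mod's own query; it assumes the Steampipe AWS plugin's aws_cloudtrail_trail and aws_account tables with the columns used.

```sql
-- Added example (not the mod's query): flag accounts with no logging,
-- multi-region CloudTrail trail. Status values follow the Powerpipe
-- control convention ('ok' / 'alarm').
with multi_region_trails as (
  select
    account_id,
    count(*) as trail_count
  from
    aws_cloudtrail_trail
  where
    is_multi_region_trail
    and is_logging
    -- a multi-region trail is returned once per region it covers;
    -- restrict to the home region so each trail is counted once
    and region = home_region
  group by
    account_id
)
select
  a.arn as resource,
  case
    when coalesce(t.trail_count, 0) > 0 then 'ok'
    else 'alarm'
  end as status,
  case
    when coalesce(t.trail_count, 0) > 0
      then a.title || ' has ' || t.trail_count || ' logging multi-region trail(s).'
    else a.title || ' has no logging multi-region trail.'
  end as reason,
  a.account_id
from
  aws_account as a
  left join multi_region_trails as t on t.account_id = a.account_id;
```

Run it with `steampipe query` against the same connection the benchmark uses; an account row in alarm is the one the dashboard will report for this control.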