Benchmark: ACSC-EE-ML2-7.7: Multi-factor authentication ML2
Description
Successful and unsuccessful multi-factor authentication events are logged. The controls mapped to this requirement check that the AWS logging sources that would record such events (CloudTrail, service access logs, flow logs and so on) are enabled; they do not inspect individual authentication events.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-aws-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select ACSC-EE-ML2-7.7: Multi-factor authentication ML2.
Run this benchmark in your terminal:
powerpipe benchmark run aws_compliance.benchmark.acsc_essential_eight_ml_2_7_7
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_compliance.benchmark.acsc_essential_eight_ml_2_7_7 --share
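The benchmark above only verifies that logging is switched on. To see what a logged MFA event actually looks like once CloudTrail is enabled, here is an added example (not code from the Steampipe mod or this page) that parses constructed CloudTrail ConsoleLogin records and separates successful and failed sign-ins by whether AWS prompted for MFA. The field names (responseElements.ConsoleLogin, additionalEventData.MFAUsed) are CloudTrail's own; the account number, user names and timestamps are made up for the sample.

```python
"""Classify constructed CloudTrail ConsoleLogin events by outcome and MFA use.

Added example; not code from the Steampipe mod or the ACSC benchmark. CloudTrail
records each console sign-in as a ConsoleLogin event in which
responseElements.ConsoleLogin is "Success" or "Failure" and
additionalEventData.MFAUsed is "Yes" or "No". The records below are constructed
samples in CloudTrail's S3 delivery envelope ({"Records": [...]}), not captures.
"""
import json
from collections import Counter

# Constructed sample: four ConsoleLogin events plus one unrelated API call.
SAMPLE_LOG = """{"Records": [
  {"eventVersion": "1.08", "eventTime": "2024-05-01T08:00:00Z", "eventSource": "signin.amazonaws.com",
   "eventName": "ConsoleLogin",
   "userIdentity": {"type": "IAMUser", "userName": "alice", "arn": "arn:aws:iam::111111111111:user/alice"},
   "responseElements": {"ConsoleLogin": "Success"},
   "additionalEventData": {"MFAUsed": "Yes", "MobileVersion": "No"}},
  {"eventVersion": "1.08", "eventTime": "2024-05-01T08:05:00Z", "eventSource": "signin.amazonaws.com",
   "eventName": "ConsoleLogin",
   "userIdentity": {"type": "IAMUser", "userName": "bob", "arn": "arn:aws:iam::111111111111:user/bob"},
   "responseElements": {"ConsoleLogin": "Success"},
   "additionalEventData": {"MFAUsed": "No", "MobileVersion": "No"}},
  {"eventVersion": "1.08", "eventTime": "2024-05-01T08:07:00Z", "eventSource": "signin.amazonaws.com",
   "eventName": "ConsoleLogin",
   "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111111111111:root"},
   "responseElements": {"ConsoleLogin": "Failure"},
   "errorMessage": "Failed authentication",
   "additionalEventData": {"MFAUsed": "No", "MobileVersion": "No"}},
  {"eventVersion": "1.08", "eventTime": "2024-05-01T08:10:00Z", "eventSource": "signin.amazonaws.com",
   "eventName": "ConsoleLogin",
   "userIdentity": {"type": "AssumedRole",
                    "arn": "arn:aws:sts::111111111111:assumed-role/AWSReservedSSO_Admin_abc123/carol"},
   "responseElements": {"ConsoleLogin": "Success"},
   "additionalEventData": {"MFAUsed": "No", "MobileVersion": "No"}},
  {"eventVersion": "1.08", "eventTime": "2024-05-01T08:11:00Z", "eventSource": "sts.amazonaws.com",
   "eventName": "GetCallerIdentity",
   "userIdentity": {"type": "IAMUser", "userName": "alice", "arn": "arn:aws:iam::111111111111:user/alice"}}
]}"""

# Identity types whose MFA is enforced by an external identity provider, so AWS
# reports MFAUsed "No" even when the user did complete MFA at the IdP.
FEDERATED_TYPES = {"AssumedRole", "FederatedUser"}


def load_records(text):
    """Parse a CloudTrail delivery file body and return its list of records."""
    return json.loads(text)["Records"]


def classify_console_login(event):
    """Return (outcome, mfa_used) for a ConsoleLogin event, or None for any other event."""
    if event.get("eventName") != "ConsoleLogin":
        return None
    outcome = event.get("responseElements", {}).get("ConsoleLogin", "Unknown")
    mfa_used = event.get("additionalEventData", {}).get("MFAUsed", "Unknown")
    return outcome, mfa_used


def summarize(records):
    """Count ConsoleLogin events by (outcome, MFAUsed); non-login events are ignored."""
    counts = Counter()
    for event in records:
        result = classify_console_login(event)
        if result is not None:
            counts[result] += 1
    return counts


def non_mfa_successes(records):
    """ARNs of IAM users or root that signed in successfully without MFA.

    Federated identities are left out because their MFA decision is made by the
    IdP and is not visible in this field; review those against the IdP's logs.
    """
    findings = []
    for event in records:
        if classify_console_login(event) != ("Success", "No"):
            continue
        identity = event.get("userIdentity", {})
        if identity.get("type") in FEDERATED_TYPES:
            continue
        findings.append(identity.get("arn", "unknown"))
    return findings


if __name__ == "__main__":
    records = load_records(SAMPLE_LOG)
    for (outcome, mfa), n in sorted(summarize(records).items()):
        print(f"{outcome:8} MFAUsed={mfa:3} {n}")
    print("Successful sign-ins without MFA:", non_mfa_successes(records))
```

Run it against a real trail by reading the gunzipped object bodies that CloudTrail delivers to its S3 bucket and passing each body to load_records; the multi-region trail and S3 data-event controls below are what guarantee those objects exist for every region.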
Controls
- API Gateway REST API stages should have AWS X-Ray tracing enabled
- API Gateway stage logging should be enabled
- AppSync graphql API logging should be enabled
- CloudFront distributions access logs should be enabled
- At least one multi-region AWS CloudTrail should be present in an account
- All S3 buckets should log S3 data events in CloudTrail
- At least one enabled trail should be present in a region
- CodeBuild projects should have logging enabled
- DMS replication tasks for the source database should have logging enabled
- DMS replication tasks for the target database should have logging enabled
- EC2 Client VPN endpoints should have client connection logging enabled
- ECS task definitions should have logging enabled
- EKS clusters should have control plane audit logging enabled
- Elastic Beanstalk should stream logs to CloudWatch
- ELB application and classic load balancer logging should be enabled
- ELB classic load balancers should be configured with defensive or strictest desync mitigation mode
- Access logging should be configured for API Gateway V2 Stages
- Neptune DB clusters should publish audit logs to CloudWatch Logs
- Network Firewall logging should be enabled
- Aurora MySQL DB clusters should publish audit logs to CloudWatch Logs
- An RDS event notifications subscription should be configured for critical cluster events
- An RDS event notifications subscription should be configured for critical database instance events
- Database logging should be enabled
- An RDS event notifications subscription should be configured for critical database parameter group events
- An RDS event notifications subscription should be configured for critical database security group events
- AWS Redshift audit logging should be enabled
- Redshift cluster audit logging and encryption should be enabled
- Route 53 zones should have query logging enabled
- S3 bucket logging should be enabled
- Step Functions state machines should have logging turned on
- VPC flow logs should be enabled
- WAF web ACL logging should be enabled
- Logging should be enabled on AWS WAFv2 regional and global web access control lists (ACLs)