Benchmark: Article 25 Data protection by design and by default
To obtain the latest version of the official guide, please visit https://gdpr-info.eu/art-25-gdpr/.
Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.
The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons.
An approved certification mechanism pursuant to Article 42 may be used as an element to demonstrate compliance with the requirements set out in paragraphs 1 and 2 of this Article.
Usage
Install the mod:
mkdir dashboardscd dashboardspowerpipe mod initpowerpipe mod install github.com/turbot/steampipe-mod-aws-compliance
Start the Powerpipe server:
steampipe service startpowerpipe server
Open http://localhost:9033 in your browser and select Article 25 Data protection by design and by default.
Run this benchmark in your terminal:
powerpipe benchmark run aws_compliance.benchmark.article_25
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_compliance.benchmark.article_25 --share
Controls
- Ensure the S3 bucket CloudTrail logs to is not publicly accessible
- At least one multi-region AWS CloudTrail should be present in an account
- Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
- CloudTrail trails should be integrated with CloudWatch logs
- CloudTrail trail logs should be encrypted with KMS CMK
- CloudTrail trail log file validation should be enabled
- AWS Config should be enabled
- Ensure IAM password policy requires a minimum length of 14 or greater
- Ensure IAM password policy requires at least one lowercase letter
- Ensure IAM password policy requires at least one number
- Ensure IAM password policy requires at least one symbol
- Ensure IAM password policy requires at least one uppercase letter
- Ensure IAM password policy prevents password reuse
- IAM password policies for users should have strong configurations
- Ensure IAM password policy expires passwords within 90 days or less
- IAM policy should not have statements with admin access
- IAM root user hardware MFA should be enabled
- IAM root user MFA should be enabled
- IAM root user should not have access keys
- Ensure a support role has been created to manage incidents with AWS Support
- IAM user access keys should be rotated at least every 90 days
- IAM users with console access should have MFA enabled
- IAM user should not have any inline or attached policies
- IAM user credentials that have not been used in 90 days should be disabled
- KMS CMK rotation should be enabled
- Ensure a log metric filter and alarm exist for S3 bucket policy changes
- Ensure a log metric filter and alarm exist for CloudTrail configuration changes
- Ensure a log metric filter and alarm exist for AWS Config configuration changes
- Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
- Ensure a log metric filter and alarm exist for AWS Management Console sign-in without MFA
- Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer managed keys
- Ensure a log metric filter and alarm exist for IAM policy changes
- Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)
- Ensure a log metric filter and alarm exist for changes to network gateways
- Ensure a log metric filter and alarm exist for usage of 'root' account
- Ensure a log metric filter and alarm exist for route table changes
- Ensure a log metric filter and alarm exist for security group changes
- Ensure a log metric filter and alarm exist for unauthorized API calls
- Ensure a log metric filter and alarm exist for VPC changes
- VPC flow logs should be enabled