Benchmark: 4 Logging
Overview
This section contains the CIS AWS Foundations Benchmark v6.0.0 recommendations for configuring AWS logging features (CloudTrail, AWS Config, S3 access logging, KMS key rotation and VPC flow logs).
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-aws-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select 4 Logging.
Run this benchmark in your terminal:
powerpipe benchmark run aws_compliance.benchmark.cis_v600_4
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_compliance.benchmark.cis_v600_4 --share
Controls
- 4.1 Ensure CloudTrail is enabled in all regions
- 4.2 Ensure CloudTrail log file validation is enabled
- 4.3 Ensure AWS Config is enabled in all regions
- 4.4 Ensure that server access logging is enabled on the CloudTrail S3 bucket
- 4.5 Ensure CloudTrail logs are encrypted at rest using KMS CMKs
- 4.6 Ensure rotation for customer-created symmetric CMKs is enabled
- 4.7 Ensure VPC flow logging is enabled in all VPCs
- 4.8 Ensure that object-level logging for write events is enabled for S3 buckets
- 4.9 Ensure that object-level logging for read events is enabled for S3 buckets
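The mod implements each of these controls as SQL over Steampipe's AWS tables. To make the CloudTrail conditions concrete, the following is an added example (not code from steampipe-mod-aws-compliance or from CIS) that evaluates controls 4.1, 4.2 and 4.5 in plain Python over constructed trail records. The record shape merges fields from the CloudTrail describe-trails, get-trail-status and get-event-selectors responses; the field names are the real CloudTrail ones, the trail names, key ARN and account number are made up.

```python
"""Evaluate constructed CloudTrail trail records against CIS 4.1, 4.2 and 4.5.

Added example, not the mod's own control queries. Each dict below is a
constructed trail merging describe-trails, get-trail-status and
get-event-selectors fields; only the field names are real.
"""

# Constructed sample data (not from a real account).
TRAILS = [
    {   # Compliant: multi-region, logging, all management events, validated, KMS.
        "Name": "org-trail",
        "IsMultiRegionTrail": True,
        "IsLogging": True,
        "LogFileValidationEnabled": True,
        "KmsKeyId": "arn:aws:kms:us-east-1:111111111111:key/EXAMPLE",
        "EventSelectors": [
            {"ReadWriteType": "All", "IncludeManagementEvents": True}
        ],
    },
    {   # Single-region, write-only selector, no validation, no KMS key.
        "Name": "legacy-trail",
        "IsMultiRegionTrail": False,
        "IsLogging": True,
        "LogFileValidationEnabled": False,
        "KmsKeyId": None,
        "EventSelectors": [
            {"ReadWriteType": "WriteOnly", "IncludeManagementEvents": True}
        ],
    },
    {   # Correctly configured with advanced selectors, but logging is stopped.
        "Name": "adv-trail",
        "IsMultiRegionTrail": True,
        "IsLogging": False,
        "LogFileValidationEnabled": True,
        "KmsKeyId": None,
        "AdvancedEventSelectors": [
            {"Name": "mgmt", "FieldSelectors": [
                {"Field": "eventCategory", "Equals": ["Management"]}
            ]}
        ],
    },
]


def captures_all_management_events(trail):
    """True if some selector records both read and write management events.

    Basic selectors: IncludeManagementEvents with ReadWriteType "All".
    Advanced selectors: eventCategory == Management with no readOnly
    field selector (a readOnly field would restrict to reads or writes).
    """
    for sel in trail.get("EventSelectors", []):
        if sel.get("IncludeManagementEvents") and sel.get("ReadWriteType") == "All":
            return True
    for sel in trail.get("AdvancedEventSelectors", []):
        fields = {f.get("Field"): f.get("Equals", []) for f in sel.get("FieldSelectors", [])}
        if "Management" in fields.get("eventCategory", []) and "readOnly" not in fields:
            return True
    return False


def control_4_1(trails):
    """4.1 is account-level: pass if at least one multi-region trail is
    currently logging and captures all management events.
    Returns (status, names of trails that satisfy the control)."""
    passing = [
        t["Name"] for t in trails
        if t.get("IsMultiRegionTrail") and t.get("IsLogging")
        and captures_all_management_events(t)
    ]
    return ("ok" if passing else "alarm"), passing


def control_4_2(trails):
    """4.2 is per-trail: log file integrity validation must be enabled."""
    return {t["Name"]: "ok" if t.get("LogFileValidationEnabled") else "alarm" for t in trails}


def control_4_5(trails):
    """4.5 is per-trail: log files must be encrypted with a KMS key (KmsKeyId set)."""
    return {t["Name"]: "ok" if t.get("KmsKeyId") else "alarm" for t in trails}


def evaluate(trails):
    """Summarise the three controls in one report dict."""
    status, passing = control_4_1(trails)
    return {"4.1": {"status": status, "trails": passing},
            "4.2": control_4_2(trails),
            "4.5": control_4_5(trails)}


if __name__ == "__main__":
    import json
    print(json.dumps(evaluate(TRAILS), indent=2))
```

Note the asymmetry that trips people up in practice: 4.1 passes for the account as soon as one trail qualifies, while 4.2 and 4.5 are evaluated for every trail, so a forgotten single-region trail without a KMS key still raises alarms even when the organization trail is perfect. A trail whose status shows IsLogging false (adv-trail above) does not count toward 4.1 no matter how well its selectors are configured.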