Benchmark: 11.10(d) Limiting system access to authorized individuals
Description
Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls shall include the following: (d) Limiting system access to authorized individuals.
Usage
Install the mod:
mkdir dashboardscd dashboardspowerpipe mod initpowerpipe mod install github.com/turbot/steampipe-mod-aws-complianceStart the Powerpipe server:
steampipe service startpowerpipe serverOpen http://localhost:9033 in your browser and select 11.10(d) Limiting system access to authorized individuals.
Run this benchmark in your terminal:
powerpipe benchmark run aws_compliance.benchmark.gxp_21_cfr_part_11_11_10_dSnapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_compliance.benchmark.gxp_21_cfr_part_11_11_10_d --shareControls
- AWS account should be part of AWS Organizations
- DMS replication instances should not be publicly accessible
- DynamoDB table should be encrypted with AWS KMS
- Attached EBS volumes should have encryption enabled
- EBS snapshots should not be publicly restorable
- EBS encryption by default should be enabled
- EC2 instances should have IAM profile attached
- EC2 instances should be in a VPC
- EC2 instances should not have a public IP address
- EC2 instances should use IMDSv2
- ECS task definition container definitions should be checked for host mode
- EFS file system encryption at rest should be enabled
- EMR cluster Kerberos should be enabled
- EMR cluster master nodes should not have public IP addresses
- ES domain encryption at rest should be enabled
- ES domains should be in a VPC
- Elasticsearch domain node-to-node encryption should be enabled
- IAM password policies for users should have strong configurations
- Ensure IAM policy should not grant full access to service
- IAM groups should have at least one user
- IAM groups, users, and roles should not have any inline policies
- IAM AWS managed policies should be attached to IAM role
- Ensure managed IAM policies should not allow blocked actions on KMS keys
- Ensure inline policies attached to IAM users, roles, and groups should not allow blocked actions on KMS keys
- IAM policy should not have statements with admin access
- IAM root user hardware MFA should be enabled
- IAM root user MFA should be enabled
- IAM root user should not have access keys
- IAM user access keys should be rotated at least every 90 days
- IAM users with console access should have MFA enabled
- IAM users should be in at least one group
- IAM user MFA should be enabled
- IAM user should not have any inline or attached policies
- IAM user credentials that have not been used in 90 days should be disabled
- Lambda functions should be in a VPC
- Lambda functions should restrict public access
- RDS DB instances should prohibit public access
- RDS snapshots should prohibit public access
- Redshift clusters should prohibit public access
- S3 bucket policy should prohibit public access
- S3 buckets should prohibit public read access
- S3 buckets should prohibit public write access
- S3 public access should be blocked at account level
- S3 public access should be blocked at bucket levels
- SageMaker notebook instances should not have direct internet access
- Secrets Manager secrets should have automatic rotation enabled
- Secrets Manager secrets should be rotated as per the rotation schedule
- SSM documents should not be public
- VPC default security group should not allow inbound and outbound traffic
- VPC internet gateways should be attached to authorized vpc
- VPC route table should restrict public access to IGW
- VPC security groups should restrict ingress access on ports 20, 21, 22, 3306, 3389, 4333 from 0.0.0.0/0
- VPC security groups should restrict ingress SSH access from 0.0.0.0/0
- VPC security groups should restrict ingress TCP and UDP access from 0.0.0.0/0
- VPC subnet auto assign public IP should be disabled