Benchmark: 164.308(a)(3)(i) Workforce security
Description
Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information.
Usage
Install the mod:
mkdir dashboardscd dashboardspowerpipe mod initpowerpipe mod install github.com/turbot/steampipe-mod-aws-compliance
Start the Powerpipe server:
steampipe service startpowerpipe server
Open http://localhost:9033 in your browser and select 164.308(a)(3)(i) Workforce security.
Run this benchmark in your terminal:
powerpipe benchmark run aws_compliance.benchmark.hipaa_final_omnibus_security_rule_2013_164_308_a_3_i
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_compliance.benchmark.hipaa_final_omnibus_security_rule_2013_164_308_a_3_i --share
Controls
- Auto Scaling launch config public IP should be disabled
- CodeBuild project plaintext environment variables should not contain sensitive AWS values
- CodeBuild GitHub or Bitbucket source repository URLs should use OAuth
- DMS replication instances should not be publicly accessible
- EBS snapshots should not be publicly restorable
- EC2 instances should have IAM profile attached
- EC2 instances should be in a VPC
- EC2 instances should not have a public IP address
- EC2 instances should use IMDSv2
- ECS task definition container definitions should be checked for host mode
- EMR cluster Kerberos should be enabled
- EMR cluster master nodes should not have public IP addresses
- ES domains should be in a VPC
- IAM groups should have at least one user
- IAM groups, users, and roles should not have any inline policies
- IAM policy should not have statements with admin access
- IAM root user should not have access keys
- IAM users should be in at least one group
- IAM user should not have any inline or attached policies
- IAM user credentials that have not been used in 90 days should be disabled
- Lambda functions should be in a VPC
- Lambda functions should restrict public access
- OpenSearch domains should be in a VPC
- RDS DB instances should prohibit public access
- RDS snapshots should prohibit public access
- Redshift clusters should prohibit public access
- S3 bucket policy should prohibit public access
- S3 buckets should prohibit public read access
- S3 buckets should prohibit public write access
- S3 public access should be blocked at account level
- S3 public access should be blocked at bucket levels
- SageMaker notebook instances should not have direct internet access
- SSM documents should not be public
- VPC security groups should restrict ingress access on ports 20, 21, 22, 3306, 3389, 4333 from 0.0.0.0/0
- VPC security groups should restrict ingress SSH access from 0.0.0.0/0
- VPC subnet auto assign public IP should be disabled