Benchmark: 500.15(a)
Description
As part of its cybersecurity program, based on its Risk Assessment, each Covered Entity shall implement controls, including encryption, to protect Nonpublic Information held or transmitted by the Covered Entity both in transit over external networks and at rest.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-aws-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select 500.15(a).
Run this benchmark in your terminal:
powerpipe benchmark run aws_compliance.benchmark.nydfs_23_500_15_a
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_compliance.benchmark.nydfs_23_500_15_a --share
Controls
- ACM certificates should not expire within 30 days
- API Gateway stage should use SSL certificate
- API Gateway stage cache encryption at rest should be enabled
- Backup recovery points should be encrypted
- CloudTrail trail logs should be encrypted with KMS CMK
- CodeBuild project artifact encryption should be enabled
- DynamoDB table should be encrypted with AWS KMS
- Attached EBS volumes should have encryption enabled
- EBS encryption by default should be enabled
- EFS file system encryption at rest should be enabled
- ELB application load balancers should drop HTTP headers
- ELB application load balancers should redirect HTTP requests to HTTPS
- ELB application and network load balancers should only use SSL or HTTPS listeners
- ELB classic load balancers should only use SSL or HTTPS listeners
- ES domain encryption at rest should be enabled
- Elasticsearch domain node-to-node encryption should be enabled
- Kinesis streams should have server side encryption enabled
- Log group encryption at rest should be enabled
- OpenSearch domains should have encryption at rest enabled
- OpenSearch domains node-to-node encryption should be enabled
- RDS DB instance encryption at rest should be enabled
- RDS DB snapshots should be encrypted at rest
- Redshift cluster encryption in transit should be enabled
- Redshift cluster audit logging and encryption should be enabled
- AWS Redshift clusters should be encrypted with KMS
- S3 bucket default encryption should be enabled with KMS
- S3 bucket default encryption should be enabled
- S3 buckets should enforce SSL
- SageMaker endpoint configuration encryption should be enabled
- SageMaker notebook instance encryption should be enabled
- Secrets Manager secrets should be encrypted using CMK
- SNS topics should be encrypted at rest