Benchmark: 10.5.3 Current audit trail files are promptly backed up to a centralized log server or media that is difficult to alter
Description
Adequate protection of the audit logs includes strong access control (limit access to logs based on “need to know” only), and use of physical or network segregation to make the logs harder to find and modify. Promptly backing up the logs to a centralized log server or media that is difficult to alter keeps the logs protected even if the system generating the logs becomes compromised. Promptly back up audit trail files to a centralized log server or media that is difficult to alter.
Usage
Install the mod:
mkdir dashboardscd dashboardspowerpipe mod initpowerpipe mod install github.com/turbot/steampipe-mod-aws-compliance
Start the Powerpipe server:
steampipe service startpowerpipe server
Open http://localhost:9033 in your browser and select 10.5.3 Current audit trail files are promptly backed up to a centralized log server or media that is difficult to alter.
Run this benchmark in your terminal:
powerpipe benchmark run aws_compliance.benchmark.pci_dss_v321_requirement_10_5_3
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_compliance.benchmark.pci_dss_v321_requirement_10_5_3 --share
Controls
- CloudTrail trails should be integrated with CloudWatch logs
- S3 bucket cross-region replication should be enabled
- S3 bucket versioning should be enabled