Benchmark: 10.2.1.1: Audit logs capture all individual user access to cardholder data
Description
It is critical to have a process or system that links user access to system components accessed. Malicious individuals could obtain knowledge of a user account with access to systems in the CDE, or they could create a new, unauthorized account to access cardholder data.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-aws-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select 10.2.1.1: Audit logs capture all individual user access to cardholder data.
Run this benchmark in your terminal:
powerpipe benchmark run aws_compliance.benchmark.pci_dss_v40_requirement_10_2_1_1
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_compliance.benchmark.pci_dss_v40_requirement_10_2_1_1 --share
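For CI use, the terminal run above is more useful when its result is machine-checked. The following Python wrapper is an added example, not code from the mod or from Turbot: it runs the benchmark with JSON output, walks the group/control tree, and fails the job when any result is in alarm or error. It assumes powerpipe's --output json layout is a nested tree of "groups" and "controls" where each control carries "results" with "status", "resource" and "reason" keys; the embedded sample report is constructed (placeholder account, ARNs and control IDs) so the parser can be exercised offline, and the control titles are the ones listed for this benchmark.

```python
"""Gate a CI job on a Powerpipe benchmark result (added example).

Assumption: `powerpipe benchmark run <name> --output json` emits a tree of
"groups"/"controls", each control holding "results" entries with "status",
"resource" and "reason". Adjust the key names if your version differs.
"""
import json
import subprocess
import sys
from collections import Counter

BENCHMARK = "aws_compliance.benchmark.pci_dss_v40_requirement_10_2_1_1"

# Constructed sample report, NOT real scan output: placeholder account id,
# ARNs and control ids so the parser and gate can be run without AWS.
SAMPLE_REPORT = """
{
  "group_id": "aws_compliance.benchmark.pci_dss_v40_requirement_10_2_1_1",
  "title": "10.2.1.1: Audit logs capture all individual user access to cardholder data",
  "groups": [],
  "controls": [
    {
      "control_id": "aws_compliance.control.example_cloudtrail",
      "title": "At least one multi-region AWS CloudTrail should be present in an account",
      "results": [
        {"status": "ok", "resource": "arn:aws:::111111111111",
         "reason": "111111111111 has multi-region trail(s) enabled."}
      ]
    },
    {
      "control_id": "aws_compliance.control.example_vpc_flow_logs",
      "title": "VPC flow logs should be enabled",
      "results": [
        {"status": "ok", "resource": "arn:aws:ec2:us-east-1:111111111111:vpc/vpc-0a1b",
         "reason": "vpc-0a1b flow logging enabled."},
        {"status": "alarm", "resource": "arn:aws:ec2:us-east-1:111111111111:vpc/vpc-0c2d",
         "reason": "vpc-0c2d flow logging disabled."}
      ]
    },
    {
      "control_id": "aws_compliance.control.example_s3_logging",
      "title": "S3 bucket logging should be enabled",
      "results": [
        {"status": "alarm", "resource": "arn:aws:s3:::cardholder-exports",
         "reason": "cardholder-exports logging disabled."}
      ]
    }
  ]
}
"""


def load_report(text):
    """Parse a JSON report string into a dict."""
    return json.loads(text)


def iter_controls(node):
    """Yield every control dict in a possibly nested benchmark tree."""
    for ctl in node.get("controls") or []:
        yield ctl
    for grp in node.get("groups") or []:
        yield from iter_controls(grp)


def summarize(report):
    """Return (status_counts, findings); findings lists alarm/error results."""
    counts = Counter()
    findings = []
    for ctl in iter_controls(report):
        label = ctl.get("title") or ctl.get("control_id", "?")
        for res in ctl.get("results") or []:
            status = res.get("status", "error")
            counts[status] += 1
            if status in ("alarm", "error"):
                findings.append((label, res.get("resource", "?"), res.get("reason", "")))
    return counts, findings


def gate(report, fail_on=("alarm", "error")):
    """Exit code for CI: 1 if any result status is in fail_on, else 0."""
    counts, _ = summarize(report)
    return 1 if any(counts[s] for s in fail_on) else 0


def run_benchmark(benchmark=BENCHMARK):
    """Invoke powerpipe and parse its JSON; pass/fail is decided by gate()."""
    proc = subprocess.run(
        ["powerpipe", "benchmark", "run", benchmark, "--output", "json"],
        capture_output=True, text=True, check=False)
    return load_report(proc.stdout)


if __name__ == "__main__":
    # `--live` runs powerpipe for real; otherwise the constructed sample is used.
    report = run_benchmark() if "--live" in sys.argv else load_report(SAMPLE_REPORT)
    counts, findings = summarize(report)
    print(f"{report.get('title')}: {dict(counts)}")
    for title, resource, reason in findings:
        print(f"  [{title}] {resource}: {reason}")
    sys.exit(gate(report))
```

Run it with `--live` from the directory where the mod was installed; without the flag it evaluates the constructed sample and exits 1 because two resources are in alarm. Pass a narrower `fail_on` (for example only `("error",)`) if you want alarms reported but not blocking.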
Controls
- API Gateway REST API stages should have AWS X-Ray tracing enabled
- API Gateway stage logging should be enabled
- AppSync graphql API logging should be enabled
- CloudFront distributions access logs should be enabled
- At least one multi-region AWS CloudTrail should be present in an account
- All S3 buckets should log S3 data events in CloudTrail
- At least one enabled trail should be present in a region
- CloudWatch alarm should have an action configured
- CodeBuild projects should have logging enabled
- DMS replication tasks for the source database should have logging enabled
- DMS replication tasks for the target database should have logging enabled
- EC2 Client VPN endpoints should have client connection logging enabled
- EC2 instance detailed monitoring should be enabled
- ECS task definitions should have logging enabled
- EKS clusters should have control plane audit logging enabled
- Elastic Beanstalk environments should have enhanced health reporting enabled
- ELB application and classic load balancer logging should be enabled
- ELB classic load balancers should be configured with defensive or strictest desync mitigation mode
- Access logging should be configured for API Gateway V2 Stages
- Ensure a log metric filter and alarm exist for S3 bucket policy changes
- Ensure a log metric filter and alarm exist for CloudTrail configuration changes
- Ensure a log metric filter and alarm exist for AWS Config configuration changes
- Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
- Ensure a log metric filter and alarm exist for AWS Management Console sign-in without MFA
- Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer managed keys
- Ensure a log metric filter and alarm exist for IAM policy changes
- Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)
- Ensure a log metric filter and alarm exist for changes to network gateways
- Ensure a log metric filter and alarm exist for usage of 'root' account
- Ensure a log metric filter and alarm exist for route table changes
- Ensure a log metric filter and alarm exist for security group changes
- Ensure a log metric filter and alarm exist for unauthorized API calls
- Ensure a log metric filter and alarm exist for VPC changes
- Neptune DB clusters should publish audit logs to CloudWatch Logs
- Network Firewall logging should be enabled
- Aurora MySQL DB clusters should have audit logging enabled
- An RDS event notifications subscription should be configured for critical cluster events
- An RDS event notifications subscription should be configured for critical database instance events
- Database logging should be enabled
- An RDS event notifications subscription should be configured for critical database parameter group events
- An RDS event notifications subscription should be configured for critical database security group events
- AWS Redshift audit logging should be enabled
- Redshift cluster audit logging and encryption should be enabled
- Route 53 zones should have query logging enabled
- S3 bucket logging should be enabled
- AWS Security Hub should be enabled for an AWS Account
- Step Function state machines should have logging turned on
- Logging of delivery status should be enabled for notification messages sent to a topic
- VPC flow logs should be enabled
- WAF web ACL logging should be enabled
- AWS WAF rules should have CloudWatch metrics enabled
- Logging should be enabled on AWS WAFv2 regional and global web access control list (ACLs)