Benchmark: 10.2.1.3: Audit logs capture all access to audit logs
Description
Malicious users often attempt to alter audit logs to hide their actions. A record of access allows an organization to trace any inconsistencies or potential tampering of the logs to an individual account. Having logs identify changes, additions, and deletions to the audit logs can help retrace steps made by unauthorized personnel.
Usage
Install the mod:
mkdir dashboardscd dashboardspowerpipe mod initpowerpipe mod install github.com/turbot/steampipe-mod-aws-complianceStart the Powerpipe server:
steampipe service startpowerpipe serverOpen http://localhost:9033 in your browser and select 10.2.1.3: Audit logs capture all access to audit logs.
Run this benchmark in your terminal:
powerpipe benchmark run aws_compliance.benchmark.pci_dss_v40_requirement_10_2_1_3Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_compliance.benchmark.pci_dss_v40_requirement_10_2_1_3 --shareControls
- API Gateway REST API stages should have AWS X-Ray tracing enabled
- API Gateway stage logging should be enabled
- AppSync graphql API logging should be enabled
- CloudFront distributions access logs should be enabled
- At least one multi-region AWS CloudTrail should be present in an account
- All S3 buckets should log S3 data events in CloudTrail
- At least one enabled trail should be present in a region
- CodeBuild projects should have logging enabled
- DMS replication tasks for the source database should have logging enabled
- DMS replication tasks for the target database should have logging enabled
- EC2 Client VPN endpoints should have client connection logging enabled
- ECS task definitions should have logging enabled
- EKS clusters should have control plane audit logging enabled
- Elastic Beanstalk environments should have enhanced health reporting enabled
- ELB application and classic load balancer logging should be enabled
- ELB classic load balancers should be configured with defensive or strictest desync mitigation mode
- Access logging should be configured for API Gateway V2 Stages
- Neptune DB clusters should publish audit logs to CloudWatch Logs
- Network Firewall logging should be enabled
- Aurora MySQL DB clusters should have audit logging enabled
- An RDS event notifications subscription should be configured for critical cluster events
- An RDS event notifications subscription should be configured for critical database instance events
- Database logging should be enabled
- An RDS event notifications subscription should be configured for critical database parameter group events
- An RDS event notifications subscription should be configured for critical database security group events
- AWS Redshift audit logging should be enabled
- Redshift cluster audit logging and encryption should be enabled
- Route 53 zones should have query logging enabled
- S3 bucket logging should be enabled
- Step Function state machines should have logging turned on
- VPC flow logs should be enabled
- WAF web ACL logging should be enabled
- Logging should be enabled on AWS WAFv2 regional and global web access control list (ACLs)