Benchmark: 10.2.1.7: Audit logs capture all creation and deletion of system-level objects
Description
Malicious software, such as malware, often creates or replaces system-level objects on the target system to control a particular function or operation on that system. By logging when system-level objects are created or deleted, it will be easier to determine whether such modifications were authorized.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-aws-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select 10.2.1.7: Audit logs capture all creation and deletion of system-level objects.
Run this benchmark in your terminal:
powerpipe benchmark run aws_compliance.benchmark.pci_dss_v40_requirement_10_2_1_7
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_compliance.benchmark.pci_dss_v40_requirement_10_2_1_7 --share
Controls
- API Gateway REST API stages should have AWS X-Ray tracing enabled
- API Gateway stage logging should be enabled
- AppSync graphql API logging should be enabled
- CloudFront distributions access logs should be enabled
- At least one multi-region AWS CloudTrail should be present in an account
- All S3 buckets should log S3 data events in CloudTrail
- At least one enabled trail should be present in a region
- CodeBuild projects should have logging enabled
- DMS replication tasks for the source database should have logging enabled
- DMS replication tasks for the target database should have logging enabled
- EC2 Client VPN endpoints should have client connection logging enabled
- ECS task definitions should have logging enabled
- EKS clusters should have control plane audit logging enabled
- Elastic Beanstalk environments should have enhanced health reporting enabled
- ELB application and classic load balancer logging should be enabled
- ELB classic load balancers should be configured with defensive or strictest desync mitigation mode
- Access logging should be configured for API Gateway V2 Stages
- Neptune DB clusters should publish audit logs to CloudWatch Logs
- Network Firewall logging should be enabled
- Aurora MySQL DB clusters should have audit logging enabled
- An RDS event notifications subscription should be configured for critical cluster events
- An RDS event notifications subscription should be configured for critical database instance events
- Database logging should be enabled
- An RDS event notifications subscription should be configured for critical database parameter group events
- An RDS event notifications subscription should be configured for critical database security group events
- AWS Redshift audit logging should be enabled
- Redshift cluster audit logging and encryption should be enabled
- Route 53 zones should have query logging enabled
- S3 bucket logging should be enabled
- Step Function state machines should have logging turned on
- VPC flow logs should be enabled
- WAF web ACL logging should be enabled
- Logging should be enabled on AWS WAFv2 regional and global web access control lists (ACLs)