Benchmark: 3.5.1.3: If disk-level or partition-level encryption is used (rather than file-, column-, or field-level database encryption) to render PAN unreadable
Description
Disk-level encryption typically encrypts the entire disk or partition with a single key, and all data is decrypted automatically whenever the system is running or an authorized user requests it, so the encryption alone does not distinguish between legitimate and illegitimate access to PAN once the volume is mounted. Note that the controls listed below are the mod's mapping for this requirement: they check for complementary safeguards (public exposure of data stores and snapshots, transport encryption, KMS key and policy hygiene) rather than for disk or partition encryption itself.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-aws-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select 3.5.1.3: If disk-level or partition-level encryption is used (rather than file-, column-, or field-level database encryption) to render PAN unreadable.
Run this benchmark in your terminal:
powerpipe benchmark run aws_compliance.benchmark.pci_dss_v40_requirement_3_5_1_3
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_compliance.benchmark.pci_dss_v40_requirement_3_5_1_3 --share
Controls
- ACM certificates should not expire within 30 days
- API Gateway stage should use SSL certificate
- Backup recovery points manual deletion should be disabled
- CloudFront distributions should use custom SSL/TLS certificates
- At least one multi-region AWS CloudTrail should be present in an account
- DMS replication instances should not be publicly accessible
- Amazon DocumentDB cluster snapshots should not be public
- EBS snapshots should not be publicly restorable
- ECS containers should be limited to read-only access to root filesystems
- EFS access points should enforce a root directory
- EFS access points should enforce a user identity
- ELB application and network load balancers should only use SSL or HTTPS listeners
- ELB classic load balancers should use SSL certificates
- EMR account public access should be blocked
- Ensure managed IAM policies should not allow blocked actions on KMS keys
- Ensure inline policies attached to IAM users, roles, and groups should not allow blocked actions on KMS keys
- KMS keys should not be pending deletion
- Lambda functions should restrict public access
- Neptune DB cluster snapshots should not be public
- RDS DB instances should prohibit public access
- RDS snapshots should prohibit public access
- Redshift clusters should prohibit public access
- S3 access points should have block public access settings enabled
- Ensure MFA Delete is enabled on S3 buckets
- S3 buckets should prohibit public read access
- S3 buckets should prohibit public write access
- S3 public access should be blocked at account level
- S3 public access should be blocked at bucket levels
- SageMaker notebook instances should not have direct internet access
- SSM documents should not be public
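Each control above is a Steampipe SQL query whose rows carry `resource`, `status` and `reason` columns that Powerpipe aggregates into the benchmark result. The query below is an added illustration of that shape for the "RDS DB instances should prohibit public access" control; it is not the mod's own control SQL. It assumes the `aws_rds_db_instance` table from the Steampipe AWS plugin with its `arn`, `title`, `publicly_accessible`, `region` and `account_id` columns, and the exact query shipped in the mod may differ.

```sql
-- Added illustrative control query (not the mod's own SQL).
-- Assumed columns from the Steampipe AWS plugin's aws_rds_db_instance table:
-- arn, title, publicly_accessible, region, account_id.
select
  arn as resource,
  -- Powerpipe expects one of: ok, alarm, info, skip, error
  case
    when publicly_accessible then 'alarm'
    else 'ok'
  end as status,
  -- Human-readable explanation shown beside each resource in the dashboard
  case
    when publicly_accessible then title || ' is publicly accessible.'
    else title || ' is not publicly accessible.'
  end as reason,
  -- Dimensions used to group and filter results
  region,
  account_id
from
  aws_rds_db_instance;
```

With the Steampipe service running, the query can be tried directly with `steampipe query` to see which instances would raise an alarm before running the whole benchmark. A single control can also be run on its own with `powerpipe control run aws_compliance.control.<control_name>`, where the control name is the one defined in the mod for that check (assumed here, not taken from this page).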