aws_compliance

AWS Compliance

To protect data at rest, ensure that encryption is enabled for your AWS Redshift clusters. You must also ensure that required configurations are deployed on AWS Redshift clusters. The audit logging should be enabled to provide information about connections and user activities in the database.

redshift_cluster_encryption_logging_enabled

pci_dss_v321_requirement_10_1

10.1 Implement audit trails to link all access to system components to each individual user

pci_dss_v321_requirement_10_2_1

10.2.1 All individual user accesses to cardholder data

pci_dss_v321_requirement_10_2_2

10.2.2 All actions taken by any individual with root or administrative privileges

pci_dss_v321_requirement_10_2_3

10.2.3 Access to all audit trails

pci_dss_v321_requirement_10_2_4

10.2.4 Invalid logical access attempts

pci_dss_v321_requirement_10_2_6

10.2.6 Initialization, stopping, or pausing of the audit logs

pci_dss_v321_requirement_10_2_7

10.2.7 Creation and deletion of system- level objects

pci_dss_v321_requirement_10_3

10.3 Record at least the following audit trail entries for all system components for each event

pci_dss_v321_requirement_10_3_1

10.3.1 User identification

pci_dss_v321_requirement_10_3_2

10.3.2 Type of event

pci_dss_v321_requirement_10_3_3

10.3.3 Date and time

pci_dss_v321_requirement_10_3_4

10.3.4 Success or failure indication

pci_dss_v321_requirement_10_3_5

10.3.5 Origination of event

pci_dss_v321_requirement_10_3_6

10.3.6 Identity or name of affected data, system component, or resource

pci_dss_v321_requirement_10_5

10.5 Interview system administrators and examine system configurations and permissions to verify that audit trails are secured so that they cannot be altered

pci_dss_v321_requirement_10_5_4

10.5.4 Logs for external-facing technologies (for example, wireless, firewalls, DNS, mail) are written onto a secure, centralized, internal log server or media

gxp_21_cfr_part_11_11_10_c

11.10(c) Protection of records to enable their accurate and ready retrieval throughout the records retention period

gxp_21_cfr_part_11_11_10_e

11.10(e) Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records

gxp_21_cfr_part_11_11_30

11.30 Controls for open systems

hipaa_final_omnibus_security_rule_2013_164_308_a_1_ii_b

164.308(a)(1)(ii)(B) Risk management

hipaa_security_rule_2003_164_308_a_1_ii_b

hipaa_final_omnibus_security_rule_2013_164_308_a_1_ii_d

164.308(a)(1)(ii)(D) Information system activity review

hipaa_security_rule_2003_164_308_a_1_ii_d

hipaa_security_rule_2003_164_308_a_3_ii_a

164.308(a)(3)(ii)(A) Authorization and/or supervision

hipaa_final_omnibus_security_rule_2013_164_308_a_3_ii_a

hipaa_final_omnibus_security_rule_2013_164_308_a_4_ii_a

164.308(a)(4)(ii)(A) Isolating healthcare clearing house functions

hipaa_security_rule_2003_164_308_a_4_ii_a

hipaa_final_omnibus_security_rule_2013_164_312_a_2_iv

164.312(a)(2)(iv) Encryption and decryption

hipaa_security_rule_2003_164_312_a_2_iv

hipaa_final_omnibus_security_rule_2013_164_312_b

164.312(b) Audit controls

hipaa_security_rule_2003_164_312_e_2_ii

164.312(e)(2)(ii) Encryption

hipaa_final_omnibus_security_rule_2013_164_312_e_2_ii

rbi_itf_nbfc_3_1_h

3.1.h Trails

nist_800_171_rev_2_3_13_11

3.13.11 Employ FIPS-validated cryptography when used to protect the confidentiality of CUI

nist_800_171_rev_2_3_13_16

3.13.16 Protect the confidentiality of CUI at rest

nist_800_171_rev_2_3_14_6

3.14.6 Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks

nist_800_171_rev_2_3_14_7

3.14.7 Identify unauthorized use of organizational systems

nist_800_171_rev_2_3_3_1

3.3.1 Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity

nist_800_171_rev_2_3_3_2

3.3.2 Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions

nist_800_171_rev_2_3_3_3

3.3.3 Review and update logged events

pci_dss_v321_requirement_3_4

3.4 Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using approaches like one-way hashes based on strong cryptography, truncation etc

pci_dss_v321_requirement_3_4_1

3.4.1 If disk encryption is used (rather than file- or column-level database encryption), logical access must be managed separately and independently of native operating system authentication and access control mechanisms (for example, by not using local user account databases or general network login credentials)

pci_dss_v321_requirement_3_4_1_a

3.4.1.a If disk encryption is used, inspect the configuration and observe the authentication process to verify that logical access to encrypted file systems is implemented via a mechanism that is separate from the native operating system's authentication mechanism (for example, not using local user account databases or general network login credentials)

pci_dss_v321_requirement_3_4_1_c

3.4.1.c Examine the configurations and observe the processes to verify that cardholder data on removable media is encrypted wherever stored

pci_dss_v321_requirement_3_4_a

3.4.a Examine documentation about the system used to protect the PAN, including the vendor, type of system/process, and the encryption algorithms (if applicable) to verify that the PAN is rendered unreadable using methods like truncation,one-way hashes based on strong cryptography etc

pci_dss_v321_requirement_3_4_b

3.4.b Examine several tables or files from a sample of data repositories to verify the PAN is rendered unreadable (that is, not stored in plain-text)

nydfs_23_500_02_a

500.02(a)

nydfs_23_500_02_b_3

500.02(b)(3)

nydfs_23_500_06_a

500.06(a)

nydfs_23_500_14_a

500.14(a)

nydfs_23_500_15_a

500.15(a)

gxp_eu_annex_11_operational_phase_7_1

7.1 Data Storage - Damage Protection

cis_controls_v8_ig1_8_2

8.2 Collect Audit Logs

pci_dss_v321_requirement_8_2_1_a

8.2.1.a Examine vendor documentation and system configuration settings to verify that passwords are protected with strong cryptography during transmission and storage

nist_800_53_rev_4_ac_2_4

AC-2(4) Automated Audit Actions

nist_800_53_rev_5_ac_2_4

fedramp_moderate_rev_4_ac_2_4

fedramp_moderate_rev_4_ac_2_g

AC-2(g)

nist_800_53_rev_5_ac_3_1

AC-3(1) Restricted Access To Privileged Functions

nist_800_53_rev_5_ac_3_10

AC-3(10) Audited Override Of Access Control Mechanisms

nist_800_53_rev_5_ac_4_26

AC-4(26) Audit Filtering Actions

nist_800_53_rev_5_ac_6_9

AC-6(9)

acsc_essential_eight_ml_2_1_3

ACSC-EE-ML2-1.3: Application control ML2

acsc_essential_eight_ml_2_5_11

ACSC-EE-ML2-5.11: Restrict administrative privileges ML2

acsc_essential_eight_ml_2_5_12

ACSC-EE-ML2-5.12: Restrict administrative privileges ML2

acsc_essential_eight_ml_2_7_7

ACSC-EE-ML2-7.7: Multi-factor authentication ML2

nist_800_53_rev_5_au_12_1

AU-12(1) System-Wide And Time-Correlated Audit Trial

nist_800_53_rev_5_au_12_2

AU-12(2) Standardized Formats

nist_800_53_rev_5_au_12_3

AU-12(3) Changes By Authorized Individuals

nist_800_53_rev_5_au_12_4

AU-12(4) Query Parameter Audits Of Personally Identifiable Information

nist_800_53_rev_5_au_12_a

AU-12(a)

fedramp_moderate_rev_4_au_12_a_c

AU-12(a)(c)

nist_800_53_rev_5_au_12_c

AU-12(c)

nist_800_53_rev_5_au_14_3

AU-14(3) Remote Viewing And Listening

nist_800_53_rev_5_au_14_a

AU-14(a)

nist_800_53_rev_5_au_14_b

AU-14(b)

fedramp_moderate_rev_4_au_2_a_d

AU-2(a)(d)

nist_800_53_rev_5_au_2_b

AU-2(b)

nist_800_53_rev_5_au_3_a

AU-3(a)

nist_800_53_rev_5_au_3_b

AU-3(b)

nist_800_53_rev_5_au_3_c

AU-3(c)

nist_800_53_rev_5_au_3_d

AU-3(d)

nist_800_53_rev_5_au_3_e

AU-3(e)

nist_800_53_rev_5_au_3_f

AU-3(f)

fedramp_moderate_rev_4_au_6_1_3

AU-6(1)(3)

nist_800_53_rev_5_au_6_3

AU-6(3) Correlate Audit Record Repositories

nist_800_53_rev_5_au_6_4

AU-6(4) Central Review And Analysis

nist_800_53_rev_5_au_6_6

AU-6(6) Correletion With Physical Monitoring

nist_800_53_rev_5_au_6_9

AU-6(9) Correletion With From Nontechnical Sources

nist_800_53_rev_5_au_8_b

AU-8(b)

nist_800_53_rev_5_au_9_3

AU-9(3) Cryptographic Protection

fedramp_low_rev_4_ac_2

Account Management (AC-2)

nist_800_53_rev_4_ac_2

rbi_cyber_security_annex_i_1_3

Annex I (1.3)

rbi_cyber_security_annex_i_7_4

Annex I (7.4)

article_30

Article 30 Records of processing activities

article_32

Article 32 Security of processing

fedramp_low_rev_4_au_2

Audit Events (AU-2)

nist_800_53_rev_4_au_12

Audit Generation (AU-12)

fedramp_moderate_rev_4_ca_7_a_b

CA-7(a)(b)

Redshift cluster audit logging and encryption should be enabled

Run individual configuration, compliance and security controls or full compliance benchmarks for CIS, FFIEC, PCI, NIST, HIPAA, RBI CSF, GDPR, SOC 2, Audit Manager Control Tower, FedRAMP, GxP and AWS Foundational Security Best Practices controls across all your AWS accounts using Powerpipe and Steampipe.

Apache License 2.0

steampipe-mod-aws-compliance

Control: Redshift cluster audit logging and encryption should be enabled

Description

Usage

SQL

Tags