Benchmark: PR.DS-5
Description
Protections against data leaks are implemented.
Usage
Install the mod:
mkdir dashboardscd dashboardspowerpipe mod initpowerpipe mod install github.com/turbot/steampipe-mod-aws-compliance
Start the Powerpipe server:
steampipe service startpowerpipe server
Open http://localhost:9033 in your browser and select PR.DS-5.
Run this benchmark in your terminal:
powerpipe benchmark run aws_compliance.benchmark.nist_csf_pr_ds_5
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_compliance.benchmark.nist_csf_pr_ds_5 --share
Controls
- Auto Scaling launch config public IP should be disabled
- At least one multi-region AWS CloudTrail should be present in an account
- All S3 buckets should log S3 data events in CloudTrail
- At least one enabled trail should be present in a region
- CodeBuild projects should have logging enabled
- CodeBuild project plaintext environment variables should not contain sensitive AWS values
- CodeBuild GitHub or Bitbucket source repository URLs should use OAuth
- DMS replication instances should not be publicly accessible
- EBS snapshots should not be publicly restorable
- ECS task definition containers should not have secrets passed as environment variables
- EKS clusters endpoint should restrict public access
- ELB application and classic load balancer logging should be enabled
- ES domains should be in a VPC
- GuardDuty should be enabled
- Lambda functions should restrict public access
- OpenSearch domains should be in a VPC
- RDS DB instances should prohibit public access
- RDS snapshots should prohibit public access
- AWS Redshift audit logging should be enabled
- Redshift clusters should prohibit public access
- S3 buckets should have event notifications enabled
- S3 bucket logging should be enabled
- S3 buckets should prohibit public read access
- S3 buckets should prohibit public write access
- S3 public access should be blocked at account level
- SageMaker notebook instances should not have direct internet access
- AWS Security Hub should be enabled for an AWS Account
- SSM documents should not be public
- VPC should be configured to use VPC endpoints
- VPC flow logs should be enabled