Benchmark: PR.DS-01
Description
The confidentiality, integrity, and availability of data-at-rest are protected.
Usage
Install the mod:
mkdir dashboardscd dashboardspowerpipe mod initpowerpipe mod install github.com/turbot/steampipe-mod-aws-compliance
Start the Powerpipe server:
steampipe service startpowerpipe server
Open http://localhost:9033 in your browser and select PR.DS-01.
Run this benchmark in your terminal:
powerpipe benchmark run aws_compliance.benchmark.nist_csf_v2_pr_ds_01
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_compliance.benchmark.nist_csf_v2_pr_ds_01 --share
Controls
- Athena workgroups should be encrypted at rest
- CloudTrail trail logs should be encrypted with KMS CMK
- Attached EBS volumes should have encryption enabled
- EBS encryption by default should be enabled
- EBS snapshots should be encrypted
- EBS volume encryption at rest should be enabled
- ECS clusters encryption at rest should be enabled
- EFS file system encryption at rest should be enabled
- EFS file systems should be encrypted with CMK
- KMS CMK policies should prohibit public access
- KMS CMK rotation should be enabled
- KMS key decryption should be restricted in IAM customer managed policy
- KMS key decryption should be restricted in IAM inline policy
- Neptune DB clusters should be encrypted at rest
- Neptune DB cluster snapshots should be encrypted at rest
- RDS DB clusters should be encrypted at rest
- RDS DB instance encryption at rest should be enabled
- S3 bucket default encryption should be enabled with KMS
- S3 bucket default encryption should be enabled
- S3 buckets should enforce SSL
- SNS topics should be encrypted at rest
- AWS SQS queues should be encrypted at rest
- SQS queues should be encrypted with KMS CMK
- SSM parameters encryption should be enabled