Benchmark: A1.2.1: Audit log capability is enabled for each customer's environment that is consistent
Description
Log information is useful for detecting and troubleshooting security incidents and is invaluable for forensic investigations. Customers therefore need to have access to these logs.
Usage
Install the mod:
mkdir dashboardscd dashboardspowerpipe mod initpowerpipe mod install github.com/turbot/steampipe-mod-aws-complianceStart the Powerpipe server:
steampipe service startpowerpipe serverOpen http://localhost:9033 in your browser and select A1.2.1: Audit log capability is enabled for each customer's environment that is consistent.
Run this benchmark in your terminal:
powerpipe benchmark run aws_compliance.benchmark.pci_dss_v40_appendix_a1_2_1Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_compliance.benchmark.pci_dss_v40_appendix_a1_2_1 --shareControls
- API Gateway REST API stages should have AWS X-Ray tracing enabled
- API Gateway stage logging should be enabled
- AppSync graphql API logging should be enabled
- CloudFront distributions access logs should be enabled
- At least one multi-region AWS CloudTrail should be present in an account
- All S3 buckets should log S3 data events in CloudTrail
- At least one trail should be enabled with security best practices
- At least one enabled trail should be present in a region
- CloudTrail trail logs should be encrypted with KMS CMK
- CloudTrail trail log file validation should be enabled
- CodeBuild projects should have logging enabled
- DMS replication tasks for the source database should have logging enabled
- DMS replication tasks for the target database should have logging enabled
- EC2 Client VPN endpoints should have client connection logging enabled
- ECS task definitions should have logging enabled
- EKS clusters should have control plane audit logging enabled
- Elastic Beanstalk environments should have enhanced health reporting enabled
- ELB application and classic load balancer logging should be enabled
- ELB classic load balancers should be configured with defensive or strictest desync mitigation mode
- Access logging should be configured for API Gateway V2 Stages
- Log group encryption at rest should be enabled
- Neptune DB clusters should publish audit logs to CloudWatch Logs
- Network Firewall logging should be enabled
- Aurora MySQL DB clusters should have audit logging enabled
- An RDS event notifications subscription should be configured for critical cluster events
- An RDS event notifications subscription should be configured for critical database instance events
- Database logging should be enabled
- An RDS event notifications subscription should be configured for critical database parameter group events
- An RDS event notifications subscription should be configured for critical database security group events
- AWS Redshift audit logging should be enabled
- Redshift cluster audit logging and encryption should be enabled
- Route 53 zones should have query logging enabled
- S3 bucket logging should be enabled
- S3 public access should be blocked at bucket levels
- Step Function state machines should have logging turned on
- VPC flow logs should be enabled
- WAF web ACL logging should be enabled
- Logging should be enabled on AWS WAFv2 regional and global web access control list (ACLs)