Benchmark: A3.3.1: Failures of critical security control systems are detected, alerted, and addressed promptly, including but not limited to failure
Description
Without formal processes for the prompt (as soon as possible) detection, alerting, and addressing of critical security control failures, failures may go undetected or remain unresolved for extended periods. In addition, without formalized timebound processes, attackers will have ample time to compromise systems and steal account data from the CDE.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-aws-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select A3.3.1: Failures of critical security control systems are detected, alerted, and addressed promptly, including but not limited to failure.
Run this benchmark in your terminal:
powerpipe benchmark run aws_compliance.benchmark.pci_dss_v40_appendix_a3_3_1
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_compliance.benchmark.pci_dss_v40_appendix_a3_3_1 --share
Controls
- API Gateway REST API stages should have AWS X-Ray tracing enabled
- CloudFormation stacks should have notifications enabled
- CloudTrail trails should be integrated with CloudWatch logs
- CloudWatch alarm should have an action configured
- EC2 instance detailed monitoring should be enabled
- Ensure a log metric filter and alarm exist for S3 bucket policy changes
- Ensure a log metric filter and alarm exist for CloudTrail configuration changes
- Ensure a log metric filter and alarm exist for AWS Config configuration changes
- Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
- Ensure a log metric filter and alarm exist for AWS Management Console sign-in without MFA
- Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer managed keys
- Ensure a log metric filter and alarm exist for IAM policy changes
- Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)
- Ensure a log metric filter and alarm exist for changes to network gateways
- Ensure a log metric filter and alarm exist for usage of 'root' account
- Ensure a log metric filter and alarm exist for route table changes
- Ensure a log metric filter and alarm exist for security group changes
- Ensure a log metric filter and alarm exist for unauthorized API calls
- Ensure a log metric filter and alarm exist for VPC changes
- S3 buckets should have event notifications enabled
- AWS Security Hub should be enabled for an AWS Account
- Logging of delivery status should be enabled for notification messages sent to a topic
- AWS WAF rules should have CloudWatch metrics enabled