Benchmark: 10.3.2: Audit log files are protected to prevent modifications by individuals
Description
Often a malicious individual who has entered the network will try to edit the audit logs to hide their activity. Without adequate protection of audit logs, their completeness, accuracy, and integrity cannot be guaranteed, and the audit logs can be rendered useless as an investigation tool after a compromise. Therefore, audit logs should be protected on the originating systems as well as anywhere else they are stored.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-aws-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select 10.3.2: Audit log files are protected to prevent modifications by individuals.
Run this benchmark in your terminal:
powerpipe benchmark run aws_compliance.benchmark.pci_dss_v40_requirement_10_3_2
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_compliance.benchmark.pci_dss_v40_requirement_10_3_2 --share
Controls
- Backup recovery points manual deletion should be disabled
- At least one multi-region AWS CloudTrail should be present in an account
- At least one trail should be enabled with security best practices
- At least one enabled trail should be present in a region
- CloudTrail trail logs should be encrypted with KMS CMK
- CloudTrail trail log file validation should be enabled
- DMS replication instances should not be publicly accessible
- Amazon DocumentDB cluster snapshots should not be public
- EBS snapshots should not be publicly restorable
- ECS containers should be limited to read-only access to root filesystems
- EFS access points should enforce a root directory
- EFS access points should enforce a user identity
- EMR account public access should be blocked
- Lambda functions should restrict public access
- Log group encryption at rest should be enabled
- Neptune DB cluster snapshots should not be public
- RDS DB instances should prohibit public access
- RDS snapshots should prohibit public access
- Redshift clusters should prohibit public access
- S3 access points should have block public access settings enabled
- Ensure MFA Delete is enabled on S3 buckets
- S3 buckets should prohibit public read access
- S3 buckets should prohibit public write access
- S3 public access should be blocked at account level
- S3 public access should be blocked at bucket levels
- SageMaker notebook instances should not have direct internet access
- SSM documents should not be public