Benchmark: 10.5.1: Retain audit log history for at least 12 months, with at least the most recent three months immediately available for analysis
Description
Retaining historical audit logs for at least 12 months is necessary because compromises often go unnoticed for significant lengths of time. Having centrally stored log history allows investigators to better determine the length of time a potential breach was occurring, and the possible system(s) impacted. By having three months of logs immediately available, an entity can quickly identify and minimize impact of a data breach.
Usage
Install the mod:
mkdir dashboardscd dashboardspowerpipe mod initpowerpipe mod install github.com/turbot/steampipe-mod-aws-compliance
Start the Powerpipe server:
steampipe service startpowerpipe server
Open http://localhost:9033 in your browser and select 10.5.1: Retain audit log history for at least 12 months, with at least the most recent three months immediately available for analysis.
Run this benchmark in your terminal:
powerpipe benchmark run aws_compliance.benchmark.pci_dss_v40_requirement_10_5_1
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_compliance.benchmark.pci_dss_v40_requirement_10_5_1 --share
Controls
- Backup plan min frequency and min retention check
- Backup recovery points should not expire before retention period
- At least one trail should be enabled with security best practices
- At least one enabled trail should be present in a region
- Log group retention period should be at least 365 days
- AWS DocumentDB clusters should have an adequate backup retention period
- DynamoDB table point-in-time recovery should be enabled
- EBS volumes should be attached to EC2 instances
- ECR repositories should have lifecycle policies configured
- Elasticsearch domain should send logs to CloudWatch
- OpenSearch domains should have audit logging enabled.
- OpenSearch domains logs to AWS CloudWatch Logs
- S3 buckets should have lifecycle policies configured
- S3 buckets with versioning enabled should have lifecycle policies configured