Benchmark: 11.5.2: A change-detection mechanism (for example, file integrity monitoring tools) is deployed
Description
Changes to critical system, configuration, or content files can be an indicator an attacker has accessed an organization's system. Such changes can allow an attacker to take additional malicious actions, access cardholder data, and/or conduct activities without detection or record.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-aws-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select 11.5.2: A change-detection mechanism (for example, file integrity monitoring tools) is deployed.
Run this benchmark in your terminal:
powerpipe benchmark run aws_compliance.benchmark.pci_dss_v40_requirement_11_5_2
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_compliance.benchmark.pci_dss_v40_requirement_11_5_2 --share
Controls
- API Gateway stage should use an SSL certificate
- CloudFormation stacks should have notifications enabled
- At least one multi-region AWS CloudTrail should be present in an account
- All S3 buckets should log S3 data events in CloudTrail
- CloudTrail trails should be integrated with CloudWatch logs
- CloudWatch alarm should have an action configured
- AWS Config should be enabled
- EC2 instances should not have a public IP address
- GuardDuty should be enabled
- IAM password policies for users should have strong configurations
- IAM policy should not have statements with admin access
- IAM user MFA should be enabled
- Lambda functions should restrict public access
- Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
- Ensure a log metric filter and alarm exist for AWS Management Console sign-in without MFA
- Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer managed keys
- Ensure a log metric filter and alarm exist for usage of 'root' account
- S3 buckets should have event notifications enabled
- S3 buckets should prohibit public read access
- S3 buckets should prohibit public write access
- AWS Security Hub should be enabled for an AWS Account
- Logging of delivery status should be enabled for notification messages sent to a topic
- VPC security groups should restrict ingress access on ports 20, 21, 22, 3306, 3389, 4333 from 0.0.0.0/0
- VPC security groups should restrict ingress SSH access from 0.0.0.0/0
- VPC security groups should restrict ingress TCP and UDP access from 0.0.0.0/0