Benchmark: 11.6.1: A change- and tamper-detection mechanism is deployed
Description
Many web pages now rely on assembling objects, including active content (primarily JavaScript), from multiple internet locations. Additionally, the content of many web pages is defined using content management and tag management systems that may not be possible to monitor using traditional change detection mechanisms.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-aws-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select 11.6.1: A change- and tamper-detection mechanism is deployed.
Run this benchmark in your terminal:
powerpipe benchmark run aws_compliance.benchmark.pci_dss_v40_requirement_11_6_1
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_compliance.benchmark.pci_dss_v40_requirement_11_6_1 --share
Controls
- CloudFormation stacks should have notifications enabled
- CloudTrail trails should be integrated with CloudWatch logs
- CloudWatch alarm should have an action configured
- GuardDuty should be enabled
- Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
- Ensure a log metric filter and alarm exist for AWS Management Console sign-in without MFA
- Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer managed keys
- Ensure a log metric filter and alarm exist for usage of 'root' account
- S3 buckets should have event notifications enabled
- AWS Security Hub should be enabled for an AWS Account
- Logging of delivery status should be enabled for notification messages sent to a topic