Benchmark: 12.10.5: The security incident response plan includes monitoring and responding to alerts from security monitoring systems
Description
Responding to alerts generated by security monitoring systems that are explicitly designed to focus on potential risk to data is critical to preventing a breach; therefore, monitoring and responding to those alerts must be included in the incident response process.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-aws-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select 12.10.5: The security incident response plan includes monitoring and responding to alerts from security monitoring systems.
Run this benchmark in your terminal:
powerpipe benchmark run aws_compliance.benchmark.pci_dss_v40_requirement_12_10_5
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_compliance.benchmark.pci_dss_v40_requirement_12_10_5 --share
Controls
- CloudFormation stacks should have notifications enabled
- CloudTrail trails should be integrated with CloudWatch logs
- CloudWatch alarm should have an action configured
- Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
- Ensure a log metric filter and alarm exist for AWS Management Console sign-in without MFA
- Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer managed keys
- Ensure a log metric filter and alarm exist for usage of 'root' account
- S3 buckets should have event notifications enabled
- Logging of delivery status should be enabled for notification messages sent to a topic
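The following is an added example, not code from the steampipe-mod-aws-compliance mod (whose controls are Steampipe SQL queries run against a live account). It shows, over a constructed inventory, the logic behind two of the controls listed above: "CloudWatch alarm should have an action configured" and "Ensure a log metric filter and alarm exist for usage of 'root' account". The filter pattern is the one the CIS AWS Foundations Benchmark prescribes for root usage; all resource names, log group names and ARNs in the sample data are constructed for the example.

```python
"""Offline approximation of two PCI DSS 12.10.5 controls over constructed data.

Added example; it is not the mod's own SQL. The CIS benchmark additionally
requires the alarm's SNS topic to have at least one subscription, which is
deliberately left out here to keep the example focused.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# CIS AWS Foundations Benchmark metric filter pattern for root account usage.
ROOT_USAGE_PATTERN = (
    '{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS '
    '&& $.eventType != "AwsServiceEvent" }'
)


@dataclass
class Alarm:
    name: str
    metric_name: str
    alarm_actions: List[str] = field(default_factory=list)
    ok_actions: List[str] = field(default_factory=list)
    insufficient_data_actions: List[str] = field(default_factory=list)


@dataclass
class MetricFilter:
    log_group_name: str
    filter_pattern: str
    metric_name: str


@dataclass
class Trail:
    name: str
    is_multi_region: bool
    is_logging: bool
    log_group_name: Optional[str]  # None when not integrated with CloudWatch Logs


def _normalize(pattern: str) -> str:
    """Collapse whitespace so cosmetically different patterns compare equal."""
    return " ".join(pattern.split())


def alarms_without_actions(alarms: List[Alarm]) -> List[str]:
    """Names of alarms that would fire into the void: no action of any kind."""
    return [
        a.name for a in alarms
        if not (a.alarm_actions or a.ok_actions or a.insufficient_data_actions)
    ]


def root_usage_alarm_present(trails: List[Trail], filters: List[MetricFilter],
                             alarms: List[Alarm]) -> bool:
    """True when a logging multi-region trail feeds a CloudWatch log group that
    has the CIS root-usage metric filter, and an alarm with at least one alarm
    action watches that filter's metric. Any break in the chain returns False."""
    for trail in trails:
        if not (trail.is_multi_region and trail.is_logging and trail.log_group_name):
            continue
        for flt in filters:
            if flt.log_group_name != trail.log_group_name:
                continue
            if _normalize(flt.filter_pattern) != _normalize(ROOT_USAGE_PATTERN):
                continue
            if any(a.metric_name == flt.metric_name and a.alarm_actions for a in alarms):
                return True
    return False


# Constructed sample inventory (not real resources).
SAMPLE_TRAILS = [Trail("org-trail", True, True, "/aws/cloudtrail/org")]
SAMPLE_FILTERS = [
    MetricFilter("/aws/cloudtrail/org", ROOT_USAGE_PATTERN, "RootUsageCount"),
]
SAMPLE_ALARMS = [
    Alarm("root-usage", "RootUsageCount",
          alarm_actions=["arn:aws:sns:us-east-1:123456789012:security-alerts"]),
    Alarm("cpu-high", "CPUUtilization"),  # no actions at all: should be flagged
]

# A weakened filter that drops the invokedBy clause, so AWS-service-initiated
# root activity would also match and the control is not satisfied as written.
WEAK_FILTERS = [
    MetricFilter("/aws/cloudtrail/org", '{ $.userIdentity.type = "Root" }',
                 "RootUsageCount"),
]

if __name__ == "__main__":
    print("alarms without actions:", alarms_without_actions(SAMPLE_ALARMS))
    print("root usage alarm present:",
          root_usage_alarm_present(SAMPLE_TRAILS, SAMPLE_FILTERS, SAMPLE_ALARMS))
```

The chain in root_usage_alarm_present is the point: an alarm on the right metric is worthless if the trail is single-region, has stopped logging, or is not delivering to the log group the filter reads, and a filter with a looser pattern than the benchmark's is reported as a finding rather than silently accepted.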