Benchmark: 3.2.1: Account data storage is kept to a minimum through implementation of data retention and disposal policies, procedures, and processes
Description
A formal data retention policy identifies what data needs to be retained, for how long, and where that data resides so it can be securely destroyed or deleted as soon as it is no longer needed.
Usage
Install the mod:
mkdir dashboardscd dashboardspowerpipe mod initpowerpipe mod install github.com/turbot/steampipe-mod-aws-compliance
Start the Powerpipe server:
steampipe service startpowerpipe server
Open http://localhost:9033 in your browser and select 3.2.1: Account data storage is kept to a minimum through implementation of data retention and disposal policies, procedures, and processes.
Run this benchmark in your terminal:
powerpipe benchmark run aws_compliance.benchmark.pci_dss_v40_requirement_3_2_1
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_compliance.benchmark.pci_dss_v40_requirement_3_2_1 --share
Controls
- Backup plan min frequency and min retention check
- Backup recovery points should not expire before retention period
- Log group retention period should be at least 365 days
- AWS DocumentDB clusters should have an adequate backup retention period
- DynamoDB table point-in-time recovery should be enabled
- EBS volumes should be attached to EC2 instances
- ECR repositories should have lifecycle policies configured
- S3 buckets should have lifecycle policies configured
- S3 buckets with versioning enabled should have lifecycle policies configured