Benchmark: 8.3.2: Strong cryptography is used to render all authentication factors unreadable during transmission and storage on all system components
Description
Network devices and applications have been known to transmit unencrypted, readable authentication factors (such as passwords and passphrases) across the network and/or store these values without encryption. As a result, a malicious individual can easily intercept this information during transmission using a 'sniffer,' or directly access unencrypted authentication factors in files where they are stored, and then use this data to gain unauthorized access.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-aws-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select 8.3.2: Strong cryptography is used to render all authentication factors unreadable during transmission and storage on all system components.
Run this benchmark in your terminal:
powerpipe benchmark run aws_compliance.benchmark.pci_dss_v40_requirement_8_3_2
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_compliance.benchmark.pci_dss_v40_requirement_8_3_2 --share
Controls
- API Gateway stage cache encryption at rest should be enabled
- Athena workgroups should be encrypted at rest
- Backup recovery points should be encrypted
- CloudFront distributions should encrypt traffic to custom origins
- CloudFront distributions should require encryption in transit
- CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins
- CloudTrail trail logs should be encrypted with KMS CMK
- CodeBuild project artifact encryption should be enabled
- CodeBuild project plaintext environment variables should not contain sensitive AWS values
- CodeBuild project S3 logs should be encrypted
- DynamoDB Accelerator (DAX) clusters should be encrypted at rest
- AWS DocumentDB clusters should be encrypted at rest
- DynamoDB table should be encrypted with AWS KMS
- DynamoDB table should have encryption enabled
- Attached EBS volumes should have encryption enabled
- EBS default encryption should be enabled
- ECS task definition containers should not have secrets passed as environment variables
- EFS file system encryption at rest should be enabled
- EKS clusters should be configured to have kubernetes secrets encrypted using KMS
- ElastiCache for Redis replication groups should be encrypted at rest
- ElastiCache for Redis replication groups should be encrypted in transit
- ELB application load balancers should redirect HTTP requests to HTTPS
- ELB classic load balancers should use SSL certificates
- ELB classic load balancers should only use SSL or HTTPS listeners
- EMR cluster Kerberos should be enabled
- ES domain encryption at rest should be enabled
- Elasticsearch domain node-to-node encryption should be enabled
- Kinesis streams should have server side encryption enabled
- Log group encryption at rest should be enabled
- Neptune DB clusters should be encrypted at rest
- Neptune DB cluster snapshots should be encrypted at rest
- OpenSearch domains should have encryption at rest enabled
- OpenSearch domains should use HTTPS
- OpenSearch domains node-to-node encryption should be enabled
- RDS DB instance encryption at rest should be enabled
- RDS DB snapshots should be encrypted at rest
- Redshift cluster encryption in transit should be enabled
- Redshift cluster audit logging and encryption should be enabled
- AWS Redshift clusters should be encrypted with KMS
- S3 bucket default encryption should be enabled
- S3 bucket default encryption should be enabled with KMS
- S3 buckets should enforce SSL
- SageMaker endpoint configuration encryption should be enabled
- SageMaker notebook instance encryption should be enabled
- Secrets Manager secrets should be encrypted using CMK
- SNS topics should be encrypted at rest