diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 17bb057f..bf64705c 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,7 +1,7 @@ repos: ## GENERAL - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v4.3.0 + rev: v4.4.0 hooks: - id: check-merge-conflict - id: check-yaml @@ -15,12 +15,12 @@ repos: ## BASH - repo: https://github.com/koalaman/shellcheck-precommit - rev: v0.8.0 + rev: v0.9.0 hooks: - id: shellcheck ## PYTHON - repo: https://github.com/myint/autoflake - rev: v1.7.7 + rev: v2.0.1 hooks: - id: autoflake args: @@ -31,18 +31,18 @@ repos: ] - repo: https://github.com/timothycrosley/isort - rev: 5.10.1 + rev: 5.12.0 hooks: - id: isort args: ["--profile", "black"] - repo: https://github.com/psf/black - rev: 22.10.0 + rev: 23.1.0 hooks: - id: black - repo: https://github.com/pycqa/flake8 - rev: 5.0.4 + rev: 6.0.0 hooks: - id: flake8 exclude: contrib @@ -54,7 +54,7 @@ repos: - id: check-pipfile-lock - repo: https://github.com/hadolint/hadolint - rev: v2.12.0 + rev: v2.12.1-beta hooks: - id: hadolint args: ["--ignore=DL3013"] diff --git a/docs/tutorials/compliance.md b/docs/tutorials/compliance.md index d5e10ab6..bbbc1ce1 100644 --- a/docs/tutorials/compliance.md +++ b/docs/tutorials/compliance.md 
@@ -11,6 +11,24 @@ Currently, the available frameworks are: - `cis_1.4_aws` - `cis_1.5_aws` - `ens_rd2022_aws` +- `aws_audit_manager_control_tower_guardrails_aws` +- `aws_foundational_security_best_practices_aws` +- `cisa_aws` +- `fedramp_low_revision_4_aws` +- `fedramp_moderate_revision_4_aws` +- `ffiec_aws` +- `gdpr_aws` +- `gxp_eu_annex_11_aws` +- `gxp_21_cfr_part_11_aws` +- `hipaa_aws` +- `nist_800_53_revision_4_aws` +- `nist_800_53_revision_5_aws` +- `nist_800_171_revision_2_aws` +- `nist_csf_1.1_aws` +- `pci_3.2.1_aws` +- `rbi_cyber_security_framework_aws` +- `soc2_aws` + ## List Requirements of Compliance Frameworks For each compliance framework, you can use option `--list-compliance-requirements` to list its requirements: diff --git a/prowler/compliance/aws/aws_audit_manager_control_tower_guardrails_aws.json b/prowler/compliance/aws/aws_audit_manager_control_tower_guardrails_aws.json new file mode 100644 index 00000000..34a5856f --- /dev/null +++ b/prowler/compliance/aws/aws_audit_manager_control_tower_guardrails_aws.json 
@@ -0,0 +1,214 @@ +{ + "Framework": "AWS-Audit-Manager-Control-Tower-Guardrails", + "Version": "", + "Provider": "AWS", + "Description": "AWS Control Tower is a management and governance service that you can use to navigate through the setup process and governance requirements that are involved in creating a multi-account AWS environment.", + "Requirements": [ + { + "Id": "1.0.1", + "Name": "Disallow launch of EC2 instance types that are not EBS-optimized", + "Description": "Checks whether EBS optimization is enabled for your EC2 instances that can be EBS-optimized", + "Attributes": [ + { + "ItemId": "1.0.1", + "Section": "EBS checks", + "Service": "ebs" + } + ], + "Checks": [] + }, + { + "Id": "1.0.2", + "Name": "Disallow EBS volumes that are unattached to an EC2 instance", + "Description": "Checks whether EBS volumes are attached to EC2 instances", + "Attributes": [ + { + "ItemId": "1.0.2", + "Section": "EBS checks", + "Service": "ebs" + } + ], + "Checks": [] + }, + { + "Id": "1.0.3", + "Name": "Enable encryption for EBS volumes attached to EC2 instances", + "Description": "Checks whether EBS volumes that are in an attached state are encrypted", + "Attributes": [ + { + "ItemId": "1.0.3", + "Section": "EBS checks", + "Service": "ebs" + } + ], + "Checks": [ + "ec2_ebs_default_encryption" + ] + }, + { + "Id": "2.0.1", + "Name": "Disallow internet connection through RDP", + "Description": "Checks whether security groups that are in use disallow unrestricted incoming TCP traffic to the specified", + "Attributes": [ + { + "ItemId": "2.0.1", + "Section": "Disallow Internet Connection", + "Service": "vpc" + } + ], + "Checks": [ + "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389" + ] + }, + { + "Id": "2.0.2", + "Name": "Disallow internet connection through SSH", + "Description": "Checks whether security groups that are in use disallow unrestricted incoming SSH traffic.", + "Attributes": [ + { + "ItemId": "2.0.2", + "Section": "Disallow Internet Connection", 
+ "Service": "vpc" + } + ], + "Checks": [ + "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22" + ] + }, + { + "Id": "3.0.1", + "Name": "Disallow access to IAM users without MFA", + "Description": "Checks whether the AWS Identity and Access Management users have multi-factor authentication (MFA) enabled.", + "Attributes": [ + { + "ItemId": "3.0.1", + "Section": "Multi-Factor Authentication", + "Service": "iam" + } + ], + "Checks": [ + "iam_user_mfa_enabled_console_access" + ] + }, + { + "Id": "3.0.2", + "Name": "Disallow console access to IAM users without MFA", + "Description": "Checks whether AWS Multi-Factor Authentication (MFA) is enabled for all AWS Identity and Access Management (IAM) users that use a console password.", + "Attributes": [ + { + "ItemId": "3.0.2", + "Section": "Multi-Factor Authentication", + "Service": "iam" + } + ], + "Checks": [ + "iam_user_mfa_enabled_console_access" + ] + }, + { + "Id": "3.0.3", + "Name": "Enable MFA for the root user", + "Description": "Checks whether the root user of your AWS account requires multi-factor authentication for console sign-in.", + "Attributes": [ + { + "ItemId": "3.0.3", + "Section": "Multi-Factor Authentication", + "Service": "iam" + } + ], + "Checks": [ + "iam_root_mfa_enabled" + ] + }, + { + "Id": "4.0.1", + "Name": "Disallow public access to RDS database instances", + "Description": "Checks whether the Amazon Relational Database Service (RDS) instances are not publicly accessible. The rule is non-compliant if the publiclyAccessible field is true in the instance configuration item.", + "Attributes": [ + { + "ItemId": "4.0.1", + "Section": "Disallow Public Access", + "Service": "rds" + } + ], + "Checks": [ + "rds_instance_no_public_access" + ] + }, + { + "Id": "4.0.2", + "Name": "Disallow public access to RDS database snapshots", + "Description": "Checks if Amazon Relational Database Service (Amazon RDS) snapshots are public. 
The rule is non-compliant if any existing and new Amazon RDS snapshots are public.", + "Attributes": [ + { + "ItemId": "4.0.2", + "Section": "Disallow Public Access", + "Service": "rds" + } + ], + "Checks": [ + "rds_snapshots_public_access" + ] + }, + { + "Id": "4.1.1", + "Name": "Disallow public read access to S3 buckets", + "Description": "Checks that your S3 buckets do not allow public read access.", + "Attributes": [ + { + "ItemId": "4.1.1", + "Section": "Disallow Public Access", + "Service": "s3" + } + ], + "Checks": [ + "rds_instance_no_public_access" + ] + }, + { + "Id": "4.1.2", + "Name": "Disallow public write access to S3 buckets", + "Description": "Checks that your S3 buckets do not allow public write access.", + "Attributes": [ + { + "ItemId": "4.1.2", + "Section": "Disallow Public Access", + "Service": "s3" + } + ], + "Checks": [ + "s3_bucket_policy_public_write_access" + ] + }, + { + "Id": "5.0.1", + "Name": "Disallow RDS database instances that are not storage encrypted ", + "Description": "Checks whether storage encryption is enabled for your RDS DB instances.", + "Attributes": [ + { + "ItemId": "5.0.1", + "Section": "Disallow Instances", + "Service": "rds" + } + ], + "Checks": [ + "rds_instance_storage_encrypted" + ] + }, + { + "Id": "5.1.1", + "Name": "Disallow S3 buckets that are not versioning enabled", + "Description": "Checks whether versioning is enabled for your S3 buckets.", + "Attributes": [ + { + "ItemId": "5.1.1", + "Section": "Disallow Instances", + "Service": "s3" + } + ], + "Checks": [ + "s3_bucket_object_versioning" + ] + } + ] +} diff --git a/prowler/compliance/aws/aws_foundational_security_best_practices_aws.json b/prowler/compliance/aws/aws_foundational_security_best_practices_aws.json new file mode 100644 index 00000000..3c9ac87f --- /dev/null +++ b/prowler/compliance/aws/aws_foundational_security_best_practices_aws.json 
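Review bot: Requirement 4.1.1 ("Disallow public read access to S3 buckets") maps to `rds_instance_no_public_access`, an RDS check that looks carried over from 4.0.1, so the S3 control would be scored against the wrong service; the S3 check this same commit uses for that purpose elsewhere is `s3_bucket_public_access`, i.e. `"Checks": ["s3_bucket_public_access"]`. Requirement 2.0.1's Description is cut off mid-sentence ("...incoming TCP traffic to the specified") and 5.0.1's Name carries a trailing space inside the string, both of which will surface verbatim in report output. Requirements 3.0.1 and 3.0.2 both map the single check `iam_user_mfa_enabled_console_access`; if 3.0.1 is meant to cover IAM users without MFA regardless of console access it needs a different check, otherwise the two requirements are redundant and that should be stated in the Description.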
@@ -0,0 +1,604 @@ +{ + "Framework": "AWS-Foundational-Security-Best-Practices", + "Version": "", + "Provider": "AWS", + "Description": "The AWS Foundational Security Best Practices standard is a set of controls that detect when your deployed accounts and resources deviate from security best practices.", + "Requirements": [ + { + "Id": "account", + "Name": "Account", + "Description": "This section contains recommendations for configuring AWS Account.", + "Attributes": [ + { + "ItemId": "account", + "Section": "Account", + "Service": "account" + } + ], + "Checks": [ + "account_security_contact_information_is_registered" + ] + }, + { + "Id": "acm", + "Name": "ACM", + "Description": "This section contains recommendations for configuring ACM resources.", + "Attributes": [ + { + "ItemId": "acm", + "Section": "Acm", + "Service": "acm" + } + ], + "Checks": [ + "account_security_contact_information_is_registered" + ] + }, + { + "Id": "api-gateway", + "Name": "API Gateway", + "Description": "This section contains recommendations for configuring API Gateway resources.", + "Attributes": [ + { + "ItemId": "api-gateway", + "Section": "API Gateway", + "Service": "apigateway" + } + ], + "Checks": [ + "apigateway_logging_enabled", + "apigateway_client_certificate_enabled", + "apigateway_waf_acl_attached", + "apigatewayv2_authorizers_enabled", + "apigatewayv2_access_logging_enabled" + ] + }, + { + "Id": "auto-scaling", + "Name": "Benchmark: Auto Scaling", + "Description": "This section contains recommendations for configuring Auto Scaling resources and options.", + "Attributes": [ + { + "ItemId": "auto-scaling", + "Section": "Auto Scaling", + "Service": "autoscaling" + } + ], + "Checks": [] + }, + { + "Id": "cloudformation", + "Name": "Benchmark: CloudFormation", + "Description": "This section contains recommendations for configuring CloudFormation resources and options.", + "Attributes": [ + { + "ItemId": "cloudformation", + "Section": "CloudFormation", + "Service": 
"cloudformation" + } + ], + "Checks": [] + }, + { + "Id": "cloudfront", + "Name": "Benchmark: CloudFront", + "Description": "This section contains recommendations for configuring CloudFront resources and options.", + "Attributes": [ + { + "ItemId": "cloudfront", + "Section": "CloudFront", + "Service": "cloudfront" + } + ], + "Checks": [ + "cloudfront_distributions_https_enabled", + "cloudfront_distributions_logging_enabled", + "cloudfront_distributions_using_waf", + "cloudfront_distributions_field_level_encryption_enabled", + "cloudfront_distributions_using_deprecated_ssl_protocols" + ] + }, + { + "Id": "cloudtrail", + "Name": "Benchmark: CloudTrail", + "Description": "This section contains recommendations for configuring CloudTrail resources and options.", + "Attributes": [ + { + "ItemId": "cloudtrail", + "Section": "CloudTrail", + "Service": "cloudtrail" + } + ], + "Checks": [ + "cloudtrail_multi_region_enabled", + "cloudtrail_kms_encryption_enabled", + "cloudtrail_log_file_validation_enabled", + "cloudtrail_cloudwatch_logging_enabled" + ] + }, + { + "Id": "codebuild", + "Name": "Benchmark: CodeBuild", + "Description": "This section contains recommendations for configuring CodeBuild resources and options.", + "Attributes": [ + { + "ItemId": "codebuild", + "Section": "CodeBuild", + "Service": "codebuild" + } + ], + "Checks": [] + }, + { + "Id": "config", + "Name": "Benchmark: Config", + "Description": "This section contains recommendations for configuring AWS Config.", + "Attributes": [ + { + "ItemId": "config", + "Section": "Config", + "Service": "config" + } + ], + "Checks": [ + "config_recorder_all_regions_enabled" + ] + }, + { + "Id": "dms", + "Name": "Benchmark: DMS", + "Description": "This section contains recommendations for configuring AWS DMS resources and options.", + "Attributes": [ + { + "ItemId": "dms", + "Section": "DMS", + "Service": "dms" + } + ], + "Checks": [] + }, + { + "Id": "dynamodb", + "Name": "Benchmark: DynamoDB", + "Description": "This 
section contains recommendations for configuring AWS Dynamo DB resources and options.", + "Attributes": [ + { + "ItemId": "dynamodb", + "Section": "DynamoDB", + "Service": "dynamodb" + } + ], + "Checks": [ + "dynamodb_tables_pitr_enabled", + "dynamodb_accelerator_cluster_encryption_enabled" + ] + }, + { + "Id": "ec2", + "Name": "Benchmark: EC2", + "Description": "This section contains recommendations for configuring EC2 resources and options.", + "Attributes": [ + { + "ItemId": "ec2", + "Section": "EC2", + "Service": "ec2" + } + ], + "Checks": [ + "ec2_ebs_public_snapshot", + "ec2_securitygroup_default_restrict_traffic", + "ec2_ebs_volume_encryption", + "ec2_instance_older_than_specific_days", + "vpc_flow_logs_enabled", + "ec2_ebs_default_encryption", + "ec2_instance_imdsv2_enabled", + "ec2_instance_public_ip", + "ec2_networkacl_allow_ingress_any_port", + "ec2_securitygroup_not_used" + ] + }, + { + "Id": "ecr", + "Name": "Benchmark: Elastic Container Registry", + "Description": "This section contains recommendations for configuring AWS ECR resources and options.", + "Attributes": [ + { + "ItemId": "ecr", + "Section": "ECR", + "Service": "ecr" + } + ], + "Checks": [ + "ecr_repositories_scan_images_on_push_enabled", + "ecr_repositories_lifecycle_policy_enabled" + ] + }, + { + "Id": "ecs", + "Name": "Benchmark: Elastic Container Service", + "Description": "This section contains recommendations for configuring ECS resources and options.", + "Attributes": [ + { + "ItemId": "ecs", + "Section": "ECS", + "Service": "ecs" + } + ], + "Checks": [ + "ecs_task_definitions_no_environment_secrets" + ] + }, + { + "Id": "efs", + "Name": "Benchmark: EFS", + "Description": "This section contains recommendations for configuring AWS EFS resources and options.", + "Attributes": [ + { + "ItemId": "efs", + "Section": "EFS", + "Service": "efs" + } + ], + "Checks": [ + "efs_encryption_at_rest_enabled", + "efs_have_backup_enabled" + ] + }, + { + "Id": "eks", + "Name": "Benchmark: EKS", + 
"Description": "This section contains recommendations for configuring AWS EKS resources and options.", + "Attributes": [ + { + "ItemId": "eks", + "Section": "EKS", + "Service": "eks" + } + ], + "Checks": [] + }, + { + "Id": "elastic-beanstalk", + "Name": "Benchmark: Elastic Beanstalk", + "Description": "This section contains recommendations for configuring AWS Elastic Beanstalk resources and options.", + "Attributes": [ + { + "ItemId": "elastic-beanstalk", + "Section": "Elastic Beanstalk", + "Service": "elasticbeanstalk" + } + ], + "Checks": [] + }, + { + "Id": "elb", + "Name": "Benchmark: ELB", + "Description": "This section contains recommendations for configuring Elastic Load Balancer resources and options.", + "Attributes": [ + { + "ItemId": "elb", + "Section": "ELB", + "Service": "elb" + } + ], + "Checks": [ + "elbv2_logging_enabled", + "elb_logging_enabled", + "elbv2_deletion_protection", + "elbv2_desync_mitigation_mode" + ] + }, + { + "Id": "elbv2", + "Name": "Benchmark: ELBv2", + "Description": "This section contains recommendations for configuring Elastic Load Balancer resources and options.", + "Attributes": [ + { + "ItemId": "elbv2", + "Section": "ELBv2", + "Service": "elbv2" + } + ], + "Checks": [] + }, + { + "Id": "emr", + "Name": "Benchmark: EMR", + "Description": "This section contains recommendations for configuring EMR resources.", + "Attributes": [ + { + "ItemId": "emr", + "Section": "EMR", + "Service": "emr" + } + ], + "Checks": [ + "emr_cluster_master_nodes_no_public_ip" + ] + }, + { + "Id": "elasticsearch", + "Name": "Benchmark: Elasticsearch", + "Description": "This section contains recommendations for configuring Elasticsearch resources and options.", + "Attributes": [ + { + "ItemId": "elasticsearch", + "Section": "ElasticSearch", + "Service": "elasticsearch" + } + ], + "Checks": [ + "opensearch_service_domains_encryption_at_rest_enabled", + "opensearch_service_domains_node_to_node_encryption_enabled", + 
"opensearch_service_domains_audit_logging_enabled", + "opensearch_service_domains_audit_logging_enabled", + "opensearch_service_domains_https_communications_enforced" + ] + }, + { + "Id": "guardduty", + "Name": "Benchmark: GuardDuty", + "Description": "This section contains recommendations for configuring AWS GuardDuty resources and options.", + "Attributes": [ + { + "ItemId": "guardduty", + "Section": "GuardDuty", + "Service": "guardduty" + } + ], + "Checks": [ + "guardduty_is_enabled" + ] + }, + { + "Id": "iam", + "Name": "Benchmark: IAM", + "Description": "This section contains recommendations for configuring AWS IAM resources and options.", + "Attributes": [ + { + "ItemId": "iam", + "Section": "IAM", + "Service": "iam" + } + ], + "Checks": [ + "iam_policy_no_administrative_privileges", + "iam_rotate_access_key_90_days", + "iam_no_root_access_key", + "iam_user_mfa_enabled_console_access", + "iam_root_hardware_mfa_enabled", + "iam_password_policy_minimum_length_14", + "iam_disable_90_days_credentials", + "iam_policy_no_administrative_privileges" + ] + }, + { + "Id": "kinesis", + "Name": "Benchmark: Kinesis", + "Description": "This section contains recommendations for configuring AWS Kinesis resources and options.", + "Attributes": [ + { + "ItemId": "kinesis", + "Section": "Kinesis", + "Service": "kinesis" + } + ], + "Checks": [] + }, + { + "Id": "kms", + "Name": "Benchmark: KMS", + "Description": "This section contains recommendations for configuring AWS KMS resources and options.", + "Attributes": [ + { + "ItemId": "kms", + "Section": "KMS", + "Service": "kms" + } + ], + "Checks": [] + }, + { + "Id": "lambda", + "Name": "Benchmark: Lambda", + "Description": "This section contains recommendations for configuring Lambda resources and options.", + "Attributes": [ + { + "ItemId": "lambda", + "Section": "Lambda", + "Service": "lambda" + } + ], + "Checks": [ + "awslambda_function_url_public", + "awslambda_function_using_supported_runtimes" + ] + }, + { + "Id": 
"network-firewall", + "Name": "Benchmark: Network Firewall", + "Description": "This section contains recommendations for configuring Network Firewall resources and options.", + "Attributes": [ + { + "ItemId": "network-firewall", + "Section": "Network Firewall", + "Service": "network-firewall" + } + ], + "Checks": [] + }, + { + "Id": "opensearch", + "Name": "Benchmark: OpenSearch", + "Description": "This section contains recommendations for configuring OpenSearch resources and options.", + "Attributes": [ + { + "ItemId": "opensearch", + "Section": "OpenSearch", + "Service": "opensearch" + } + ], + "Checks": [ + "opensearch_service_domains_not_publicly_accessible" + ] + }, + { + "Id": "rds", + "Name": "Benchmark: RDS", + "Description": "This section contains recommendations for configuring AWS RDS resources and options.", + "Attributes": [ + { + "ItemId": "rds", + "Section": "RDS", + "Service": "rds" + } + ], + "Checks": [ + "rds_snapshots_public_access", + "rds_instance_no_public_access", + "rds_instance_storage_encrypted", + "rds_instance_storage_encrypted", + "rds_instance_multi_az", + "rds_instance_enhanced_monitoring_enabled", + "rds_instance_deletion_protection", + "rds_instance_integration_cloudwatch_logs", + "rds_instance_minor_version_upgrade_enabled", + "rds_instance_multi_az" + ] + }, + { + "Id": "redshift", + "Name": "Benchmark: Redshift", + "Description": "This section contains recommendations for configuring AWS Redshift resources and options.", + "Attributes": [ + { + "ItemId": "redshift", + "Section": "Redshift", + "Service": "redshift" + } + ], + "Checks": [ + "redshift_cluster_public_access", + "redshift_cluster_automated_snapshot", + "redshift_cluster_automated_snapshot", + "redshift_cluster_automatic_upgrades" + ] + }, + { + "Id": "s3", + "Name": "Benchmark: S3", + "Description": "This section contains recommendations for configuring AWS S3 resources and options.", + "Attributes": [ + { + "ItemId": "s3", + "Section": "S3", + "Service": "s3" + } + 
], + "Checks": [ + "s3_account_level_public_access_blocks", + "s3_account_level_public_access_blocks", + "s3_bucket_policy_public_write_access", + "s3_bucket_default_encryption", + "s3_bucket_secure_transport_policy", + "s3_bucket_public_access", + "s3_bucket_server_access_logging_enabled", + "s3_bucket_object_versioning", + "s3_bucket_acl_prohibited" + ] + }, + { + "Id": "sagemaker", + "Name": "Benchmark: SageMaker", + "Description": "This section contains recommendations for configuring AWS Sagemaker resources and options.", + "Attributes": [ + { + "ItemId": "sagemaker", + "Section": "SageMaker", + "Service": "sagemaker" + } + ], + "Checks": [ + "sagemaker_notebook_instance_without_direct_internet_access_configured", + "sagemaker_notebook_instance_vpc_settings_configured", + "sagemaker_notebook_instance_root_access_disabled" + ] + }, + { + "Id": "secretsmanager", + "Name": "Benchmark: Secrets Manager", + "Description": "This section contains recommendations for configuring AWS Secrets Manager resources.", + "Attributes": [ + { + "ItemId": "secretsmanager", + "Section": "Secrets Manager", + "Service": "secretsmanager" + } + ], + "Checks": [ + "secretsmanager_automatic_rotation_enabled", + "secretsmanager_automatic_rotation_enabled" + ] + }, + { + "Id": "sns", + "Name": "Benchmark: SNS", + "Description": "This section contains recommendations for configuring AWS SNS resources and options.", + "Attributes": [ + { + "ItemId": "sns", + "Section": "SNS", + "Service": "sns" + } + ], + "Checks": [ + "sns_topics_kms_encryption_at_rest_enabled" + ] + }, + { + "Id": "sqs", + "Name": "Benchmark: SQS", + "Description": "This section contains recommendations for configuring AWS SQS resources and options.", + "Attributes": [ + { + "ItemId": "sqs", + "Section": "SQS", + "Service": "sqs" + } + ], + "Checks": [ + "sqs_queues_server_side_encryption_enabled" + ] + }, + { + "Id": "ssm", + "Name": "Benchmark: SSM", + "Description": "This section contains recommendations for 
configuring AWS Systems Manager resources and options.",
+ "Attributes": [
+ {
+ "ItemId": "ssm",
+ "Section": "SSM",
+ "Service": "ssm"
+ }
+ ],
+ "Checks": [
+ "ec2_instance_managed_by_ssm",
+ "ssm_managed_compliant_patching",
+ "ssm_managed_compliant_patching"
+ ]
+ },
+ {
+ "Id": "waf",
+ "Name": "Benchmark: WAF",
+ "Description": "This section contains recommendations for configuring AWS WAF resources and options.",
+ "Attributes": [
+ {
+ "ItemId": "waf",
+ "Section": "WAF",
+ "Service": "waf"
+ }
+ ],
+ "Checks": []
+ }
+ ]
+}
diff --git a/prowler/compliance/aws/cis_1.4_aws.json b/prowler/compliance/aws/cis_1.4_aws.json
index f262037c..1efe3492 100644
--- a/prowler/compliance/aws/cis_1.4_aws.json
+++ b/prowler/compliance/aws/cis_1.4_aws.json
@@ -1,6 +1,8 @@
 {
- "Framework": "CIS-AWS",
+ "Framework": "CIS",
 "Version": "1.4",
+ "Provider": "AWS",
+ "Description": "The CIS Benchmark for CIS Amazon Web Services Foundations Benchmark, v1.4.0, Level 1 and 2 provides prescriptive guidance for configuring security options for a subset of Amazon Web Services. It has an emphasis on foundational, testable, and architecture agnostic settings",
 "Requirements": [
 {
 "Id": "1.1",
diff --git a/prowler/compliance/aws/cis_1.5_aws.json b/prowler/compliance/aws/cis_1.5_aws.json
index fcc2d207..cf37b8e0 100644
--- a/prowler/compliance/aws/cis_1.5_aws.json
+++ b/prowler/compliance/aws/cis_1.5_aws.json
@@ -1,6 +1,8 @@
 {
- "Framework": "CIS-AWS",
+ "Framework": "CIS",
 "Version": "1.5",
+ "Provider": "AWS",
+ "Description": "The CIS Amazon Web Services Foundations Benchmark provides prescriptive guidance for configuring security options for a subset of Amazon Web Services with an emphasis on foundational, testable, and architecture agnostic settings.",
 "Requirements": [
 {
 "Id": "1.1",
diff --git a/prowler/compliance/aws/cisa_aws.json b/prowler/compliance/aws/cisa_aws.json
new file mode 100644
index 00000000..d5e69124
--- /dev/null
+++ b/prowler/compliance/aws/cisa_aws.json
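Review bot: The `acm` requirement maps `account_security_contact_information_is_registered`, which is the `account` requirement's check copied over, so ACM would be scored on an unrelated control; the ACM check this commit uses in cisa_aws.json is `acm_certificates_expiration_check`, i.e. `"Checks": ["acm_certificates_expiration_check"]`. Several Checks arrays list the same check twice (`opensearch_service_domains_audit_logging_enabled` under elasticsearch, `iam_policy_no_administrative_privileges` under iam, `rds_instance_storage_encrypted` and `rds_instance_multi_az` under rds, `redshift_cluster_automated_snapshot`, `s3_account_level_public_access_blocks`, `secretsmanager_automatic_rotation_enabled`, `ssm_managed_compliant_patching`), which, depending on how the compliance output iterates Checks, may double-count findings per requirement; deduplicating the arrays is safe either way. The `elb` requirement holds the `elbv2_*` checks while `elbv2` has an empty Checks array, which looks like the ELBv2 checks were filed under the wrong Id. Names are inconsistently prefixed: `account`, `acm` and `api-gateway` use bare names while every other requirement uses `Benchmark: ...`.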
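Review bot: Changing `Framework` from `"CIS-AWS"` to `"CIS"` in cis_1.4_aws.json (and likewise in cis_1.5_aws.json) alters a value that presumably surfaces in the compliance report output, so any downstream filter keyed on the old `CIS-AWS` string would silently stop matching; that is worth calling out in the PR description as an output-format change, since this hunk alone cannot show who consumes the field. The two new Description strings are also inconsistent in form: the 1.4 text has no terminal period while the 1.5 text does, and `"The CIS Benchmark for CIS Amazon Web Services Foundations Benchmark"` repeats the word Benchmark — `"The CIS Amazon Web Services Foundations Benchmark, v1.4.0, Level 1 and 2, provides prescriptive guidance ..."` would read cleaner.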
@@ -0,0 +1,421 @@ +{ + "Framework": "CISA", + "Version": "", + "Provider": "AWS", + "Description": "Cybersecurity & Infrastructure Security Agency's (CISA) Cyber Essentials is a guide for leaders of small businesses as well as leaders of small and local government agencies to develop an actionable understanding of where to start implementing organizational cybersecurity practices.", + "Requirements": [ + { + "Id": "your-systems-1", + "Name": "Your Systems-1", + "Description": "Learn what is on your network. Maintain inventories of hardware and software assets to know what is in play and at-risk from attack.", + "Attributes": [ + { + "ItemId": "your-systems-1", + "Section": "your systems", + "Service": "aws" + } + ], + "Checks": [ + "ec2_instance_managed_by_ssm", + "ec2_instance_older_than_specific_days", + "ssm_managed_compliant_patching", + "ec2_elastic_ip_unassgined" + ] + }, + { + "Id": "your-systems-2", + "Name": "Your Systems-2", + "Description": "Leverage automatic updates for all operating systems and third-party software.", + "Attributes": [ + { + "ItemId": "your-systems-2", + "Section": "your systems", + "Service": "aws" + } + ], + "Checks": [ + "rds_instance_minor_version_upgrade_enabled", + "redshift_cluster_automatic_upgrades", + "ssm_managed_compliant_patching" + ] + }, + { + "Id": "your-systems-3", + "Name": "Your Systems-3", + "Description": "Implement security configurations for all hardware and software assets.", + "Attributes": [ + { + "ItemId": "your-systems-3", + "Section": "your systems", + "Service": "aws" + } + ], + "Checks": [ + "apigateway_client_certificate_enabled", + "apigateway_logging_enabled", + "apigateway_waf_acl_attached", + "cloudtrail_multi_region_enabled", + "cloudtrail_s3_dataevents_read_enabled", + "cloudtrail_s3_dataevents_write_enabled", + "cloudtrail_multi_region_enabled", + "cloudtrail_kms_encryption_enabled", + "cloudtrail_log_file_validation_enabled", + "codebuild_project_user_controlled_buildspec", + 
"dynamodb_accelerator_cluster_encryption_enabled", + "dynamodb_tables_kms_cmk_encryption_enabled", + "dynamodb_tables_pitr_enabled", + "dynamodb_tables_pitr_enabled", + "ec2_ebs_volume_encryption", + "ec2_ebs_public_snapshot", + "ec2_ebs_default_encryption", + "ec2_instance_public_ip", + "efs_encryption_at_rest_enabled", + "efs_have_backup_enabled", + "elb_logging_enabled", + "elbv2_deletion_protection", + "elbv2_waf_acl_attached", + "elbv2_ssl_listeners", + "elb_ssl_listeners", + "emr_cluster_master_nodes_no_public_ip", + "opensearch_service_domains_encryption_at_rest_enabled", + "opensearch_service_domains_cloudwatch_logging_enabled", + "opensearch_service_domains_node_to_node_encryption_enabled", + "guardduty_is_enabled", + "iam_password_policy_minimum_length_14", + "iam_password_policy_lowercase", + "iam_password_policy_number", + "iam_password_policy_number", + "iam_password_policy_symbol", + "iam_password_policy_uppercase", + "iam_no_custom_policy_permissive_role_assumption", + "iam_policy_no_administrative_privileges", + "iam_root_hardware_mfa_enabled", + "iam_root_mfa_enabled", + "iam_no_root_access_key", + "iam_rotate_access_key_90_days", + "iam_user_mfa_enabled_console_access", + "iam_user_mfa_enabled_console_access", + "iam_disable_90_days_credentials", + "kms_cmk_rotation_enabled", + "awslambda_function_not_publicly_accessible", + "awslambda_function_not_publicly_accessible", + "cloudwatch_log_group_kms_encryption_enabled", + "cloudwatch_log_group_kms_encryption_enabled", + "rds_instance_enhanced_monitoring_enabled", + "rds_instance_backup_enabled", + "rds_instance_deletion_protection", + "rds_instance_storage_encrypted", + "rds_instance_backup_enabled", + "rds_instance_integration_cloudwatch_logs", + "rds_instance_multi_az", + "rds_instance_no_public_access", + "rds_instance_storage_encrypted", + "rds_snapshots_public_access", + "redshift_cluster_automated_snapshot", + "redshift_cluster_audit_logging", + "redshift_cluster_public_access", + 
"s3_bucket_default_encryption", + "s3_bucket_secure_transport_policy", + "s3_bucket_server_access_logging_enabled", + "s3_bucket_public_access", + "s3_bucket_policy_public_write_access", + "s3_bucket_object_versioning", + "s3_account_level_public_access_blocks", + "s3_bucket_public_access", + "sagemaker_training_jobs_volume_and_output_encryption_enabled", + "sagemaker_notebook_instance_without_direct_internet_access_configured", + "sagemaker_notebook_instance_encryption_enabled", + "secretsmanager_automatic_rotation_enabled", + "securityhub_enabled", + "sns_topics_kms_encryption_at_rest_enabled", + "vpc_endpoint_connections_trust_boundaries", + "ec2_securitygroup_default_restrict_traffic", + "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22", + "ec2_securitygroup_allow_ingress_from_internet_to_any_port" + ] + }, + { + "Id": "your_-urroundings-1", + "Name": "Your Surroundings-1", + "Description": "Learn who is on your network. Maintain inventories of network connections (user accounts, vendors, business partners, etc.).", + "Attributes": [ + { + "ItemId": "your-surroundings-1", + "Section": "your surroundings", + "Service": "aws" + } + ], + "Checks": [ + "ec2_elastic_ip_unassgined", + "vpc_flow_logs_enabled" + ] + }, + { + "Id": "your-surroundings-2", + "Name": "Your Surroundings-2", + "Description": "Leverage multi-factor authentication for all users, starting with privileged, administrative and remote access users.", + "Attributes": [ + { + "ItemId": "your-surroundings-2", + "Section": "your surroundings", + "Service": "aws" + } + ], + "Checks": [ + "iam_root_hardware_mfa_enabled", + "iam_root_mfa_enabled", + "iam_user_mfa_enabled_console_access" + ] + }, + { + "Id": "your-surroundings-3", + "Name": "Your Surroundings-3", + "Description": "Grant access and admin permissions based on need-to-know and least privilege.", + "Attributes": [ + { + "ItemId": "your-surroundings-3", + "Section": "your surroundings", + "Service": "aws" + } + ], + "Checks": [ + 
"elbv2_ssl_listeners", + "iam_no_custom_policy_permissive_role_assumption", + "iam_policy_no_administrative_privileges", + "iam_no_root_access_key" + ] + }, + { + "Id": "your-surroundings-4", + "Name": "Your Surroundings-4", + "Description": "Leverage unique passwords for all user accounts.", + "Attributes": [ + { + "ItemId": "your-surroundings-4", + "Section": "your surroundings", + "Service": "aws" + } + ], + "Checks": [ + "iam_password_policy_minimum_length_14", + "iam_password_policy_lowercase", + "iam_password_policy_number", + "iam_password_policy_number", + "iam_password_policy_symbol", + "iam_password_policy_uppercase" + ] + }, + { + "Id": "your-data-1", + "Name": "Your Data-1", + "Description": "Learn how your data is protected.", + "Attributes": [ + { + "ItemId": "your-data-1", + "Section": "your data", + "Service": "aws" + } + ], + "Checks": [ + "efs_encryption_at_rest_enabled", + "cloudtrail_kms_encryption_enabled", + "dynamodb_tables_kms_cmk_encryption_enabled", + "ec2_ebs_volume_encryption", + "ec2_ebs_default_encryption", + "opensearch_service_domains_encryption_at_rest_enabled", + "rds_instance_storage_encrypted", + "rds_instance_storage_encrypted", + "redshift_cluster_audit_logging", + "s3_bucket_default_encryption", + "sagemaker_training_jobs_volume_and_output_encryption_enabled", + "sagemaker_notebook_instance_encryption_enabled", + "sns_topics_kms_encryption_at_rest_enabled" + ] + }, + { + "Id": "your-data-2", + "Name": "Your Data-2", + "Description": "Learn what is happening on your network, manage network and perimeter components, host and device components, data-at-rest and in-transit, and user behavior activities.", + "Attributes": [ + { + "ItemId": "your-data-2", + "Section": "your data", + "Service": "aws" + } + ], + "Checks": [ + "acm_certificates_expiration_check", + "apigateway_client_certificate_enabled", + "apigateway_logging_enabled", + "efs_have_backup_enabled", + "cloudtrail_multi_region_enabled", + 
"cloudtrail_s3_dataevents_read_enabled", + "cloudtrail_s3_dataevents_write_enabled", + "cloudtrail_multi_region_enabled", + "cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled", + "cloudwatch_log_group_kms_encryption_enabled", + "dynamodb_tables_kms_cmk_encryption_enabled", + "ec2_ebs_volume_encryption", + "ec2_instance_public_ip", + "efs_encryption_at_rest_enabled", + "elb_logging_enabled", + "elbv2_waf_acl_attached", + "elbv2_ssl_listeners", + "elb_ssl_listeners", + "emr_cluster_master_nodes_no_public_ip", + "opensearch_service_domains_encryption_at_rest_enabled", + "opensearch_service_domains_cloudwatch_logging_enabled", + "opensearch_service_domains_node_to_node_encryption_enabled", + "awslambda_function_not_publicly_accessible", + "awslambda_function_not_publicly_accessible", + "cloudwatch_log_group_kms_encryption_enabled", + "rds_instance_storage_encrypted", + "rds_instance_integration_cloudwatch_logs", + "rds_instance_no_public_access", + "rds_snapshots_public_access", + "rds_snapshots_public_access", + "redshift_cluster_audit_logging", + "redshift_cluster_public_access", + "s3_bucket_default_encryption", + "s3_bucket_secure_transport_policy", + "redshift_cluster_public_access", + "s3_bucket_server_access_logging_enabled", + "s3_bucket_public_access", + "s3_bucket_policy_public_write_access", + "s3_account_level_public_access_blocks", + "s3_bucket_acl_prohibited", + "sagemaker_training_jobs_volume_and_output_encryption_enabled", + "sagemaker_notebook_instance_without_direct_internet_access_configured", + "sagemaker_notebook_instance_encryption_enabled", + "sns_topics_kms_encryption_at_rest_enabled", + "ec2_securitygroup_default_restrict_traffic", + "vpc_flow_logs_enabled", + "ec2_networkacl_allow_ingress_any_port", + "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22", + "ec2_securitygroup_allow_ingress_from_internet_to_any_port" + ] + }, + { + "Id": "your-data-3", + "Name": "Your Data-3", + "Description": "Domain 
name system protection.", + "Attributes": [ + { + "ItemId": "your-data-3", + "Section": "your data", + "Service": "aws" + } + ], + "Checks": [ + "elbv2_waf_acl_attached" + ] + }, + { + "Id": "your-data-4", + "Name": "Your Data-4", + "Description": "Establish regular automated backups and redundancies of key systems.", + "Attributes": [ + { + "ItemId": "your-data-4", + "Section": "your data", + "Service": "aws" + } + ], + "Checks": [ + "dynamodb_tables_pitr_enabled", + "efs_have_backup_enabled", + "elbv2_deletion_protection", + "rds_instance_backup_enabled", + "rds_instance_deletion_protection", + "rds_instance_backup_enabled", + "redshift_cluster_automated_snapshot", + "s3_bucket_object_versioning" + ] + }, + { + "Id": "your-data-5", + "Name": "Your Data-5", + "Description": "Leverage protections for backups, including physical security, encryption and offline copies.", + "Attributes": [ + { + "ItemId": "your-data-5", + "Section": "your data", + "Service": "aws" + } + ], + "Checks": [] + }, + { + "Id": "your-crisis-response-2", + "Name": "Your Crisis Response-2", + "Description": "Lead development of an internal reporting structure to detect, communicate and contain attacks.", + "Attributes": [ + { + "ItemId": "your-crisis-response-2", + "Section": "your crisis response", + "Service": "aws" + } + ], + "Checks": [ + "guardduty_is_enabled", + "securityhub_enabled" + ] + }, + { + "Id": "booting-up-thing-to-do-first-1", + "Name": "YBooting Up: Things to Do First-1", + "Description": "Lead development of an internal reporting structure to detect, communicate and contain attacks.", + "Attributes": [ + { + "ItemId": "booting-up-thing-to-do-first-1", + "Section": "booting up thing to do first", + "Service": "aws" + } + ], + "Checks": [ + "dynamodb_tables_pitr_enabled", + "dynamodb_tables_pitr_enabled", + "efs_have_backup_enabled", + "rds_instance_backup_enabled", + "rds_instance_backup_enabled", + "redshift_cluster_automated_snapshot", + "s3_bucket_object_versioning" + ] + 
}, + { + "Id": "booting-up-thing-to-do-first-2", + "Name": "YBooting Up: Things to Do First-2", + "Description": "Require multi-factor authentication (MFA) for accessing your systems whenever possible. MFA should be required of all users, but start with privileged, administrative, and remote access users.", + "Attributes": [ + { + "ItemId": "booting-up-thing-to-do-first-2", + "Section": "booting up thing to do first", + "Service": "aws" + } + ], + "Checks": [ + "iam_user_hardware_mfa_enabled", + "iam_root_mfa_enabled", + "iam_user_mfa_enabled_console_access", + "iam_user_hardware_mfa_enabled" + ] + }, + { + "Id": "booting-up-thing-to-do-first-3", + "Name": "YBooting Up: Things to Do First-3", + "Description": "Enable automatic updates whenever possible. Replace unsupported operating systems, applications and hardware. Test and deploy patches quickly.", + "Attributes": [ + { + "ItemId": "booting-up-thing-to-do-first-1", + "Section": "booting up thing to do first", + "Service": "aws" + } + ], + "Checks": [ + "rds_instance_minor_version_upgrade_enabled", + "redshift_cluster_automatic_upgrades", + "ssm_managed_compliant_patching" + ] + } + ] +} diff --git a/prowler/compliance/aws/ens_rd2022_aws.json b/prowler/compliance/aws/ens_rd2022_aws.json index 11c1461c..a866f9ef 100644 --- a/prowler/compliance/aws/ens_rd2022_aws.json +++ b/prowler/compliance/aws/ens_rd2022_aws.json @@ -2,6 +2,7 @@ "Framework": "ENS", "Version": "RD2022", "Provider": "AWS", + "Description": "The accreditation scheme of the ENS (National Security Scheme) has been developed by the Ministry of Finance and Public Administrations and the CCN (National Cryptological Center). This includes the basic principles and minimum requirements necessary for the adequate protection of information.", "Requirements": [ { "Id": "op.acc.1.aws.iam.2", diff --git a/prowler/compliance/aws/fedramp_low_revision_4_aws.json b/prowler/compliance/aws/fedramp_low_revision_4_aws.json new file mode 100644 index 00000000..726556cf 
--- /dev/null +++ b/prowler/compliance/aws/fedramp_low_revision_4_aws.json 
@@ -0,0 +1,440 @@ +{ + "Framework": "FedRAMP-Low-Revision-4", + "Version": "", + "Provider": "AWS", + "Description": "The Federal Risk and Authorization Management Program (FedRAMP) was established in 2011. It provides a cost-effective, risk-based approach for the adoption and use of cloud services by the U.S. federal government. FedRAMP empowers federal agencies to use modern cloud technologies, with an emphasis on the security and protection of federal information.", + "Requirements": [ + { + "Id": "ac-2", + "Name": "Account Management (AC-2)", + "Description": "Manage system accounts, group memberships, privileges, workflow, notifications, deactivations, and authorizations.", + "Attributes": [ + { + "ItemId": "ac-2", + "Section": "Access Control (AC)", + "Service": "aws" + } + ], + "Checks": [ + "apigateway_logging_enabled", + "cloudtrail_multi_region_enabled", + "cloudtrail_s3_dataevents_read_enabled", + "cloudtrail_s3_dataevents_write_enabled", + "cloudtrail_multi_region_enabled", + "cloudtrail_log_file_validation_enabled", + "cloudwatch_changes_to_network_acls_alarm_configured", + "opensearch_service_domains_cloudwatch_logging_enabled", + "guardduty_is_enabled", + "iam_password_policy_minimum_length_14", + "iam_policy_no_administrative_privileges", + "iam_policy_attached_only_to_group_or_roles", + "iam_policy_no_administrative_privileges", + "iam_root_hardware_mfa_enabled", + "iam_root_mfa_enabled", + "iam_no_root_access_key", + "iam_rotate_access_key_90_days", + "iam_user_mfa_enabled_console_access", + "iam_user_hardware_mfa_enabled", + "iam_disable_90_days_credentials", + "rds_instance_integration_cloudwatch_logs", + "redshift_cluster_audit_logging", + "s3_bucket_server_access_logging_enabled", + "securityhub_enabled" + ] + }, + { + "Id": "ac-3", + "Name": "Account Management (AC-3)", + "Description": "The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control 
policies.", + "Attributes": [ + { + "ItemId": "ac-3", + "Section": "Access Control (AC)", + "Service": "aws" + } + ], + "Checks": [ + "ec2_ebs_public_snapshot", + "ec2_instance_public_ip", + "ec2_instance_imdsv2_enabled", + "emr_cluster_master_nodes_no_public_ip", + "iam_policy_no_administrative_privileges", + "iam_policy_attached_only_to_group_or_roles", + "iam_policy_no_administrative_privileges", + "iam_no_root_access_key", + "iam_disable_90_days_credentials", + "awslambda_function_not_publicly_accessible", + "awslambda_function_url_public", + "rds_instance_no_public_access", + "rds_snapshots_public_access", + "redshift_cluster_public_access", + "s3_bucket_policy_public_write_access", + "s3_account_level_public_access_blocks", + "s3_bucket_public_access", + "sagemaker_notebook_instance_without_direct_internet_access_configured" + ] + }, + { + "Id": "ac-17", + "Name": "Remote Access (AC-17)", + "Description": "Authorize remote access systems prior to connection. Enforce remote connection requirements to information systems.", + "Attributes": [ + { + "ItemId": "ac-17", + "Section": "Access Control (AC)", + "Service": "aws" + } + ], + "Checks": [ + "acm_certificates_expiration_check", + "ec2_ebs_public_snapshot", + "ec2_instance_public_ip", + "elb_ssl_listeners", + "emr_cluster_master_nodes_no_public_ip", + "guardduty_is_enabled", + "awslambda_function_not_publicly_accessible", + "awslambda_function_url_public", + "rds_instance_no_public_access", + "rds_snapshots_public_access", + "redshift_cluster_public_access", + "s3_bucket_secure_transport_policy", + "s3_bucket_policy_public_write_access", + "s3_account_level_public_access_blocks", + "s3_bucket_public_access", + "sagemaker_notebook_instance_without_direct_internet_access_configured", + "securityhub_enabled", + "ec2_securitygroup_default_restrict_traffic", + "ec2_networkacl_allow_ingress_any_port", + "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22", + "ec2_networkacl_allow_ingress_any_port" + ] + 
}, + { + "Id": "au-2", + "Name": "Audit Events (AU-2)", + "Description": "The organization: a. Determines that the information system is capable of auditing the following events: [Assignment: organization-defined auditable events]; b. Coordinates the security audit function with other organizational entities requiring audit- related information to enhance mutual support and to help guide the selection of auditable events; c. Provides a rationale for why the auditable events are deemed to be adequate support after- the-fact investigations of security incidents", + "Attributes": [ + { + "ItemId": "au-2", + "Section": "Audit and Accountability (AU)", + "Service": "aws" + } + ], + "Checks": [ + "apigateway_logging_enabled", + "cloudtrail_multi_region_enabled", + "cloudtrail_s3_dataevents_read_enabled", + "cloudtrail_s3_dataevents_write_enabled", + "cloudtrail_multi_region_enabled", + "cloudtrail_log_file_validation_enabled", + "elbv2_logging_enabled", + "rds_instance_integration_cloudwatch_logs", + "redshift_cluster_audit_logging", + "s3_bucket_server_access_logging_enabled", + "vpc_flow_logs_enabled" + ] + }, + { + "Id": "au-9", + "Name": "Protection of Audit Information (AU-9)", + "Description": "The information system protects audit information and audit tools from unauthorized access, modification, and deletion.", + "Attributes": [ + { + "ItemId": "au-9", + "Section": "Audit and Accountability (AU)", + "Service": "aws" + } + ], + "Checks": [ + "cloudtrail_kms_encryption_enabled", + "cloudtrail_log_file_validation_enabled", + "cloudwatch_log_group_kms_encryption_enabled", + "s3_bucket_object_versioning" + ] + }, + { + "Id": "au-11", + "Name": "Audit Record Retention (AU-11)", + "Description": "The organization retains audit records for at least 90 days to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.", + "Attributes": [ + { + "ItemId": "au-11", + "Section": "Audit 
and Accountability (AU)", + "Service": "aws" + } + ], + "Checks": [ + "cloudwatch_log_group_retention_policy_specific_days_enabled" + ] + }, + { + "Id": "ca-7", + "Name": "Continuous Monitoring (CA-7)", + "Description": "Continuously monitor configuration management processes. Determine security impact, environment and operational risks.", + "Attributes": [ + { + "ItemId": "ca-7", + "Section": "Security Assessment And Authorization (CA)", + "Service": "aws" + } + ], + "Checks": [ + "cloudtrail_multi_region_enabled", + "cloudtrail_s3_dataevents_read_enabled", + "cloudtrail_s3_dataevents_write_enabled", + "cloudtrail_multi_region_enabled", + "cloudwatch_changes_to_network_acls_alarm_configured", + "ec2_instance_imdsv2_enabled", + "elbv2_waf_acl_attached", + "guardduty_is_enabled", + "rds_instance_enhanced_monitoring_enabled", + "redshift_cluster_audit_logging", + "securityhub_enabled" + ] + }, + { + "Id": "cm-2", + "Name": "Baseline Configuration (CM-2)", + "Description": "The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system.", + "Attributes": [ + { + "ItemId": "cm-2", + "Section": "Configuration Management (CM)", + "Service": "aws" + } + ], + "Checks": [ + "apigateway_waf_acl_attached", + "ec2_ebs_public_snapshot", + "ec2_instance_public_ip", + "ec2_instance_older_than_specific_days", + "elbv2_deletion_protection", + "emr_cluster_master_nodes_no_public_ip", + "awslambda_function_not_publicly_accessible", + "awslambda_function_url_public", + "rds_instance_no_public_access", + "rds_snapshots_public_access", + "redshift_cluster_public_access", + "s3_bucket_public_access", + "s3_bucket_policy_public_write_access", + "s3_account_level_public_access_blocks", + "s3_bucket_public_access", + "sagemaker_notebook_instance_without_direct_internet_access_configured", + "ssm_managed_compliant_patching", + "ec2_securitygroup_default_restrict_traffic", + "ec2_networkacl_allow_ingress_any_port", + 
"ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22", + "ec2_networkacl_allow_ingress_any_port" + ] + }, + { + "Id": "cm-8", + "Name": "Information System Component Inventory (CM-8)", + "Description": "The organization develops and documents an inventory of information system components that accurately reflects the current information system, includes all components within the authorization boundary of the information system, is at the level of granularity deemed necessary for tracking and reporting and reviews and updates the information system component inventory.", + "Attributes": [ + { + "ItemId": "cm-8", + "Section": "Configuration Management (CM)", + "Service": "aws" + } + ], + "Checks": [ + "ec2_instance_managed_by_ssm", + "guardduty_is_enabled", + "ssm_managed_compliant_patching", + "ssm_managed_compliant_patching" + ] + }, + { + "Id": "cp-9", + "Name": "Information System Backup (CP-9)", + "Description": "The organization conducts backups of user-level information, system-level information and information system documentation including security-related documentation contained in the information system and protects the confidentiality, integrity, and availability of backup information at storage locations.", + "Attributes": [ + { + "ItemId": "cp-9", + "Section": "Contingency Planning (CP)", + "Service": "aws" + } + ], + "Checks": [ + "dynamodb_tables_pitr_enabled", + "dynamodb_tables_pitr_enabled", + "efs_have_backup_enabled", + "rds_instance_backup_enabled", + "rds_instance_backup_enabled", + "redshift_cluster_automated_snapshot", + "s3_bucket_object_versioning" + ] + }, + { + "Id": "cp-10", + "Name": "Information System Recovery And Reconstitution (CP-10)", + "Description": "The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure.", + "Attributes": [ + { + "ItemId": "cp-10", + "Section": "Contingency Planning (CP)", + "Service": "aws" + } + ], + "Checks": 
[ + "dynamodb_tables_pitr_enabled", + "dynamodb_tables_pitr_enabled", + "efs_have_backup_enabled", + "elbv2_deletion_protection", + "rds_instance_backup_enabled", + "rds_instance_multi_az", + "rds_instance_backup_enabled", + "redshift_cluster_automated_snapshot", + "s3_bucket_object_versioning" + ] + }, + { + "Id": "ia-2", + "Name": "Identification and Authentication (Organizational users) (IA-2)", + "Description": "The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).", + "Attributes": [ + { + "ItemId": "ia-2", + "Section": "Identification and Authentication (IA)", + "Service": "aws" + } + ], + "Checks": [ + "iam_password_policy_minimum_length_14", + "iam_root_hardware_mfa_enabled", + "iam_root_mfa_enabled", + "iam_no_root_access_key", + "iam_user_mfa_enabled_console_access", + "iam_user_mfa_enabled_console_access" + ] + }, + { + "Id": "ir-4", + "Name": "Incident Handling (IR-4)", + "Description": "The organization implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery, coordinates incident handling activities with contingency planning activities and incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implements the resulting changes accordingly.", + "Attributes": [ + { + "ItemId": "ir-4", + "Section": "Incident Response (IR)", + "Service": "aws" + } + ], + "Checks": [ + "cloudwatch_changes_to_network_acls_alarm_configured", + "cloudwatch_changes_to_network_gateways_alarm_configured", + "cloudwatch_changes_to_network_route_tables_alarm_configured", + "cloudwatch_changes_to_vpcs_alarm_configured", + "guardduty_is_enabled", + "guardduty_no_high_severity_findings", + "securityhub_enabled" + ] + }, + { + "Id": "sa-3", + "Name": "System Development Life Cycle (SA-3)", + "Description": "The organization 
manages the information system using organization-defined system development life cycle, defines and documents information security roles and responsibilities throughout the system development life cycle, identifies individuals having information security roles and responsibilities and integrates the organizational information security risk management process into system development life cycle activities.", + "Attributes": [ + { + "ItemId": "sa-3", + "Section": "System and Services Acquisition (SA)", + "Service": "aws" + } + ], + "Checks": [ + "ec2_instance_managed_by_ssm" + ] + }, + { + "Id": "sc-5", + "Name": "Denial Of Service Protection (SC-5)", + "Description": "The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined types of denial of service attacks or references to sources for such information] by employing [Assignment: organization-defined security safeguards].", + "Attributes": [ + { + "ItemId": "sc-5", + "Section": "System and Communications Protection (SC)", + "Service": "aws" + } + ], + "Checks": [ + "dynamodb_tables_pitr_enabled", + "elbv2_deletion_protection", + "guardduty_is_enabled", + "rds_instance_backup_enabled", + "rds_instance_deletion_protection", + "rds_instance_multi_az", + "redshift_cluster_automated_snapshot", + "s3_bucket_object_versioning" + ] + }, + { + "Id": "sc-7", + "Name": "Boundary Protection (SC-7)", + "Description": "The information system: a. Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; b. Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and c. 
Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.", + "Attributes": [ + { + "ItemId": "sc-7", + "Section": "System and Communications Protection (SC)", + "Service": "aws" + } + ], + "Checks": [ + "ec2_ebs_public_snapshot", + "ec2_instance_public_ip", + "elbv2_waf_acl_attached", + "elb_ssl_listeners", + "emr_cluster_master_nodes_no_public_ip", + "opensearch_service_domains_node_to_node_encryption_enabled", + "awslambda_function_not_publicly_accessible", + "awslambda_function_url_public", + "rds_instance_no_public_access", + "rds_snapshots_public_access", + "redshift_cluster_public_access", + "s3_bucket_secure_transport_policy", + "s3_bucket_public_access", + "s3_bucket_policy_public_write_access", + "s3_account_level_public_access_blocks", + "s3_bucket_public_access", + "sagemaker_notebook_instance_without_direct_internet_access_configured", + "ec2_securitygroup_default_restrict_traffic", + "ec2_networkacl_allow_ingress_any_port", + "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22", + "ec2_networkacl_allow_ingress_any_port" + ] + }, + { + "Id": "sc-12", + "Name": "Cryptographic Key Establishment And Management (SC-12)", + "Description": "The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction].", + "Attributes": [ + { + "ItemId": "sc-12", + "Section": "System and Communications Protection (SC)", + "Service": "aws" + } + ], + "Checks": [ + "acm_certificates_expiration_check", + "kms_cmk_rotation_enabled" + ] + }, + { + "Id": "sc-13", + "Name": "Use of Cryptography (SC-13)", + "Description": "The information system implements FIPS-validated or NSA-approved cryptography in accordance with applicable federal laws, 
Executive Orders, directives, policies, regulations, and standards.", + "Attributes": [ + { + "ItemId": "sc-13", + "Section": "System and Communications Protection (SC)", + "Service": "aws" + } + ], + "Checks": [ + "s3_bucket_default_encryption", + "sagemaker_training_jobs_volume_and_output_encryption_enabled", + "sagemaker_notebook_instance_encryption_enabled", + "sns_topics_kms_encryption_at_rest_enabled" + ] + } + ] +} diff --git a/prowler/compliance/aws/fedramp_moderate_revision_4_aws.json b/prowler/compliance/aws/fedramp_moderate_revision_4_aws.json new file mode 100644 index 00000000..53635159 --- /dev/null +++ b/prowler/compliance/aws/fedramp_moderate_revision_4_aws.json 
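Review bot: Several requirements in this new FedRAMP Low file list the same check twice inside one `Checks` array — `cloudtrail_multi_region_enabled` and `iam_policy_no_administrative_privileges` in ac-2, `ec2_networkacl_allow_ingress_any_port` in ac-17, cm-2 and sc-7, `s3_bucket_public_access` in cm-2 and sc-7, `dynamodb_tables_pitr_enabled` and `rds_instance_backup_enabled` in cp-9 and cp-10, `ssm_managed_compliant_patching` in cm-8, `iam_user_mfa_enabled_console_access` in ia-2 — so whatever tallies findings per requirement will presumably count those results twice and skew the pass/fail ratio. The second `ec2_networkacl_allow_ingress_any_port` sitting right after `ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22` looks like a copy slip for `ec2_securitygroup_allow_ingress_from_internet_to_any_port`, which the guardrails file earlier in this commit pairs with the port-22 check, so I would confirm the intended mapping before simply deduplicating. Two labels also look wrong: ac-3 is named `"Account Management (AC-3)"` although AC-3 is Access Enforcement (the moderate file that follows names it `"Access Enforcement (AC-3)"`), and `"Version": ""` is left empty while the revision is baked into the Framework string. That Framework string is `FedRAMP-Low-Revision-4` here but `FedRamp-Moderate-Revision-4` in the moderate file; if the name is ever used as a case-sensitive key for `--compliance` selection or report grouping, the mismatched casing will bite, so I would settle on one spelling across both files.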
@@ -0,0 +1,1431 @@
+{
+ "Framework": "FedRamp-Moderate-Revision-4",
+ "Version": "",
+ "Provider": "AWS",
+ "Description": "The Federal Risk and Authorization Management Program (FedRAMP) was established in 2011. It provides a cost-effective, risk-based approach for the adoption and use of cloud services by the U.S. federal government. FedRAMP empowers federal agencies to use modern cloud technologies, with an emphasis on the security and protection of federal information.",
+ "Requirements": [
+ {
+ "Id": "ac-2-1",
+ "Name": "AC-2(1) Automated System Account Management",
+ "Description": "The organization employs automated mechanisms to support the management of information system accounts.",
+ "Attributes": [
+ {
+ "ItemId": "ac-2-1",
+ "Section": "Access Control (AC)",
+ "SubSection": "Account Management (AC-2)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "guardduty_is_enabled",
+ "iam_password_policy_minimum_length_14",
+ "iam_policy_attached_only_to_group_or_roles",
+ "iam_policy_no_administrative_privileges",
+ "iam_root_hardware_mfa_enabled",
+ "iam_root_mfa_enabled",
+ "iam_no_root_access_key",
+ "iam_rotate_access_key_90_days",
+ "iam_user_mfa_enabled_console_access",
+ "iam_user_mfa_enabled_console_access",
+ "iam_disable_90_days_credentials",
+ "securityhub_enabled"
+ ]
+ },
+ {
+ "Id": "ac-2-4",
+ "Name": "AC-2(4) Automated Audit Actions",
+ "Description": "The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies [Assignment: organization-defined personnel or roles].",
+ "Attributes": [
+ {
+ "ItemId": "ac-2-4",
+ "Section": "Access Control (AC)",
+ "SubSection": "Account Management (AC-2)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "cloudtrail_multi_region_enabled",
+ "cloudtrail_s3_dataevents_read_enabled",
+ "cloudtrail_s3_dataevents_write_enabled",
+ "cloudtrail_multi_region_enabled",
+ "cloudtrail_cloudwatch_logging_enabled",
+ "cloudwatch_changes_to_network_acls_alarm_configured",
+ "cloudwatch_changes_to_network_gateways_alarm_configured",
+ "cloudwatch_changes_to_network_route_tables_alarm_configured",
+ "cloudwatch_changes_to_vpcs_alarm_configured",
+ "guardduty_is_enabled",
+ "rds_instance_integration_cloudwatch_logs",
+ "redshift_cluster_audit_logging",
+ "s3_bucket_server_access_logging_enabled",
+ "securityhub_enabled"
+ ]
+ },
+ {
+ "Id": "ac-2-12-a",
+ "Name": "AC-2(12)(a)",
+ "Description": "The organization: a. Monitors information system accounts for [Assignment: organization-defined atypical use].",
+ "Attributes": [
+ {
+ "ItemId": "ac-2-12-a",
+ "Section": "Access Control (AC)",
+ "SubSection": "Account Management (AC-2)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "guardduty_is_enabled",
+ "securityhub_enabled"
+ ]
+ },
+ {
+ "Id": "ac-2-f",
+ "Name": "AC-2(f)",
+ "Description": "The organization: f. Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions].",
+ "Attributes": [
+ {
+ "ItemId": "ac-2-f",
+ "Section": "Access Control (AC)",
+ "SubSection": "Account Management (AC-2)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "iam_password_policy_minimum_length_14",
+ "iam_policy_no_administrative_privileges",
+ "iam_policy_attached_only_to_group_or_roles",
+ "iam_policy_no_administrative_privileges",
+ "iam_root_hardware_mfa_enabled",
+ "iam_root_mfa_enabled",
+ "iam_no_root_access_key",
+ "iam_rotate_access_key_90_days",
+ "iam_user_mfa_enabled_console_access",
+ "iam_user_mfa_enabled_console_access",
+ "iam_disable_90_days_credentials"
+ ]
+ },
+ {
+ "Id": "ac-2-g",
+ "Name": "AC-2(g)",
+ "Description": "The organization: g. Monitors the use of information system accounts.",
+ "Attributes": [
+ {
+ "ItemId": "ac-2-g",
+ "Section": "Access Control (AC)",
+ "SubSection": "Account Management (AC-2)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "apigateway_logging_enabled",
+ "cloudtrail_multi_region_enabled",
+ "cloudtrail_s3_dataevents_read_enabled",
+ "cloudtrail_s3_dataevents_write_enabled",
+ "cloudtrail_multi_region_enabled",
+ "cloudtrail_cloudwatch_logging_enabled",
+ "opensearch_service_domains_cloudwatch_logging_enabled",
+ "guardduty_is_enabled",
+ "rds_instance_integration_cloudwatch_logs",
+ "redshift_cluster_audit_logging",
+ "s3_bucket_server_access_logging_enabled",
+ "securityhub_enabled"
+ ]
+ },
+ {
+ "Id": "ac-2-j",
+ "Name": "AC-2(j)",
+ "Description": "The organization: j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency].",
+ "Attributes": [
+ {
+ "ItemId": "ac-2-j",
+ "Section": "Access Control (AC)",
+ "SubSection": "Account Management (AC-2)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "iam_password_policy_minimum_length_14",
+ "iam_policy_no_administrative_privileges",
+ "iam_policy_attached_only_to_group_or_roles",
+ "iam_policy_no_administrative_privileges",
+ "iam_root_mfa_enabled",
+ "iam_no_root_access_key",
+ "iam_rotate_access_key_90_days",
+ "iam_user_mfa_enabled_console_access",
+ "iam_user_mfa_enabled_console_access",
+ "iam_disable_90_days_credentials"
+ ]
+ },
+ {
+ "Id": "ac-2-3",
+ "Name": "AC-2-3",
+ "Description": "The information system automatically disables inactive accounts after 90 days for user accounts.",
+ "Attributes": [
+ {
+ "ItemId": "ac-2-3",
+ "Section": "Access Control (AC)",
+ "SubSection": "Account Management (AC-2)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "iam_password_policy_minimum_length_14",
+ "iam_disable_90_days_credentials"
+ ]
+ },
+ {
+ "Id": "ac-3",
+ "Name": "Access Enforcement (AC-3)",
+ "Description": "The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.",
+ "Attributes": [
+ {
+ "ItemId": "ac-3",
+ "Section": "Access Control (AC)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "ec2_ebs_public_snapshot",
+ "ec2_instance_public_ip",
+ "ec2_instance_imdsv2_enabled",
+ "emr_cluster_master_nodes_no_public_ip",
+ "iam_policy_no_administrative_privileges",
+ "iam_policy_attached_only_to_group_or_roles",
+ "iam_policy_no_administrative_privileges",
+ "iam_no_root_access_key",
+ "iam_disable_90_days_credentials",
+ "awslambda_function_not_publicly_accessible",
+ "awslambda_function_url_public",
+ "rds_instance_no_public_access",
+ "rds_snapshots_public_access",
+ "redshift_cluster_public_access",
+ "s3_bucket_public_access",
+ "s3_bucket_policy_public_write_access",
+ "s3_account_level_public_access_blocks",
+ "s3_bucket_public_access",
+ "sagemaker_notebook_instance_without_direct_internet_access_configured"
+ ]
+ },
+ {
+ "Id": "ac-4",
+ "Name": "Information Flow Enforcement (AC-4)",
+ "Description": "The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on organization-defined information flow control policies.",
+ "Attributes": [
+ {
+ "ItemId": "ac-4",
+ "Section": "Access Control (AC)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "acm_certificates_expiration_check",
+ "ec2_ebs_public_snapshot",
+ "ec2_instance_public_ip",
+ "emr_cluster_master_nodes_no_public_ip",
+ "awslambda_function_not_publicly_accessible",
+ "awslambda_function_url_public",
+ "rds_instance_no_public_access",
+ "rds_snapshots_public_access",
+ "redshift_cluster_public_access",
+ "s3_bucket_public_access",
+ "s3_bucket_policy_public_write_access",
+ "sagemaker_notebook_instance_without_direct_internet_access_configured",
+ "ec2_securitygroup_default_restrict_traffic",
+ "ec2_networkacl_allow_ingress_any_port",
+ "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
+ "ec2_networkacl_allow_ingress_any_port"
+ ]
+ },
+ {
+ "Id": "ac-5-c",
+ "Name": "AC-5(c)",
+ "Description": "The organization: c. Defines information system access authorizations to support separation of duties.",
+ "Attributes": [
+ {
+ "ItemId": "ac-5-c",
+ "Section": "Access Control (AC)",
+ "SubSection": "Separation Of Duties (AC-5)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "iam_password_policy_minimum_length_14",
+ "iam_policy_no_administrative_privileges",
+ "iam_policy_attached_only_to_group_or_roles",
+ "iam_policy_no_administrative_privileges",
+ "iam_no_root_access_key",
+ "iam_disable_90_days_credentials"
+ ]
+ },
+ {
+ "Id": "ac-6-10",
+ "Name": "AC-6(10) Prohibit Non-Privileged Users From Executing Privileged Functions",
+ "Description": "The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.",
+ "Attributes": [
+ {
+ "ItemId": "ac-6-10",
+ "Section": "Access Control (AC)",
+ "SubSection": "Least Privilege (AC-6)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "iam_policy_no_administrative_privileges",
+ "iam_policy_no_administrative_privileges",
+ "iam_no_root_access_key"
+ ]
+ },
+ {
+ "Id": "ac-6",
+ "Name": "Least Privilege (AC-6)",
+ "Description": "The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.",
+ "Attributes": [
+ {
+ "ItemId": "ac-6",
+ "Section": "Access Control (AC)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "ec2_ebs_public_snapshot",
+ "ec2_instance_public_ip",
+ "ec2_instance_imdsv2_enabled",
+ "emr_cluster_master_nodes_no_public_ip",
+ "iam_policy_no_administrative_privileges",
+ "iam_no_root_access_key",
+ "iam_disable_90_days_credentials",
+ "awslambda_function_not_publicly_accessible",
+ "awslambda_function_url_public",
+ "rds_instance_no_public_access",
+ "rds_snapshots_public_access",
+ "redshift_cluster_public_access",
+ "s3_bucket_public_access",
+ "s3_bucket_policy_public_write_access",
+ "s3_account_level_public_access_blocks",
+ "s3_bucket_public_access",
+ "sagemaker_notebook_instance_without_direct_internet_access_configured"
+ ]
+ },
+ {
+ "Id": "ac-17-1",
+ "Name": "AC-17(1) Automated Monitoring/Control",
+ "Description": "The information system monitors and controls remote access methods.",
+ "Attributes": [
+ {
+ "ItemId": "ac-17-1",
+ "Section": "Access Control (AC)",
+ "SubSection": "Remote Access (AC-17)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "ec2_ebs_public_snapshot",
+ "ec2_instance_public_ip",
+ "emr_cluster_master_nodes_no_public_ip",
+ "guardduty_is_enabled",
+ "awslambda_function_not_publicly_accessible",
+ "awslambda_function_url_public",
+ "rds_instance_no_public_access",
+ "rds_snapshots_public_access",
+ "redshift_cluster_public_access",
+ "s3_bucket_public_access",
+ "s3_bucket_policy_public_write_access",
+ "s3_account_level_public_access_blocks",
+ "s3_bucket_public_access",
+ "sagemaker_notebook_instance_without_direct_internet_access_configured",
+ "securityhub_enabled",
+ "ec2_securitygroup_default_restrict_traffic",
+ "ec2_networkacl_allow_ingress_any_port",
+ "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
+ "ec2_networkacl_allow_ingress_any_port"
+ ]
+ },
+ {
+ "Id": "ac-17-2",
+ "Name": "AC-17(2) Protection Of Confidentiality/Integrity Using Encryption",
+ "Description": "The information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.",
+ "Attributes": [
+ {
+ "ItemId": "ac-17-2",
+ "Section": "Access Control (AC)",
+ "SubSection": "Remote Access (AC-17)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "acm_certificates_expiration_check",
+ "elb_ssl_listeners",
+ "s3_bucket_secure_transport_policy"
+ ]
+ },
+ {
+ "Id": "ac-21-b",
+ "Name": "AC-21(b)",
+ "Description": "The organization: b. Employs [Assignment: organization-defined automated mechanisms or manual processes] to assist users in making information sharing/collaboration decisions.",
+ "Attributes": [
+ {
+ "ItemId": "ac-21-b",
+ "Section": "Access Control (AC)",
+ "SubSection": "Information Sharing (AC-21)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "ec2_ebs_public_snapshot",
+ "ec2_instance_public_ip",
+ "emr_cluster_master_nodes_no_public_ip",
+ "awslambda_function_url_public",
+ "rds_instance_no_public_access",
+ "rds_snapshots_public_access",
+ "redshift_cluster_public_access",
+ "s3_bucket_public_access",
+ "s3_bucket_policy_public_write_access",
+ "s3_account_level_public_access_blocks",
+ "s3_bucket_public_access",
+ "sagemaker_notebook_instance_without_direct_internet_access_configured",
+ "ec2_securitygroup_default_restrict_traffic",
+ "ec2_networkacl_allow_ingress_any_port",
+ "ec2_networkacl_allow_ingress_any_port"
+ ]
+ },
+ {
+ "Id": "au-2-a-d",
+ "Name": "AU-2(a)(d)",
+ "Description": "The organization: a. Determines that the information system is capable of auditing the following events: Successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes. d. Determines that the following events are to be audited within the information system: [organization-defined subset of the auditable events defined in AU-2 a to be audited continually for each identified event].",
+ "Attributes": [
+ {
+ "ItemId": "au-2-a-d",
+ "Section": "Audit and Accountability (AU)",
+ "SubSection": "Audit Events (AU-2)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "apigateway_logging_enabled",
+ "cloudtrail_multi_region_enabled",
+ "cloudtrail_s3_dataevents_read_enabled",
+ "cloudtrail_s3_dataevents_write_enabled",
+ "cloudtrail_multi_region_enabled",
+ "cloudtrail_cloudwatch_logging_enabled",
+ "elbv2_logging_enabled",
+ "elb_logging_enabled",
+ "rds_instance_integration_cloudwatch_logs",
+ "redshift_cluster_audit_logging",
+ "s3_bucket_server_access_logging_enabled",
+ "vpc_flow_logs_enabled"
+ ]
+ },
+ {
+ "Id": "au-3",
+ "Name": "Content of Audit Records (AU-3)",
+ "Description": "The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event.",
+ "Attributes": [
+ {
+ "ItemId": "au-3",
+ "Section": "Audit and Accountability (AU)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "apigateway_logging_enabled",
+ "cloudtrail_multi_region_enabled",
+ "cloudtrail_s3_dataevents_read_enabled",
+ "cloudtrail_s3_dataevents_write_enabled",
+ "cloudtrail_multi_region_enabled",
+ "cloudtrail_cloudwatch_logging_enabled",
+ "elbv2_logging_enabled",
+ "elb_logging_enabled",
+ "rds_instance_integration_cloudwatch_logs",
+ "redshift_cluster_audit_logging",
+ "s3_bucket_server_access_logging_enabled",
+ "vpc_flow_logs_enabled"
+ ]
+ },
+ {
+ "Id": "au-6-1-3",
+ "Name": "AU-6(1)(3)",
+ "Description": "(1) The organization employs automated mechanisms to integrate audit review, analysis, and reporting processes to support organizational 
processes for investigation and response to suspicious activities. (3) The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness.", + "Attributes": [ + { + "ItemId": "au-6-1-3", + "Section": "Audit and Accountability (AU)", + "SubSection": "Audit Review, Analysis And Reporting (AU-6)", + "Service": "aws" + } + ], + "Checks": [ + "apigateway_logging_enabled", + "cloudtrail_multi_region_enabled", + "cloudtrail_s3_dataevents_read_enabled", + "cloudtrail_s3_dataevents_write_enabled", + "cloudtrail_multi_region_enabled", + "cloudtrail_cloudwatch_logging_enabled", + "cloudwatch_changes_to_network_acls_alarm_configured", + "cloudwatch_changes_to_network_gateways_alarm_configured", + "cloudwatch_changes_to_network_route_tables_alarm_configured", + "cloudwatch_changes_to_vpcs_alarm_configured", + "cloudwatch_log_group_retention_policy_specific_days_enabled", + "elbv2_logging_enabled", + "elb_logging_enabled", + "guardduty_is_enabled", + "rds_instance_integration_cloudwatch_logs", + "redshift_cluster_audit_logging", + "s3_bucket_server_access_logging_enabled", + "securityhub_enabled", + "vpc_flow_logs_enabled" + ] + }, + { + "Id": "au-7-1", + "Name": "AU-7(1) Automatic Processing", + "Description": "The information system provides the capability to process audit records for events of interest based on [Assignment: organization-defined audit fields within audit records].", + "Attributes": [ + { + "ItemId": "au-7-1", + "Section": "Audit and Accountability (AU)", + "SubSection": "Audit Reduction And Report Generation (AU-7)", + "Service": "aws" + } + ], + "Checks": [ + "cloudtrail_cloudwatch_logging_enabled", + "cloudwatch_changes_to_network_acls_alarm_configured", + "cloudwatch_changes_to_network_gateways_alarm_configured", + "cloudwatch_changes_to_network_route_tables_alarm_configured", + "cloudwatch_changes_to_vpcs_alarm_configured" + ] + }, + { + "Id": "au-9-2", + "Name": "AU-9(2) Audit Backup On 
Separate Physical Systems / Components", + "Description": "The information system backs up audit records at least weekly onto a physically different system or system component than the system or component being audited.", + "Attributes": [ + { + "ItemId": "au-9-2", + "Section": "Audit and Accountability (AU)", + "SubSection": "Protection of Audit Information (AU-9)", + "Service": "aws" + } + ], + "Checks": [ + "s3_bucket_object_versioning" + ] + }, + { + "Id": "au-9", + "Name": "Protection of Audit Information (AU-9)", + "Description": "The information system protects audit information and audit tools from unauthorized access, modification, and deletion.", + "Attributes": [ + { + "ItemId": "au-9", + "Section": "Audit and Accountability (AU)", + "Service": "aws" + } + ], + "Checks": [ + "cloudtrail_kms_encryption_enabled", + "cloudtrail_log_file_validation_enabled", + "cloudwatch_log_group_kms_encryption_enabled" + ] + }, + { + "Id": "au-11", + "Name": "Audit Record Retention (AU-11)", + "Description": "The organization retains audit records for at least 90 days to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.", + "Attributes": [ + { + "ItemId": "au-11", + "Section": "Audit and Accountability (AU)", + "Service": "aws" + } + ], + "Checks": [ + "cloudwatch_log_group_retention_policy_specific_days_enabled" + ] + }, + { + "Id": "au-12-a-c", + "Name": "AU-12(a)(c)", + "Description": "The information system: a. Provides audit record generation capability for the auditable events defined in AU-2 a. at all information system and network components where audit capability is deployed/available c. Generates audit records for the events defined in AU-2 d. 
with the content defined in AU-3.", + "Attributes": [ + { + "ItemId": "au-12-a-c", + "Section": "Audit and Accountability (AU)", + "SubSection": "Audit Generation (AU-12)", + "Service": "aws" + } + ], + "Checks": [ + "apigateway_logging_enabled", + "cloudtrail_multi_region_enabled", + "cloudtrail_s3_dataevents_read_enabled", + "cloudtrail_s3_dataevents_write_enabled", + "cloudtrail_multi_region_enabled", + "cloudtrail_cloudwatch_logging_enabled", + "elbv2_logging_enabled", + "elb_logging_enabled", + "rds_instance_integration_cloudwatch_logs", + "redshift_cluster_audit_logging", + "s3_bucket_server_access_logging_enabled", + "vpc_flow_logs_enabled" + ] + }, + { + "Id": "ca-7-a-b", + "Name": "CA-7(a)(b)", + "Description": "The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: a. Establishment of [Assignment: organization-defined metrics] to be monitored; b. Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring.", + "Attributes": [ + { + "ItemId": "ca-7-a-b", + "Section": "Security Assessment And Authorization (CA)", + "SubSection": "Continuous Monitoring (CA-7)", + "Service": "aws" + } + ], + "Checks": [ + "cloudtrail_multi_region_enabled", + "cloudtrail_s3_dataevents_read_enabled", + "cloudtrail_s3_dataevents_write_enabled", + "cloudtrail_multi_region_enabled", + "cloudwatch_changes_to_network_acls_alarm_configured", + "cloudwatch_changes_to_network_gateways_alarm_configured", + "cloudwatch_changes_to_network_route_tables_alarm_configured", + "cloudwatch_changes_to_vpcs_alarm_configured", + "ec2_instance_imdsv2_enabled", + "guardduty_is_enabled", + "rds_instance_enhanced_monitoring_enabled", + "redshift_cluster_audit_logging", + "securityhub_enabled" + ] + }, + { + "Id": "cm-2", + "Name": "Baseline Configuration (CM-2)", + "Description": "The organization develops, documents, and 
maintains under configuration control, a current baseline configuration of the information system.", + "Attributes": [ + { + "ItemId": "cm-2", + "Section": "Configuration Management (CM)", + "Service": "aws" + } + ], + "Checks": [ + "apigateway_waf_acl_attached", + "ec2_ebs_public_snapshot", + "ec2_instance_public_ip", + "ec2_instance_managed_by_ssm", + "ec2_instance_older_than_specific_days", + "elbv2_waf_acl_attached", + "emr_cluster_master_nodes_no_public_ip", + "awslambda_function_not_publicly_accessible", + "awslambda_function_url_public", + "rds_instance_no_public_access", + "rds_snapshots_public_access", + "redshift_cluster_public_access", + "s3_bucket_public_access", + "s3_bucket_policy_public_write_access", + "s3_account_level_public_access_blocks", + "s3_bucket_public_access", + "sagemaker_notebook_instance_without_direct_internet_access_configured", + "ssm_managed_compliant_patching", + "ec2_securitygroup_default_restrict_traffic", + "ec2_networkacl_allow_ingress_any_port", + "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22", + "ec2_networkacl_allow_ingress_any_port" + ] + }, + { + "Id": "cm-7-a", + "Name": "CM-7(a)", + "Description": "The organization: a. 
Configures the information system to provide only essential capabilities.", + "Attributes": [ + { + "ItemId": "cm-7-a", + "Section": "Configuration Management (CM)", + "SubSection": "Least Functionality (CM-7)", + "Service": "aws" + } + ], + "Checks": [ + "ec2_instance_managed_by_ssm", + "ssm_managed_compliant_patching" + ] + }, + { + "Id": "cm-8-1", + "Name": "CM-8(1)", + "Description": "The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates.", + "Attributes": [ + { + "ItemId": "cm-8-1", + "Section": "Configuration Management (CM)", + "SubSection": "Information System Component Inventory (CM-8)", + "Service": "aws" + } + ], + "Checks": [ + "ec2_instance_managed_by_ssm", + "ssm_managed_compliant_patching" + ] + }, + { + "Id": "cm-8-3-a", + "Name": "CM-8(3)(a)", + "Description": "The organization: a. Employs automated mechanisms continuously, using automated mechanisms with a maximum five-minute delay in detection, to detect the presence of unauthorized hardware, software, and firmware components within the information system", + "Attributes": [ + { + "ItemId": "cm-8-3-a", + "Section": "Configuration Management (CM)", + "SubSection": "Information System Component Inventory (CM-8)", + "Service": "aws" + } + ], + "Checks": [ + "ec2_instance_managed_by_ssm", + "guardduty_is_enabled", + "ssm_managed_compliant_patching", + "ssm_managed_compliant_patching" + ] + }, + { + "Id": "cp-9-b", + "Name": "CP-9(b))", + "Description": "The organization: b. 
Conducts backups of system-level information contained in the information system (daily incremental; weekly full).", + "Attributes": [ + { + "ItemId": "cp-9-b", + "Section": "Contingency Planning (CP)", + "SubSection": "Information System Backup (CP-9)", + "Service": "aws" + } + ], + "Checks": [ + "dynamodb_tables_pitr_enabled", + "dynamodb_tables_pitr_enabled", + "efs_have_backup_enabled", + "rds_instance_backup_enabled", + "rds_instance_backup_enabled", + "redshift_cluster_automated_snapshot", + "s3_bucket_object_versioning" + ] + }, + { + "Id": "cp-10", + "Name": "Information System Recovery And Reconstitution (CP-10)", + "Description": "The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure.", + "Attributes": [ + { + "ItemId": "cp-10", + "Section": "Contingency Planning (CP)", + "Service": "aws" + } + ], + "Checks": [ + "dynamodb_tables_pitr_enabled", + "dynamodb_tables_pitr_enabled", + "efs_have_backup_enabled", + "elbv2_deletion_protection", + "rds_instance_backup_enabled", + "rds_instance_multi_az", + "rds_instance_backup_enabled", + "redshift_cluster_automated_snapshot", + "s3_bucket_object_versioning" + ] + }, + { + "Id": "ia-2-1-2", + "Name": "IA-2(1)(2)", + "Description": "(1) The information system implements multifactor authentication for network access to privileged accounts. 
(2) The information system implements multifactor authentication for network access to non- privileged accounts.", + "Attributes": [ + { + "ItemId": "ia-2-1-2", + "Section": "Identification and Authentication (IA)", + "SubSection": "IA-2(1) Network Access To Privileged Accounts", + "Service": "iam" + } + ], + "Checks": [ + "iam_root_mfa_enabled", + "iam_user_mfa_enabled_console_access", + "iam_user_mfa_enabled_console_access", + "iam_root_hardware_mfa_enabled" + ] + }, + { + "Id": "ia-2-1", + "Name": "IA-2(1) Network Access To Privileged Accounts", + "Description": "The information system implements multi-factor authentication for network access to privileged accounts.", + "Attributes": [ + { + "ItemId": "ia-2-1", + "Section": "Identification and Authentication (IA)", + "SubSection": "Identification and Authentication (Organizational users) (IA-2)", + "Service": "iam" + } + ], + "Checks": [ + "iam_root_hardware_mfa_enabled", + "iam_root_mfa_enabled", + "iam_user_mfa_enabled_console_access", + "iam_user_mfa_enabled_console_access" + ] + }, + { + "Id": "ia-2", + "Name": "Identification and Authentication (Organizational users) (IA-2)", + "Description": "The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).", + "Attributes": [ + { + "ItemId": "ia-2", + "Section": "Identification and Authentication (IA)", + "Service": "iam" + } + ], + "Checks": [ + "iam_password_policy_minimum_length_14", + "iam_no_root_access_key" + ] + }, + { + "Id": "ia-5-1-a-d-e", + "Name": "IA-5(1)(a)(d)(e)", + "Description": "The information system, for password-based authentication: a. Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type]; d. 
Enforces password minimum and maximum lifetime restrictions of [Assignment: organization- defined numbers for lifetime minimum, lifetime maximum]; e. Prohibits password reuse for 24 generations", + "Attributes": [ + { + "ItemId": "ia-5-1-a-d-e", + "Section": "Identification and Authentication (IA)", + "SubSection": "IA-5(1) Password-Based Authentication", + "Service": "iam" + } + ], + "Checks": [ + "iam_password_policy_minimum_length_14" + ] + }, + { + "Id": "ia-5-4", + "Name": "IA-5(4) Automated Support For Password Strength Determination", + "Description": "The organization employs automated tools to determine if password authenticators are sufficiently strong to satisfy [Assignment: organization-defined requirements].", + "Attributes": [ + { + "ItemId": "ia-5-4", + "Section": "Identification and Authentication (IA)", + "SubSection": "Authenticator Management (IA-5)", + "Service": "iam" + } + ], + "Checks": [ + "iam_password_policy_minimum_length_14" + ] + }, + { + "Id": "ia-5-7", + "Name": "IA-5(7) No Embedded Unencrypted Static Authenticators", + "Description": "The organization ensures that unencrypted static authenticators are not embedded in applications or access scripts or stored on function keys.", + "Attributes": [ + { + "ItemId": "ia-5-7", + "Section": "Identification and Authentication (IA)", + "SubSection": "Authenticator Management (IA-5)", + "Service": "codebuild" + } + ], + "Checks": [] + }, + { + "Id": "ir-4-1", + "Name": "IR-4(1) Automated Incident Handling Processes", + "Description": "The organization employs automated mechanisms to support the incident handling process.", + "Attributes": [ + { + "ItemId": "ir-4-1", + "Section": "Incident Response (IR)", + "SubSection": "Incident Handling (IR-4)", + "Service": "aws" + } + ], + "Checks": [ + "cloudwatch_changes_to_network_acls_alarm_configured", + "cloudwatch_changes_to_network_gateways_alarm_configured", + "cloudwatch_changes_to_network_route_tables_alarm_configured", + 
"cloudwatch_changes_to_vpcs_alarm_configured", + "guardduty_is_enabled", + "guardduty_no_high_severity_findings", + "securityhub_enabled" + ] + }, + { + "Id": "ir-4-1", + "Name": "IR-4(1) Automated Incident Handling Processes", + "Description": "The organization employs automated mechanisms to support the incident handling process.", + "Attributes": [ + { + "ItemId": "ir-4-1", + "Section": "Incident Response (IR)", + "SubSection": "Incident Handling (IR-4)", + "Service": "aws" + } + ], + "Checks": [ + "cloudwatch_changes_to_network_acls_alarm_configured", + "cloudwatch_changes_to_network_gateways_alarm_configured", + "cloudwatch_changes_to_network_route_tables_alarm_configured", + "cloudwatch_changes_to_vpcs_alarm_configured", + "guardduty_is_enabled", + "guardduty_no_high_severity_findings", + "securityhub_enabled" + ] + }, + { + "Id": "ir-6-1", + "Name": "IR-6(1) Automated Reporting", + "Description": "The organization employs automated mechanisms to assist in the reporting of security incidents.", + "Attributes": [ + { + "ItemId": "ir-6-1", + "Section": "Incident Response (IR)", + "SubSection": "Incident Reporting (IR-6)", + "Service": "aws" + } + ], + "Checks": [ + "guardduty_is_enabled", + "guardduty_no_high_severity_findings", + "securityhub_enabled" + ] + }, + { + "Id": "ir-7-1", + "Name": "IR-7(1) Automation Support For Availability Of Information / Support", + "Description": "The organization employs automated mechanisms to increase the availability of incident response-related information and support.", + "Attributes": [ + { + "ItemId": "ir-7-1", + "Section": "Incident Response (IR)", + "SubSection": "Incident Response Assistance (IR-7)", + "Service": "aws" + } + ], + "Checks": [ + "guardduty_is_enabled", + "guardduty_no_high_severity_findings", + "securityhub_enabled" + ] + }, + { + "Id": "ra-5", + "Name": "Vulnerability Scanning (RA-5)", + "Description": "Scan for system vulnerabilities. 
Share vulnerability information and security controls that eliminate vulnerabilities.", + "Attributes": [ + { + "ItemId": "ra-5", + "Section": "Risk Assessment (RA)", + "Service": "guarduty" + } + ], + "Checks": [ + "guardduty_is_enabled", + "guardduty_no_high_severity_findings" + ] + }, + { + "Id": "sa-3-a", + "Name": "SA-3(a)", + "Description": "The organization: a. Manages the information system using [Assignment: organization-defined system development life cycle] that incorporates information security considerations.", + "Attributes": [ + { + "ItemId": "sa-3-a", + "Section": "System and Services Acquisition (SA)", + "SubSection": "System Development Life Cycle (SA-3)", + "Service": "aws" + } + ], + "Checks": [ + "ec2_instance_managed_by_ssm" + ] + }, + { + "Id": "sa-10", + "Name": "Developer Configuration Management (SA-10)", + "Description": "The organization requires the developer of the information system, system component, or information system service to: a. Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation]; b. Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management]; c. Implement only organization-approved changes to the system, component, or service; d. Document approved changes to the system, component, or service and the potential security impacts of such changes; and e. 
Track security flaws and flaw resolution within the system, component, or service and report findings to [Assignment: organization-defined personnel].", + "Attributes": [ + { + "ItemId": "sa-10", + "Section": "System and Services Acquisition (SA)", + "Service": "aws" + } + ], + "Checks": [ + "ec2_instance_managed_by_ssm", + "guardduty_is_enabled", + "guardduty_no_high_severity_findings", + "securityhub_enabled" + ] + }, + { + "Id": "sc-2", + "Name": "Application Partitioning (SC-2)", + "Description": "The information system separates user functionality (including user interface services) from information system management functionality.", + "Attributes": [ + { + "ItemId": "sc-2", + "Section": "System and Communications Protection (SC)", + "Service": "iam" + } + ], + "Checks": [ + "iam_policy_attached_only_to_group_or_roles", + "iam_policy_no_administrative_privileges" + ] + }, + { + "Id": "sc-4", + "Name": "Information In Shared Resources (SC-4)", + "Description": "The information system prevents unauthorized and unintended information transfer via shared system resources.", + "Attributes": [ + { + "ItemId": "sc-4", + "Section": "System and Communications Protection (SC)", + "Service": "aws" + } + ], + "Checks": [ + "ec2_ebs_public_snapshot", + "awslambda_function_url_public", + "rds_instance_no_public_access", + "rds_snapshots_public_access", + "redshift_cluster_public_access", + "s3_bucket_public_access", + "s3_bucket_policy_public_write_access", + "s3_account_level_public_access_blocks", + "s3_bucket_public_access", + "sagemaker_notebook_instance_without_direct_internet_access_configured", + "ec2_securitygroup_default_restrict_traffic", + "ec2_networkacl_allow_ingress_any_port", + "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22", + "ec2_networkacl_allow_ingress_any_port" + ] + }, + { + "Id": "sc-5", + "Name": "Denial Of Service Protection (SC-5)", + "Description": "The information system protects against or limits the effects of the following types 
of denial of service attacks: [Assignment: organization-defined types of denial of service attacks or references to sources for such information] by employing [Assignment: organization-defined security safeguards].", + "Attributes": [ + { + "ItemId": "sc-5", + "Section": "System and Communications Protection (SC)", + "Service": "aws" + } + ], + "Checks": [ + "rds_instance_deletion_protection", + "dynamodb_tables_pitr_enabled", + "elbv2_deletion_protection", + "guardduty_is_enabled", + "rds_instance_multi_az", + "s3_bucket_object_versioning" + ] + }, + { + "Id": "sc-7-3", + "Name": "SC-7(3) Access Points", + "Description": "The organization limits the number of external network connections to the information system.", + "Attributes": [ + { + "ItemId": "sc-7-3", + "Section": "System and Communications Protection (SC)", + "SubSection": "Boundary Protection (SC-7)", + "Service": "aws" + } + ], + "Checks": [ + "ec2_ebs_public_snapshot", + "ec2_instance_public_ip", + "emr_cluster_master_nodes_no_public_ip", + "awslambda_function_not_publicly_accessible", + "awslambda_function_url_public", + "rds_instance_no_public_access", + "rds_snapshots_public_access", + "redshift_cluster_public_access", + "s3_bucket_public_access", + "s3_bucket_policy_public_write_access", + "s3_account_level_public_access_blocks", + "s3_bucket_public_access", + "sagemaker_notebook_instance_without_direct_internet_access_configured", + "ec2_securitygroup_default_restrict_traffic", + "ec2_networkacl_allow_ingress_any_port", + "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22", + "ec2_networkacl_allow_ingress_any_port" + ] + }, + { + "Id": "sc-7", + "Name": "Boundary Protection (SC-7)", + "Description": "The information system: a. Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; b. 
Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and c. Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.", + "Attributes": [ + { + "ItemId": "sc-7", + "Section": "System and Communications Protection (SC)", + "Service": "aws" + } + ], + "Checks": [ + "ec2_ebs_public_snapshot", + "ec2_instance_public_ip", + "elbv2_waf_acl_attached", + "elb_ssl_listeners", + "emr_cluster_master_nodes_no_public_ip", + "opensearch_service_domains_node_to_node_encryption_enabled", + "awslambda_function_not_publicly_accessible", + "awslambda_function_url_public", + "rds_instance_no_public_access", + "rds_snapshots_public_access", + "redshift_cluster_public_access", + "s3_bucket_secure_transport_policy", + "s3_bucket_public_access", + "s3_bucket_policy_public_write_access", + "s3_account_level_public_access_blocks", + "s3_bucket_public_access", + "sagemaker_notebook_instance_without_direct_internet_access_configured", + "ec2_securitygroup_default_restrict_traffic", + "ec2_networkacl_allow_ingress_any_port", + "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22", + "ec2_networkacl_allow_ingress_any_port" + ] + }, + { + "Id": "sc-8-1", + "Name": "SC-8(1) Cryptographic Or Alternate Physical Protection", + "Description": "The information system implements cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission unless otherwise protected by [Assignment: organization-defined alternative physical safeguards].", + "Attributes": [ + { + "ItemId": "sc-8-1", + "Section": "System and Communications Protection (SC)", + "SubSection": "Transmission Integrity (SC-8)", + "Service": "aws" + } + ], + "Checks": [ + 
"apigateway_client_certificate_enabled", + "elbv2_insecure_ssl_ciphers", + "elb_ssl_listeners", + "opensearch_service_domains_node_to_node_encryption_enabled", + "s3_bucket_secure_transport_policy" + ] + }, + { + "Id": "sc-8", + "Name": "Transmission Integrity (SC-8)", + "Description": "The information system protects the confidentiality AND integrity of transmitted information.", + "Attributes": [ + { + "ItemId": "sc-8", + "Section": "System and Communications Protection (SC)", + "Service": "aws" + } + ], + "Checks": [ + "apigateway_client_certificate_enabled", + "elbv2_insecure_ssl_ciphers", + "elb_ssl_listeners", + "opensearch_service_domains_node_to_node_encryption_enabled", + "s3_bucket_secure_transport_policy" + ] + }, + { + "Id": "sc-12", + "Name": "Cryptographic Key Establishment And Management (SC-12)", + "Description": "The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction].", + "Attributes": [ + { + "ItemId": "sc-12", + "Section": "System and Communications Protection (SC)", + "Service": "aws" + } + ], + "Checks": [ + "acm_certificates_expiration_check", + "kms_cmk_rotation_enabled" + ] + }, + { + "Id": "sc-13", + "Name": "Use of Cryptography (SC-13)", + "Description": "The information system implements FIPS-validated or NSA-approved cryptography in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.", + "Attributes": [ + { + "ItemId": "sc-13", + "Section": "System and Communications Protection (SC)", + "Service": "aws" + } + ], + "Checks": [ + "s3_bucket_default_encryption", + "sagemaker_notebook_instance_encryption_enabled", + "sns_topics_kms_encryption_at_rest_enabled" + ] + }, + { + "Id": "sc-23", + "Name": "Session Authenticity (SC-23)", + "Description": "The information system protects the 
authenticity of communications sessions.", + "Attributes": [ + { + "ItemId": "sc-23", + "Section": "System and Communications Protection (SC)", + "Service": "aws" + } + ], + "Checks": [ + "apigateway_client_certificate_enabled", + "elb_ssl_listeners", + "opensearch_service_domains_node_to_node_encryption_enabled", + "s3_bucket_secure_transport_policy" + ] + }, + { + "Id": "sc-28", + "Name": "Protection of Information at Rest (SC-28)", + "Description": "The information system protects the confidentiality AND integrity of [Assignment: organization-defined information at rest].", + "Attributes": [ + { + "ItemId": "sc-28", + "Section": "System and Communications Protection (SC)", + "Service": "aws" + } + ], + "Checks": [ + "cloudtrail_kms_encryption_enabled", + "ec2_ebs_volume_encryption", + "ec2_ebs_volume_encryption", + "efs_encryption_at_rest_enabled", + "opensearch_service_domains_encryption_at_rest_enabled", + "cloudwatch_log_group_kms_encryption_enabled", + "rds_instance_storage_encrypted", + "rds_instance_storage_encrypted", + "redshift_cluster_audit_logging", + "s3_bucket_default_encryption", + "s3_bucket_default_encryption", + "sagemaker_notebook_instance_encryption_enabled", + "sns_topics_kms_encryption_at_rest_enabled" + ] + }, + { + "Id": "si-2-2", + "Name": "Automated Flaw Remediation Status (SI-2(2))", + "Description": "The organization employs automated mechanisms at least monthly to determine the state of information system components with regard to flaw remediation.", + "Attributes": [ + { + "ItemId": "si-2-2", + "Section": "System and Information Integrity (SI)", + "SubSection": "Flaw Remediation (SI-2)", + "Service": "aws" + } + ], + "Checks": [ + "ec2_instance_managed_by_ssm", + "ssm_managed_compliant_patching", + "ssm_managed_compliant_patching" + ] + }, + { + "Id": "si-4-1", + "Name": "SI-4(1) System-Wide Intrusion Detection System", + "Description": "The organization connects and configures individual intrusion detection tools into an information 
system-wide intrusion detection system.", + "Attributes": [ + { + "ItemId": "si-4-1", + "Section": "System and Information Integrity (SI)", + "SubSection": "Information System Monitoring (SI-4)", + "Service": "guarduty" + } + ], + "Checks": [ + "guardduty_is_enabled" + ] + }, + { + "Id": "si-4-16", + "Name": "SI-4(16) Correlate Monitoring Information", + "Description": "The organization correlates information from monitoring tools employed throughout the information system.", + "Attributes": [ + { + "ItemId": "si-4-16", + "Section": "System and Information Integrity (SI)", + "SubSection": "Information System Monitoring (SI-4)", + "Service": "aws" + } + ], + "Checks": [ + "cloudtrail_multi_region_enabled", + "cloudtrail_s3_dataevents_read_enabled", + "cloudtrail_s3_dataevents_write_enabled", + "cloudtrail_multi_region_enabled", + "guardduty_is_enabled", + "redshift_cluster_audit_logging", + "securityhub_enabled" + ] + }, + { + "Id": "si-4-2", + "Name": "SI-4(2) Automated Tools For Real-Time Analysis", + "Description": "The organization employs automated tools to support near real-time analysis of events.", + "Attributes": [ + { + "ItemId": "si-4-2", + "Section": "System and Information Integrity (SI)", + "SubSection": "Information System Monitoring (SI-4)", + "Service": "aws" + } + ], + "Checks": [ + "cloudtrail_multi_region_enabled", + "cloudtrail_s3_dataevents_read_enabled", + "cloudtrail_s3_dataevents_write_enabled", + "cloudtrail_multi_region_enabled", + "cloudwatch_changes_to_network_acls_alarm_configured", + "cloudwatch_changes_to_network_gateways_alarm_configured", + "cloudwatch_changes_to_network_route_tables_alarm_configured", + "cloudwatch_changes_to_vpcs_alarm_configured", + "ec2_instance_imdsv2_enabled", + "guardduty_is_enabled", + "redshift_cluster_audit_logging", + "securityhub_enabled" + ] + }, + { + "Id": "si-4-4", + "Name": "SI-4(4) Inbound and Outbound Communications Traffic", + "Description": "The information system monitors inbound and outbound 
communications traffic continuously for unusual or unauthorized activities or conditions.",
+ "Attributes": [
+ {
+ "ItemId": "si-4-4",
+ "Section": "System and Information Integrity (SI)",
+ "SubSection": "Information System Monitoring (SI-4)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "cloudtrail_multi_region_enabled",
+ "cloudtrail_s3_dataevents_read_enabled",
+ "cloudtrail_s3_dataevents_write_enabled",
+ "cloudtrail_multi_region_enabled",
+ "cloudwatch_changes_to_network_acls_alarm_configured",
+ "cloudwatch_changes_to_network_gateways_alarm_configured",
+ "cloudwatch_changes_to_network_route_tables_alarm_configured",
+ "cloudwatch_changes_to_vpcs_alarm_configured",
+ "ec2_instance_imdsv2_enabled",
+ "guardduty_is_enabled",
+ "redshift_cluster_audit_logging",
+ "securityhub_enabled"
+ ]
+ },
+ {
+ "Id": "si-4-5",
+ "Name": "SI-4(5) System-Generated Alerts",
+ "Description": "The information system alerts organization-defined personnel or roles when the following indications of compromise or potential compromise occur: [Assignment: organization-defined compromise indicators].",
+ "Attributes": [
+ {
+ "ItemId": "si-4-5",
+ "Section": "System and Information Integrity (SI)",
+ "SubSection": "Information System Monitoring (SI-4)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "cloudtrail_multi_region_enabled",
+ "cloudtrail_s3_dataevents_read_enabled",
+ "cloudtrail_s3_dataevents_write_enabled",
+ "cloudtrail_multi_region_enabled",
+ "cloudwatch_changes_to_network_acls_alarm_configured",
+ "cloudwatch_changes_to_network_gateways_alarm_configured",
+ "cloudwatch_changes_to_network_route_tables_alarm_configured",
+ "cloudwatch_changes_to_vpcs_alarm_configured",
+ "ec2_instance_imdsv2_enabled",
+ "guardduty_is_enabled",
+ "redshift_cluster_audit_logging",
+ "securityhub_enabled"
+ ]
+ },
+ {
+ "Id": "si-4-a-b-c",
+ "Name": "SI-4(a)(b)(c)",
+ "Description": "The organization: a. Monitors the information system to detect: 1. 
Attacks and indicators of potential attacks in accordance with [Assignment: organization- defined monitoring objectives]; and 2. Unauthorized local, network, and remote connections; b. Identifies unauthorized use of the information system through [Assignment: organization- defined techniques and methods]; c. Deploys monitoring devices: i. strategically within the information system to collect organization-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the organization.",
+ "Attributes": [
+ {
+ "ItemId": "si-4-a-b-c",
+ "Section": "System and Information Integrity (SI)",
+ "SubSection": "Information System Monitoring (SI-4)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "apigateway_waf_acl_attached",
+ "cloudtrail_cloudwatch_logging_enabled",
+ "cloudwatch_changes_to_network_acls_alarm_configured",
+ "cloudwatch_changes_to_network_gateways_alarm_configured",
+ "cloudwatch_changes_to_network_route_tables_alarm_configured",
+ "cloudwatch_changes_to_vpcs_alarm_configured",
+ "ec2_instance_imdsv2_enabled",
+ "elbv2_waf_acl_attached",
+ "guardduty_is_enabled",
+ "guardduty_no_high_severity_findings",
+ "securityhub_enabled"
+ ]
+ },
+ {
+ "Id": "si-7-1",
+ "Name": "SI-7(1) Integrity Checks",
+ "Description": "The information system performs an integrity check of security relevant events at least monthly.",
+ "Attributes": [
+ {
+ "ItemId": "si-7-1",
+ "Section": "System and Information Integrity (SI)",
+ "SubSection": "Software, Firmware, and Information Integrity (SI-7)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "cloudtrail_log_file_validation_enabled",
+ "ec2_instance_managed_by_ssm",
+ "ssm_managed_compliant_patching"
+ ]
+ },
+ {
+ "Id": "si-7",
+ "Name": "Software, Firmware, and Information Integrity (SI-7)",
+ "Description": "The organization employs integrity verification tools to detect unauthorized changes to [Assignment: organization-defined software, firmware, and 
information].",
+ "Attributes": [
+ {
+ "ItemId": "si-7",
+ "Section": "System and Information Integrity (SI)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "cloudtrail_log_file_validation_enabled"
+ ]
+ },
+ {
+ "Id": "si-12",
+ "Name": "Information Handling and Retention (SI-12)",
+ "Description": "The organization handles and retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.",
+ "Attributes": [
+ {
+ "ItemId": "si-12",
+ "Section": "System and Information Integrity (SI)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "cloudwatch_log_group_retention_policy_specific_days_enabled",
+ "dynamodb_tables_pitr_enabled",
+ "dynamodb_tables_pitr_enabled",
+ "efs_have_backup_enabled",
+ "rds_instance_backup_enabled",
+ "rds_instance_backup_enabled",
+ "redshift_cluster_automated_snapshot",
+ "s3_bucket_object_versioning"
+ ]
+ }
+ ]
+}
diff --git a/prowler/compliance/aws/ffiec_aws.json b/prowler/compliance/aws/ffiec_aws.json
new file mode 100644
index 00000000..2c293c2f
--- /dev/null
+++ b/prowler/compliance/aws/ffiec_aws.json
@@ -0,0 +1,902 @@
+{
+ "Framework": "FFIEC",
+ "Version": "",
+ "Provider": "AWS",
+ "Description": "In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council (FFIEC) developed the Cybersecurity Assessment Tool (Assessment), on behalf of its members, to help institutions identify their risks and determine their cybersecurity maturity.",
+ "Requirements": [
+ {
+ "Id": "d1-g-it-b-1",
+ "Name": "D1.G.IT.B.1",
+ "Description": "An inventory of organizational assets (e.g., hardware, software, data, and systems hosted externally) is maintained.",
+ "Attributes": [
+ {
+ "ItemId": "d1-g-it-b-1",
+ "Section": "Cyber Risk Management and Oversight (Domain 1)",
+ "SubSection": "Governance (G)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "ec2_instance_managed_by_ssm",
+ "ec2_instance_older_than_specific_days",
+ "ec2_elastic_ip_unassgined"
+ ]
+ },
+ {
+ "Id": "d1-rm-ra-b-2",
+ "Name": "D1.RM.RA.B.2",
+ "Description": "The risk assessment identifies Internet- based systems and high-risk transactions that warrant additional authentication controls.",
+ "Attributes": [
+ {
+ "ItemId": "d1-rm-ra-b-2",
+ "Section": "Cyber Risk Management and Oversight (Domain 1)",
+ "SubSection": "Risk Management (RM)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "guardduty_is_enabled"
+ ]
+ },
+ {
+ "Id": "d1-rm-rm-b-1",
+ "Name": "D1.RM.Rm.B.1",
+ "Description": "An information security and business continuity risk management function(s) exists within the institution.",
+ "Attributes": [
+ {
+ "ItemId": "d1-rm-rm-b-1",
+ "Section": "Cyber Risk Management and Oversight (Domain 1)",
+ "SubSection": "Risk Management (RM)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "rds_instance_backup_enabled",
+ "rds_instance_backup_enabled",
+ "rds_instance_multi_az",
+ "redshift_cluster_automated_snapshot"
+ ]
+ },
+ {
+ "Id": "d2-is-is-b-1",
+ "Name": "D2.IS.Is.B.1",
+ "Description": "Information security threats are gathered and shared 
with applicable internal employees.",
+ "Attributes": [
+ {
+ "ItemId": "d2-is-is-b-1",
+ "Section": "Threat Intelligence and Collaboration (Domain 2)",
+ "SubSection": "Information Sharing (IS)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "cloudtrail_cloudwatch_logging_enabled",
+ "guardduty_is_enabled",
+ "securityhub_enabled"
+ ]
+ },
+ {
+ "Id": "d2-ma-ma-b-1",
+ "Name": "D2.MA.Ma.B.1",
+ "Description": "Information security threats are gathered and shared with applicable internal employees.",
+ "Attributes": [
+ {
+ "ItemId": "d2-ma-ma-b-1",
+ "Section": "Threat Intelligence and Collaboration (Domain 2)",
+ "SubSection": "Monitoring and Analyzing (MA)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "apigateway_logging_enabled",
+ "cloudtrail_multi_region_enabled",
+ "cloudtrail_s3_dataevents_read_enabled",
+ "cloudtrail_s3_dataevents_write_enabled",
+ "cloudtrail_multi_region_enabled",
+ "cloudtrail_cloudwatch_logging_enabled",
+ "cloudwatch_log_group_retention_policy_specific_days_enabled",
+ "elbv2_logging_enabled",
+ "elb_logging_enabled",
+ "opensearch_service_domains_cloudwatch_logging_enabled",
+ "rds_instance_integration_cloudwatch_logs",
+ "redshift_cluster_audit_logging",
+ "s3_bucket_server_access_logging_enabled",
+ "vpc_flow_logs_enabled"
+ ]
+ },
+ {
+ "Id": "d2-ma-ma-b-2",
+ "Name": "D2.MA.Ma.B.2",
+ "Description": "Computer event logs are used for investigations once an event has occurred.",
+ "Attributes": [
+ {
+ "ItemId": "d2-ma-ma-b-2",
+ "Section": "Threat Intelligence and Collaboration (Domain 2)",
+ "SubSection": "Monitoring and Analyzing (MA)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "apigateway_logging_enabled",
+ "cloudtrail_multi_region_enabled",
+ "cloudtrail_s3_dataevents_read_enabled",
+ "cloudtrail_s3_dataevents_write_enabled",
+ "cloudtrail_multi_region_enabled",
+ "cloudtrail_cloudwatch_logging_enabled",
+ "elbv2_logging_enabled",
+ "elb_logging_enabled",
+ "opensearch_service_domains_cloudwatch_logging_enabled",
+
"redshift_cluster_audit_logging",
+ "s3_bucket_server_access_logging_enabled",
+ "vpc_flow_logs_enabled"
+ ]
+ },
+ {
+ "Id": "d2-ti-ti-b-1",
+ "Name": "D2.TI.Ti.B.1",
+ "Description": "The institution belongs or subscribes to a threat and vulnerability information-sharing source(s) that provides information on threats (e.g., FS-ISAC, US- CERT).",
+ "Attributes": [
+ {
+ "ItemId": "d2-ti-ti-b-1",
+ "Section": "Threat Intelligence and Collaboration (Domain 2)",
+ "SubSection": "Threat Intelligence (TI)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "guardduty_is_enabled",
+ "securityhub_enabled"
+ ]
+ },
+ {
+ "Id": "d2-ti-ti-b-2",
+ "Name": "D2.TI.Ti.B.2",
+ "Description": "Threat information is used to monitor threats and vulnerabilities.",
+ "Attributes": [
+ {
+ "ItemId": "d2-ti-ti-b-2",
+ "Section": "Threat Intelligence and Collaboration (Domain 2)",
+ "SubSection": "Threat Intelligence (TI)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "guardduty_is_enabled",
+ "securityhub_enabled",
+ "ssm_managed_compliant_patching"
+ ]
+ },
+ {
+ "Id": "d2-ti-ti-b-3",
+ "Name": "D2.TI.Ti.B.3",
+ "Description": "Threat information is used to enhance internal risk management and controls.",
+ "Attributes": [
+ {
+ "ItemId": "d2-ti-ti-b-3",
+ "Section": "Threat Intelligence and Collaboration (Domain 2)",
+ "SubSection": "Threat Intelligence (TI)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "guardduty_is_enabled",
+ "securityhub_enabled"
+ ]
+ },
+ {
+ "Id": "d3-cc-pm-b-1",
+ "Name": "D3.CC.PM.B.1",
+ "Description": "A patch management program is implemented and ensures that software and firmware patches are applied in a timely manner.",
+ "Attributes": [
+ {
+ "ItemId": "d3-cc-pm-b-1",
+ "Section": "Cybersecurity Controls (Domain 3)",
+ "SubSection": "Corrective Controls (CC)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "rds_instance_minor_version_upgrade_enabled",
+ "redshift_cluster_automatic_upgrades",
+ "ssm_managed_compliant_patching"
+ ]
+ },
+ {
+ "Id": "d3-cc-pm-b-3",
+ "Name": "D3.CC.PM.B.3",
+ "Description": "Patch management reports are reviewed and reflect missing security patches.",
+ "Attributes": [
+ {
+ "ItemId": "d3-cc-pm-b-3",
+ "Section": "Cybersecurity Controls (Domain 3)",
+ "SubSection": "Corrective Controls (CC)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "rds_instance_minor_version_upgrade_enabled",
+ "redshift_cluster_automatic_upgrades",
+ "ssm_managed_compliant_patching"
+ ]
+ },
+ {
+ "Id": "d3-dc-an-b-1",
+ "Name": "D3.DC.An.B.1",
+ "Description": "The institution is able to detect anomalous activities through monitoring across the environment.",
+ "Attributes": [
+ {
+ "ItemId": "d3-dc-an-b-1",
+ "Section": "Cybersecurity Controls (Domain 3)",
+ "SubSection": "Detective Controls (DC)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "guardduty_is_enabled",
+ "guardduty_no_high_severity_findings",
+ "securityhub_enabled"
+ ]
+ },
+ {
+ "Id": "d3-dc-an-b-2",
+ "Name": "D3.DC.An.B.2",
+ "Description": "Customer transactions generating anomalous activity alerts are monitored and reviewed.",
+ "Attributes": [
+ {
+ "ItemId": "d3-dc-an-b-2",
+ "Section": "Cybersecurity Controls (Domain 3)",
+ "SubSection": "Detective Controls (DC)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "guardduty_is_enabled",
+ "securityhub_enabled"
+ ]
+ },
+ {
+ "Id": "d3-dc-an-b-3",
+ "Name": "D3.DC.An.B.3",
+ "Description": "Logs of physical and/or logical access are reviewed following events.",
+ "Attributes": [
+ {
+ "ItemId": "d3-dc-an-b-3",
+ "Section": "Cybersecurity Controls (Domain 3)",
+ "SubSection": "Detective Controls (DC)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "apigateway_logging_enabled",
+ "cloudtrail_multi_region_enabled",
+ "cloudtrail_s3_dataevents_read_enabled",
+ "cloudtrail_s3_dataevents_write_enabled",
+ "cloudtrail_multi_region_enabled",
+ "cloudtrail_cloudwatch_logging_enabled",
+ "elbv2_logging_enabled",
+ "elb_logging_enabled",
+ "opensearch_service_domains_cloudwatch_logging_enabled",
+
"rds_instance_integration_cloudwatch_logs",
+ "s3_bucket_server_access_logging_enabled",
+ "vpc_flow_logs_enabled"
+ ]
+ },
+ {
+ "Id": "d3-dc-an-b-4",
+ "Name": "D3.DC.An.B.4",
+ "Description": "Access to critical systems by third parties is monitored for unauthorized or unusual activity.",
+ "Attributes": [
+ {
+ "ItemId": "d3-dc-an-b-4",
+ "Section": "Cybersecurity Controls (Domain 3)",
+ "SubSection": "Detective Controls (DC)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "apigateway_logging_enabled",
+ "cloudtrail_multi_region_enabled",
+ "cloudtrail_s3_dataevents_read_enabled",
+ "cloudtrail_s3_dataevents_write_enabled",
+ "cloudtrail_multi_region_enabled",
+ "cloudtrail_cloudwatch_logging_enabled",
+ "elbv2_logging_enabled",
+ "elb_logging_enabled",
+ "opensearch_service_domains_cloudwatch_logging_enabled",
+ "rds_instance_integration_cloudwatch_logs",
+ "redshift_cluster_audit_logging",
+ "s3_bucket_server_access_logging_enabled",
+ "vpc_flow_logs_enabled"
+ ]
+ },
+ {
+ "Id": "d3-dc-an-b-5",
+ "Name": "D3.DC.An.B.5",
+ "Description": "Elevated privileges are monitored.",
+ "Attributes": [
+ {
+ "ItemId": "d3-dc-an-b-5",
+ "Section": "Cybersecurity Controls (Domain 3)",
+ "SubSection": "Detective Controls (DC)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "cloudtrail_multi_region_enabled",
+ "cloudtrail_cloudwatch_logging_enabled"
+ ]
+ },
+ {
+ "Id": "d3-dc-ev-b-1",
+ "Name": "D3.DC.Ev.B.1",
+ "Description": "A normal network activity baseline is established.",
+ "Attributes": [
+ {
+ "ItemId": "d3-dc-ev-b-1",
+ "Section": "Cybersecurity Controls (Domain 3)",
+ "SubSection": "Detective Controls (DC)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "apigateway_logging_enabled",
+ "cloudtrail_multi_region_enabled",
+ "cloudtrail_s3_dataevents_read_enabled",
+ "cloudtrail_s3_dataevents_write_enabled",
+ "cloudtrail_multi_region_enabled",
+ "cloudtrail_cloudwatch_logging_enabled",
+ "elbv2_logging_enabled",
+ "elb_logging_enabled",
+
"redshift_cluster_audit_logging",
+ "vpc_flow_logs_enabled"
+ ]
+ },
+ {
+ "Id": "d3-dc-ev-b-2",
+ "Name": "D3.DC.Ev.B.2",
+ "Description": "Mechanisms (e.g., antivirus alerts, log event alerts) are in place to alert management to potential attacks.",
+ "Attributes": [
+ {
+ "ItemId": "d3-dc-ev-b-2",
+ "Section": "Cybersecurity Controls (Domain 3)",
+ "SubSection": "Detective Controls (DC)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "guardduty_is_enabled"
+ ]
+ },
+ {
+ "Id": "d3-dc-ev-b-3",
+ "Name": "D3.DC.Ev.B.3",
+ "Description": "Processes are in place to monitor for the presence of unauthorized users, devices, connections, and software.",
+ "Attributes": [
+ {
+ "ItemId": "d3-dc-ev-b-3",
+ "Section": "Cybersecurity Controls (Domain 3)",
+ "SubSection": "Detective Controls (DC)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "cloudtrail_multi_region_enabled",
+ "guardduty_is_enabled",
+ "securityhub_enabled",
+ "vpc_flow_logs_enabled"
+ ]
+ },
+ {
+ "Id": "d3-dc-th-b-1",
+ "Name": "D3.DC.Th.B.1",
+ "Description": "Independent testing (including penetration testing and vulnerability scanning) is conducted according to the risk assessment for external-facing systems and the internal network.",
+ "Attributes": [
+ {
+ "ItemId": "d3-dc-th-b-1",
+ "Section": "Cybersecurity Controls (Domain 3)",
+ "SubSection": "Detective Controls (DC)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "guardduty_is_enabled",
+ "securityhub_enabled",
+ "ssm_managed_compliant_patching"
+ ]
+ },
+ {
+ "Id": "d3-pc-am-b-1",
+ "Name": "D3.PC.Am.B.1",
+ "Description": "Employee access is granted to systems and confidential data based on job responsibilities and the principles of least privilege.",
+ "Attributes": [
+ {
+ "ItemId": "d3-pc-am-b-1",
+ "Section": "Cybersecurity Controls (Domain 3)",
+ "SubSection": "Preventative Controls (PC)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "ec2_instance_profile_attached",
+ "iam_policy_no_administrative_privileges",
+
"iam_policy_attached_only_to_group_or_roles",
+ "iam_policy_no_administrative_privileges",
+ "iam_no_root_access_key"
+ ]
+ },
+ {
+ "Id": "d3-pc-am-b-10",
+ "Name": "D3.PC.Am.B.10",
+ "Description": "Production and non-production environments are segregated to prevent unauthorized access or changes to information assets. (*N/A if no production environment exists at the institution or the institution's third party.)",
+ "Attributes": [
+ {
+ "ItemId": "d3-pc-am-b-10",
+ "Section": "Cybersecurity Controls (Domain 3)",
+ "SubSection": "Preventative Controls (PC)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "ec2_networkacl_allow_ingress_any_port",
+ "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
+ "ec2_networkacl_allow_ingress_any_port"
+ ]
+ },
+ {
+ "Id": "d3-pc-am-b-12",
+ "Name": "D3.PC.Am.B.12",
+ "Description": "All passwords are encrypted in storage and in transit.",
+ "Attributes": [
+ {
+ "ItemId": "d3-pc-am-b-12",
+ "Section": "Cybersecurity Controls (Domain 3)",
+ "SubSection": "Preventative Controls (PC)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "apigateway_client_certificate_enabled",
+ "ec2_ebs_volume_encryption",
+ "ec2_ebs_default_encryption",
+ "efs_encryption_at_rest_enabled",
+ "opensearch_service_domains_encryption_at_rest_enabled",
+ "opensearch_service_domains_node_to_node_encryption_enabled",
+ "rds_instance_storage_encrypted",
+ "redshift_cluster_audit_logging",
+ "s3_bucket_default_encryption",
+ "s3_bucket_secure_transport_policy"
+ ]
+ },
+ {
+ "Id": "d3-pc-am-b-13",
+ "Name": "D3.PC.Am.B.13",
+ "Description": "Confidential data is encrypted when transmitted across public or untrusted networks (e.g., Internet).",
+ "Attributes": [
+ {
+ "ItemId": "d3-pc-am-b-13",
+ "Section": "Cybersecurity Controls (Domain 3)",
+ "SubSection": "Preventative Controls (PC)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "apigateway_client_certificate_enabled",
+ "elbv2_insecure_ssl_ciphers",
+ "elb_ssl_listeners",
+
"s3_bucket_secure_transport_policy"
+ ]
+ },
+ {
+ "Id": "d3-pc-am-b-15",
+ "Name": "D3.PC.Am.B.15",
+ "Description": "Remote access to critical systems by employees, contractors, and third parties uses encrypted connections and multifactor authentication.",
+ "Attributes": [
+ {
+ "ItemId": "d3-pc-am-b-15",
+ "Section": "Cybersecurity Controls (Domain 3)",
+ "SubSection": "Preventative Controls (PC)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "apigateway_client_certificate_enabled",
+ "iam_root_hardware_mfa_enabled",
+ "iam_root_mfa_enabled",
+ "iam_user_mfa_enabled_console_access",
+ "s3_bucket_secure_transport_policy"
+ ]
+ },
+ {
+ "Id": "d3-pc-am-b-16",
+ "Name": "D3.PC.Am.B.16",
+ "Description": "Administrative, physical, or technical controls are in place to prevent users without administrative responsibilities from installing unauthorized software.",
+ "Attributes": [
+ {
+ "ItemId": "d3-pc-am-b-16",
+ "Section": "Cybersecurity Controls (Domain 3)",
+ "SubSection": "Preventative Controls (PC)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "iam_policy_no_administrative_privileges",
+ "iam_policy_no_administrative_privileges"
+ ]
+ },
+ {
+ "Id": "d3-pc-am-b-2",
+ "Name": "D3.PC.Am.B.2",
+ "Description": "Employee access to systems and confidential data provides for separation of duties.",
+ "Attributes": [
+ {
+ "ItemId": "d3-pc-am-b-2",
+ "Section": "Cybersecurity Controls (Domain 3)",
+ "SubSection": "Preventative Controls (PC)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "iam_policy_no_administrative_privileges",
+ "iam_policy_no_administrative_privileges"
+ ]
+ },
+ {
+ "Id": "d3-pc-am-b-3",
+ "Name": "D3.PC.Am.B.3",
+ "Description": "Elevated privileges (e.g., administrator privileges) are limited and tightly controlled (e.g., assigned to individuals, not shared, and require stronger password controls",
+ "Attributes": [
+ {
+ "ItemId": "d3-pc-am-b-3",
+ "Section": "Cybersecurity Controls (Domain 3)",
+ "SubSection": "Preventative Controls (PC)",
+
"Service": "aws"
+ }
+ ],
+ "Checks": [
+ "iam_policy_no_administrative_privileges",
+ "iam_policy_no_administrative_privileges",
+ "iam_root_hardware_mfa_enabled",
+ "iam_root_mfa_enabled",
+ "iam_no_root_access_key"
+ ]
+ },
+ {
+ "Id": "d3-pc-am-b-6",
+ "Name": "D3.PC.Am.B.6",
+ "Description": "Identification and authentication are required and managed for access to systems, applications, and hardware.",
+ "Attributes": [
+ {
+ "ItemId": "d3-pc-am-b-6",
+ "Section": "Cybersecurity Controls (Domain 3)",
+ "SubSection": "Preventative Controls (PC)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "iam_password_policy_minimum_length_14",
+ "iam_password_policy_lowercase",
+ "iam_password_policy_number",
+ "iam_password_policy_number",
+ "iam_password_policy_symbol",
+ "iam_password_policy_uppercase",
+ "iam_policy_no_administrative_privileges",
+ "iam_policy_no_administrative_privileges",
+ "iam_root_hardware_mfa_enabled",
+ "iam_root_mfa_enabled",
+ "iam_rotate_access_key_90_days",
+ "iam_user_mfa_enabled_console_access",
+ "iam_user_mfa_enabled_console_access",
+ "iam_disable_90_days_credentials"
+ ]
+ },
+ {
+ "Id": "d3-pc-am-b-7",
+ "Name": "D3.PC.Am.B.7",
+ "Description": "Access controls include password complexity and limits to password attempts and reuse.",
+ "Attributes": [
+ {
+ "ItemId": "d3-pc-am-b-7",
+ "Section": "Cybersecurity Controls (Domain 3)",
+ "SubSection": "Preventative Controls (PC)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "iam_password_policy_minimum_length_14",
+ "iam_password_policy_lowercase",
+ "iam_password_policy_number",
+ "iam_password_policy_number",
+ "iam_password_policy_symbol",
+ "iam_password_policy_uppercase"
+ ]
+ },
+ {
+ "Id": "d3-pc-am-b-8",
+ "Name": "D3.PC.Am.B.8",
+ "Description": "All default passwords and unnecessary default accounts are changed before system implementation.",
+ "Attributes": [
+ {
+ "ItemId": "d3-pc-am-b-8",
+ "Section": "Cybersecurity Controls (Domain 3)",
+ "SubSection": "Preventative Controls 
(PC)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "iam_no_root_access_key"
+ ]
+ },
+ {
+ "Id": "d3-pc-im-b-1",
+ "Name": "D3.PC.Im.B.1",
+ "Description": "Network perimeter defense tools (e.g., border router and firewall) are used.",
+ "Attributes": [
+ {
+ "ItemId": "d3-pc-im-b-1",
+ "Section": "Cybersecurity Controls (Domain 3)",
+ "SubSection": "Preventative Controls (PC)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "acm_certificates_expiration_check",
+ "apigateway_waf_acl_attached",
+ "ec2_ebs_public_snapshot",
+ "ec2_instance_public_ip",
+ "elbv2_waf_acl_attached",
+ "emr_cluster_master_nodes_no_public_ip",
+ "awslambda_function_not_publicly_accessible",
+ "awslambda_function_url_public",
+ "rds_instance_no_public_access",
+ "rds_snapshots_public_access",
+ "redshift_cluster_public_access",
+ "s3_bucket_public_access",
+ "s3_bucket_policy_public_write_access",
+ "s3_account_level_public_access_blocks",
+ "s3_bucket_public_access",
+ "sagemaker_notebook_instance_without_direct_internet_access_configured",
+ "ec2_securitygroup_default_restrict_traffic",
+ "ec2_networkacl_allow_ingress_any_port",
+ "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
+ "ec2_networkacl_allow_ingress_any_port"
+ ]
+ },
+ {
+ "Id": "d3-pc-im-b-2",
+ "Name": "D3.PC.Im.B.2",
+ "Description": "Systems that are accessed from the Internet or by external parties are protected by firewalls or other similar devices.",
+ "Attributes": [
+ {
+ "ItemId": "d3-pc-im-b-2",
+ "Section": "Cybersecurity Controls (Domain 3)",
+ "SubSection": "Preventative Controls (PC)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "apigateway_waf_acl_attached",
+ "elbv2_waf_acl_attached",
+ "ec2_securitygroup_default_restrict_traffic",
+ "ec2_networkacl_allow_ingress_any_port",
+ "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
+ "ec2_networkacl_allow_ingress_any_port"
+ ]
+ },
+ {
+ "Id": "d3-pc-im-b-3",
+ "Name": "D3.PC.Im.B.3",
+ "Description": "All ports are monitored.",
+
"Attributes": [
+ {
+ "ItemId": "d3-pc-im-b-3",
+ "Section": "Cybersecurity Controls (Domain 3)",
+ "SubSection": "Preventative Controls (PC)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "apigateway_logging_enabled",
+ "cloudtrail_multi_region_enabled",
+ "cloudtrail_cloudwatch_logging_enabled",
+ "elbv2_logging_enabled",
+ "elb_logging_enabled",
+ "vpc_flow_logs_enabled"
+ ]
+ },
+ {
+ "Id": "d3-pc-im-b-5",
+ "Name": "D3.PC.Im.B.5",
+ "Description": "Systems configurations (for servers, desktops, routers, etc.) follow industry standards and are enforced",
+ "Attributes": [
+ {
+ "ItemId": "d3-pc-im-b-5",
+ "Section": "Cybersecurity Controls (Domain 3)",
+ "SubSection": "Preventative Controls (PC)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "ec2_instance_managed_by_ssm",
+ "ssm_managed_compliant_patching",
+ "ssm_managed_compliant_patching"
+ ]
+ },
+ {
+ "Id": "d3-pc-im-b-6",
+ "Name": "D3.PC.Im.B.6",
+ "Description": "Ports, functions, protocols and services are prohibited if no longer needed for business purposes.",
+ "Attributes": [
+ {
+ "ItemId": "d3-pc-im-b-6",
+ "Section": "Cybersecurity Controls (Domain 3)",
+ "SubSection": "Preventative Controls (PC)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "ec2_securitygroup_default_restrict_traffic",
+ "ec2_networkacl_allow_ingress_any_port",
+ "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
+ "ec2_networkacl_allow_ingress_any_port"
+ ]
+ },
+ {
+ "Id": "d3-pc-im-b-7",
+ "Name": "D3.PC.Im.B.7",
+ "Description": "Access to make changes to systems configurations (including virtual machines and hypervisors) is controlled and monitored.",
+ "Attributes": [
+ {
+ "ItemId": "d3-pc-im-b-7",
+ "Section": "Cybersecurity Controls (Domain 3)",
+ "SubSection": "Preventative Controls (PC)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "cloudtrail_multi_region_enabled",
+ "cloudtrail_cloudwatch_logging_enabled",
+ "iam_policy_no_administrative_privileges",
+ "iam_policy_attached_only_to_group_or_roles",
+
"iam_policy_no_administrative_privileges"
+ ]
+ },
+ {
+ "Id": "d3-pc-se-b-1",
+ "Name": "D3.PC.Se.B.1",
+ "Description": "Developers working for the institution follow secure program coding practices, as part of a system development life cycle (SDLC), that meet industry standards.",
+ "Attributes": [
+ {
+ "ItemId": "d3-pc-se-b1",
+ "Section": "Cybersecurity Controls (Domain 3)",
+ "SubSection": "Preventative Controls (PC)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": []
+ },
+ {
+ "Id": "d4-c-co-b-2",
+ "Name": "D4.C.Co.B.2",
+ "Description": "The institution ensures that third-party connections are authorized.",
+ "Attributes": [
+ {
+ "ItemId": "d4-c-co-b-2",
+ "Section": "External Dependency Management (Domain 4)",
+ "SubSection": "Connections (C)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "ec2_securitygroup_default_restrict_traffic",
+ "ec2_networkacl_allow_ingress_any_port",
+ "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
+ "ec2_networkacl_allow_ingress_any_port"
+ ]
+ },
+ {
+ "Id": "d5-dr-de-b-1",
+ "Name": "D5.DR.De.B.1",
+ "Description": "Alert parameters are set for detecting information security incidents that prompt mitigating actions.",
+ "Attributes": [
+ {
+ "ItemId": "d5-dr-de-b-1",
+ "Section": "Cyber Incident Management and Resilience (Domain 5)",
+ "SubSection": "Detection, Response, & Mitigation (DR)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "cloudwatch_changes_to_network_acls_alarm_configured",
+ "cloudwatch_changes_to_network_gateways_alarm_configured",
+ "cloudwatch_changes_to_network_route_tables_alarm_configured",
+ "cloudwatch_changes_to_vpcs_alarm_configured",
+ "guardduty_is_enabled",
+ "securityhub_enabled"
+ ]
+ },
+ {
+ "Id": "d5-dr-de-b-2",
+ "Name": "D5.DR.De.B.2",
+ "Description": "System performance reports contain information that can be used as a risk indicator to detect information security incidents.",
+ "Attributes": [
+ {
+ "ItemId": "d5-dr-de-b-2",
+ "Section": "Cyber Incident Management and 
Resilience (Domain 5)",
+ "SubSection": "Detection, Response, & Mitigation (DR)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": []
+ },
+ {
+ "Id": "d5-dr-de-b-3",
+ "Name": "D5.DR.De.B.3",
+ "Description": "Tools and processes are in place to detect, alert, and trigger the incident response program.",
+ "Attributes": [
+ {
+ "ItemId": "d5-dr-de-b-3",
+ "Section": "Cyber Incident Management and Resilience (Domain 5)",
+ "SubSection": "Detection, Response, & Mitigation (DR)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "cloudtrail_multi_region_enabled",
+ "cloudtrail_s3_dataevents_read_enabled",
+ "cloudtrail_s3_dataevents_write_enabled",
+ "cloudtrail_multi_region_enabled",
+ "cloudtrail_cloudwatch_logging_enabled",
+ "cloudwatch_changes_to_network_acls_alarm_configured",
+ "cloudwatch_changes_to_network_gateways_alarm_configured",
+ "cloudwatch_changes_to_network_route_tables_alarm_configured",
+ "cloudwatch_changes_to_vpcs_alarm_configured",
+ "elbv2_logging_enabled",
+ "elb_logging_enabled",
+ "guardduty_is_enabled",
+ "rds_instance_integration_cloudwatch_logs",
+ "redshift_cluster_audit_logging",
+ "s3_bucket_server_access_logging_enabled",
+ "securityhub_enabled"
+ ]
+ },
+ {
+ "Id": "d5-er-es-b-4",
+ "Name": "D5.ER.Es.B.4",
+ "Description": "Incidents are classified, logged and tracked.",
+ "Attributes": [
+ {
+ "ItemId": "d5-er-es-b-4",
+ "Section": "Cyber Incident Management and Resilience (Domain 5)",
+ "SubSection": "Escalation and Reporting (ER)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "guardduty_no_high_severity_findings"
+ ]
+ },
+ {
+ "Id": "d5-ir-pl-b-6",
+ "Name": "D5.IR.Pl.B.6",
+ "Description": "The institution plans to use business continuity, disaster recovery, and data backup programs to recover operations following an incident.",
+ "Attributes": [
+ {
+ "ItemId": "d5-ir-pl-b-6",
+ "Section": "Cyber Incident Management and Resilience (Domain 5)",
+ "SubSection": "Incident Resilience Planning & Strategy (IR)",
+ "Service": "aws"
+ }
+ ],
+
"Checks": [
+ "dynamodb_tables_pitr_enabled",
+ "elbv2_deletion_protection",
+ "rds_instance_enhanced_monitoring_enabled",
+ "rds_instance_backup_enabled",
+ "rds_instance_deletion_protection",
+ "rds_instance_multi_az",
+ "rds_instance_backup_enabled",
+ "s3_bucket_object_versioning"
+ ]
+ }
+ ]
+}
diff --git a/prowler/compliance/aws/gdpr_aws.json b/prowler/compliance/aws/gdpr_aws.json
new file mode 100644
index 00000000..eada401e
--- /dev/null
+++ b/prowler/compliance/aws/gdpr_aws.json
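Review bot: Several requirements list the same check id more than once inside a single `Checks` array — `rds_instance_backup_enabled` twice under d1-rm-rm-b-1 and d5-ir-pl-b-6, `cloudtrail_multi_region_enabled` twice under d2-ma-ma-b-1 and the other logging entries, `iam_policy_no_administrative_privileges` twice under d3-pc-am-b-16 and d3-pc-am-b-2, `ec2_networkacl_allow_ingress_any_port` twice under d3-pc-am-b-10 — which would double-count those checks in any per-requirement pass/fail tally unless the loader deduplicates, so each array should be trimmed to unique ids. The `ItemId` of D3.PC.Se.B.1 is `d3-pc-se-b1` while its `Id` is `d3-pc-se-b-1`, unlike every other entry where the two match. The `Description` of D2.MA.Ma.B.1 repeats D2.IS.Is.B.1's text verbatim, which reads like a copy-paste and is worth checking against the source document. `Version` is an empty string, so consumers of the framework metadata get no edition to cite.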
@@ -0,0 +1,126 @@
+{
+ "Framework": "GDPR",
+ "Version": "",
+ "Provider": "AWS",
+ "Description": "The General Data Protection Regulation (GDPR) is a new European privacy law that became enforceable on May 25, 2018. The GDPR replaces the EU Data Protection Directive, also known as Directive 95/46/EC. It's intended to harmonize data protection laws throughout the European Union (EU). It does this by applying a single data protection law that's binding throughout each EU member state.",
+ "Requirements": [
+ {
+ "Id": "article_25",
+ "Name": "Article 25 Data protection by design and by default",
+ "Description": "To obtain the latest version of the official guide, please visit https://gdpr-info.eu/art-25-gdpr/. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects. The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons. 
An approved certification mechanism pursuant to Article 42 may be used as an element to demonstrate compliance with the requirements set out in paragraphs 1 and 2 of this Article.",
+ "Attributes": [
+ {
+ "ItemId": "article_25",
+ "Section": "Article 25 Data protection by design and by default",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "cloudtrail_logs_s3_bucket_is_not_publicly_accessible",
+ "cloudtrail_multi_region_enabled",
+ "cloudtrail_logs_s3_bucket_access_logging_enabled",
+ "cloudtrail_cloudwatch_logging_enabled",
+ "cloudtrail_kms_encryption_enabled",
+ "cloudtrail_log_file_validation_enabled",
+ "config_recorder_all_regions_enabled",
+ "iam_password_policy_minimum_length_14",
+ "iam_password_policy_lowercase",
+ "iam_password_policy_number",
+ "iam_password_policy_symbol",
+ "iam_password_policy_uppercase",
+ "iam_password_policy_reuse_24",
+ "iam_password_policy_minimum_length_14",
+ "iam_password_policy_lowercase",
+ "iam_password_policy_number",
+ "iam_password_policy_number",
+ "iam_password_policy_symbol",
+ "iam_password_policy_uppercase",
+ "iam_policy_no_administrative_privileges",
+ "iam_root_hardware_mfa_enabled",
+ "iam_root_mfa_enabled",
+ "iam_no_root_access_key",
+ "iam_support_role_created",
+ "iam_rotate_access_key_90_days",
+ "iam_user_mfa_enabled_console_access",
+ "iam_disable_90_days_credentials",
+ "kms_cmk_rotation_enabled",
+ "cloudwatch_log_metric_filter_for_s3_bucket_policy_changes",
+ "cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled",
+ "cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled",
+ "cloudwatch_log_metric_filter_authentication_failures",
+ "cloudwatch_log_metric_filter_sign_in_without_mfa",
+ "cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk",
+ "cloudwatch_log_metric_filter_policy_changes",
+ "cloudwatch_log_metric_filter_root_usage",
+ "cloudwatch_log_metric_filter_security_group_changes",
+
"cloudwatch_log_metric_filter_unauthorized_api_calls",
+ "vpc_flow_logs_enabled"
+ ]
+ },
+ {
+ "Id": "article_30",
+ "Name": "Article 30 Records of processing activities",
+ "Description": " To obtain the latest version of the official guide, please visit https://www.privacy-regulation.eu/en/article-30-records-of-processing-activities-GDPR.htm. Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information like the name and contact details of the controller and where applicable, the joint controller, the controller's representative and the data protection officer, the purposes of the processing etc. Each processor and where applicable, the processor's representative shall maintain a record of all categories of processing activities carried out on behalf of a controller, containing the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable of the controller's or the processor's representative, and the data protection officer, where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards. The records referred to in paragraphs 1 and 2 shall be in writing, including in electronic form. The controller or the processor and, where applicable, the controller's or the processor's representative, shall make the record available to the supervisory authority on request. 
The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.",
+ "Attributes": [
+ {
+ "ItemId": "article_30",
+ "Section": "Article 30 Records of processing activities",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "cloudtrail_multi_region_enabled",
+ "cloudtrail_s3_dataevents_read_enabled",
+ "cloudtrail_s3_dataevents_write_enabled",
+ "cloudtrail_multi_region_enabled",
+ "cloudtrail_cloudwatch_logging_enabled",
+ "cloudtrail_kms_encryption_enabled",
+ "config_recorder_all_regions_enabled",
+ "elbv2_logging_enabled",
+ "elb_logging_enabled",
+ "kms_cmk_rotation_enabled",
+ "redshift_cluster_audit_logging",
+ "vpc_flow_logs_enabled"
+ ]
+ },
+ {
+ "Id": "article_32",
+ "Name": "Article 32 Security of processing",
+ "Description": " To obtain the latest version of the official guide, please visit https://gdpr-info.eu/art-32-gdpr/. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed. 
Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article. The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law.",
+ "Attributes": [
+ {
+ "ItemId": "article_32",
+ "Section": "Article 32 Security of processing",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "acm_certificates_expiration_check",
+ "cloudfront_distributions_https_enabled",
+ "cloudtrail_kms_encryption_enabled",
+ "cloudtrail_log_file_validation_enabled",
+ "dynamodb_accelerator_cluster_encryption_enabled",
+ "dynamodb_tables_kms_cmk_encryption_enabled",
+ "dynamodb_tables_kms_cmk_encryption_enabled",
+ "ec2_ebs_volume_encryption",
+ "ec2_ebs_volume_encryption",
+ "efs_encryption_at_rest_enabled",
+ "elb_ssl_listeners",
+ "opensearch_service_domains_encryption_at_rest_enabled",
+ "opensearch_service_domains_node_to_node_encryption_enabled",
+ "cloudwatch_log_group_kms_encryption_enabled",
+ "rds_instance_storage_encrypted",
+ "rds_instance_backup_enabled",
+ "rds_instance_integration_cloudwatch_logs",
+ "rds_instance_storage_encrypted",
+ "redshift_cluster_automated_snapshot",
+ "redshift_cluster_audit_logging",
+ "s3_bucket_default_encryption",
+ "s3_bucket_default_encryption",
+ "s3_bucket_secure_transport_policy",
+ "sagemaker_notebook_instance_encryption_enabled",
+ "sns_topics_kms_encryption_at_rest_enabled"
+ ]
+ }
+ ]
+}
diff --git a/prowler/compliance/aws/gxp_21_cfr_part_11_aws.json b/prowler/compliance/aws/gxp_21_cfr_part_11_aws.json
new file mode 100644
index 00000000..8d79ac89
--- /dev/null
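Review bot: The `Checks` arrays in this file repeat entries — `article_25` lists `iam_password_policy_number` three times and `iam_password_policy_minimum_length_14`, `iam_password_policy_lowercase`, `iam_password_policy_symbol` and `iam_password_policy_uppercase` twice each, `article_30` repeats `cloudtrail_multi_region_enabled`, and `article_32` repeats `dynamodb_tables_kms_cmk_encryption_enabled`, `ec2_ebs_volume_encryption`, `rds_instance_storage_encrypted` and `s3_bucket_default_encryption`. Unless the compliance loader deduplicates (not visible in this diff), each repeated name would produce a duplicated finding line per requirement in the compliance output and skew any per-requirement pass/fail counts, so the repeats should be dropped here or collapsed when the framework is loaded. The `Description` values of `article_30` and `article_32` also begin with a leading space (`" To obtain the latest version..."`), unlike `article_25`, and that space will surface verbatim in rendered reports. The same duplicate pattern is present in the `gxp_21_cfr_part_11_aws.json` and `gxp_eu_annex_11_aws.json` hunks below.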
+++ b/prowler/compliance/aws/gxp_21_cfr_part_11_aws.json
@@ -0,0 +1,347 @@
+{
+ "Framework": "GxP-21-CFR-Part-11",
+ "Version": "",
+ "Provider": "AWS",
+ "Description": "GxP refers to the regulations and guidelines that are applicable to life sciences organizations that make food and medical products. Medical products that fall under this include medicines, medical devices, and medical software applications. The overall intent of GxP requirements is to ensure that food and medical products are safe for consumers. It's also to ensure the integrity of data that's used to make product-related safety decisions.",
+ "Requirements": [
+ {
+ "Id": "11.10-a",
+ "Name": "11.10(a)",
+ "Description": "Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls shall include the following: (a) Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.",
+ "Attributes": [
+ {
+ "ItemId": "11.10-a",
+ "Section": "11.10 Controls for closed systems",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "cloudtrail_log_file_validation_enabled",
+ "dynamodb_tables_pitr_enabled",
+ "ec2_instance_managed_by_ssm",
+ "ec2_instance_older_than_specific_days",
+ "elbv2_deletion_protection",
+ "rds_instance_backup_enabled",
+ "rds_instance_deletion_protection",
+ "rds_instance_backup_enabled",
+ "rds_instance_multi_az",
+ "redshift_cluster_automated_snapshot",
+ "s3_bucket_object_versioning",
+ "ssm_managed_compliant_patching",
+ "ssm_managed_compliant_patching"
+ ]
+ },
+ {
+ "Id": "11.10-c",
+ "Name": "11.10(c)",
+ "Description": "Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure 
the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls shall include the following: (c) Protection of records to enable their accurate and ready retrieval throughout the records retention period.",
+ "Attributes": [
+ {
+ "ItemId": "11.10-c",
+ "Section": "11.10 Controls for closed systems",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "cloudtrail_kms_encryption_enabled",
+ "cloudwatch_log_group_retention_policy_specific_days_enabled",
+ "rds_instance_storage_encrypted",
+ "rds_instance_storage_encrypted",
+ "rds_snapshots_public_access",
+ "redshift_cluster_audit_logging",
+ "redshift_cluster_public_access",
+ "s3_bucket_default_encryption",
+ "s3_bucket_secure_transport_policy",
+ "s3_bucket_public_access",
+ "s3_bucket_policy_public_write_access",
+ "s3_bucket_object_versioning",
+ "sagemaker_notebook_instance_without_direct_internet_access_configured",
+ "sagemaker_notebook_instance_encryption_enabled"
+ ]
+ },
+ {
+ "Id": "11.10-d",
+ "Name": "11.10(d)",
+ "Description": "Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. 
Such procedures and controls shall include the following: (d) Limiting system access to authorized individuals.",
+ "Attributes": [
+ {
+ "ItemId": "11.10-d",
+ "Section": "11.10 Controls for closed systems",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "ec2_ebs_public_snapshot",
+ "ec2_instance_profile_attached",
+ "ec2_instance_public_ip",
+ "ec2_instance_imdsv2_enabled",
+ "emr_cluster_master_nodes_no_public_ip",
+ "iam_password_policy_minimum_length_14",
+ "iam_password_policy_lowercase",
+ "iam_password_policy_number",
+ "iam_password_policy_number",
+ "iam_password_policy_symbol",
+ "iam_password_policy_uppercase",
+ "iam_policy_no_administrative_privileges",
+ "iam_policy_attached_only_to_group_or_roles",
+ "iam_policy_no_administrative_privileges",
+ "iam_root_hardware_mfa_enabled",
+ "iam_root_mfa_enabled",
+ "iam_no_root_access_key",
+ "iam_rotate_access_key_90_days",
+ "iam_user_mfa_enabled_console_access",
+ "iam_user_mfa_enabled_console_access",
+ "iam_disable_90_days_credentials",
+ "awslambda_function_not_publicly_accessible",
+ "awslambda_function_url_public",
+ "rds_instance_no_public_access",
+ "rds_snapshots_public_access",
+ "redshift_cluster_public_access",
+ "s3_bucket_public_access",
+ "s3_bucket_policy_public_write_access",
+ "s3_account_level_public_access_blocks",
+ "s3_bucket_public_access",
+ "sagemaker_notebook_instance_without_direct_internet_access_configured",
+ "secretsmanager_automatic_rotation_enabled",
+ "ec2_securitygroup_default_restrict_traffic",
+ "ec2_networkacl_allow_ingress_any_port",
+ "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
+ "ec2_networkacl_allow_ingress_any_port"
+ ]
+ },
+ {
+ "Id": "11.10-e",
+ "Name": "11.10(e)",
+ "Description": "Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the 
signer cannot readily repudiate the signed record as not genuine. Such procedures and controls shall include the following: (e) Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying.",
+ "Attributes": [
+ {
+ "ItemId": "11.10-d",
+ "Section": "11.10 Controls for closed systems",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "apigateway_logging_enabled",
+ "cloudtrail_multi_region_enabled",
+ "cloudtrail_s3_dataevents_read_enabled",
+ "cloudtrail_s3_dataevents_write_enabled",
+ "cloudtrail_multi_region_enabled",
+ "cloudtrail_cloudwatch_logging_enabled",
+ "cloudwatch_log_group_retention_policy_specific_days_enabled",
+ "elbv2_logging_enabled",
+ "elb_logging_enabled",
+ "opensearch_service_domains_cloudwatch_logging_enabled",
+ "rds_instance_integration_cloudwatch_logs",
+ "redshift_cluster_audit_logging",
+ "s3_bucket_server_access_logging_enabled",
+ "vpc_flow_logs_enabled"
+ ]
+ },
+ {
+ "Id": "11.10-g",
+ "Name": "11.10(g)",
+ "Description": "Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. 
Such procedures and controls shall include the following: (g) Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand.",
+ "Attributes": [
+ {
+ "ItemId": "11.10-g",
+ "Section": "11.10 Controls for closed systems",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "dynamodb_tables_kms_cmk_encryption_enabled",
+ "ec2_ebs_volume_encryption",
+ "ec2_ebs_public_snapshot",
+ "ec2_ebs_default_encryption",
+ "ec2_instance_profile_attached",
+ "ec2_instance_public_ip",
+ "ec2_instance_imdsv2_enabled",
+ "efs_encryption_at_rest_enabled",
+ "emr_cluster_master_nodes_no_public_ip",
+ "opensearch_service_domains_encryption_at_rest_enabled",
+ "opensearch_service_domains_node_to_node_encryption_enabled",
+ "iam_password_policy_minimum_length_14",
+ "iam_password_policy_lowercase",
+ "iam_password_policy_number",
+ "iam_password_policy_number",
+ "iam_password_policy_symbol",
+ "iam_password_policy_uppercase",
+ "iam_policy_no_administrative_privileges",
+ "iam_policy_attached_only_to_group_or_roles",
+ "iam_policy_no_administrative_privileges",
+ "iam_root_hardware_mfa_enabled",
+ "iam_root_mfa_enabled",
+ "iam_no_root_access_key",
+ "iam_rotate_access_key_90_days",
+ "iam_user_mfa_enabled_console_access",
+ "iam_user_mfa_enabled_console_access",
+ "iam_disable_90_days_credentials",
+ "awslambda_function_not_publicly_accessible",
+ "awslambda_function_url_public",
+ "rds_instance_no_public_access",
+ "rds_snapshots_public_access",
+ "redshift_cluster_public_access",
+ "s3_bucket_public_access",
+ "s3_bucket_policy_public_write_access",
+ "s3_account_level_public_access_blocks",
+ "s3_bucket_public_access",
+ "sagemaker_notebook_instance_without_direct_internet_access_configured",
+ "secretsmanager_automatic_rotation_enabled",
+ "ec2_securitygroup_default_restrict_traffic",
+
"ec2_networkacl_allow_ingress_any_port",
+ "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
+ "ec2_networkacl_allow_ingress_any_port"
+ ]
+ },
+ {
+ "Id": "11.10-h",
+ "Name": "11.10(h)",
+ "Description": "Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls shall include the following: (h) Use of device (e.g., terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction.",
+ "Attributes": [
+ {
+ "ItemId": "11.10-h",
+ "Section": "11.10 Controls for closed systems",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "ec2_instance_managed_by_ssm",
+ "ssm_managed_compliant_patching",
+ "ssm_managed_compliant_patching"
+ ]
+ },
+ {
+ "Id": "11.10-k",
+ "Name": "11.10(k)",
+ "Description": "Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls shall include the following: (k) Use of appropriate controls over systems documentation including: (1) Adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance. 
(2) Revision and change control procedures to maintain an audit trail that documents time-sequenced development and modification of systems documentation.",
+ "Attributes": [
+ {
+ "ItemId": "11.10-k",
+ "Section": "11.10 Controls for closed systems",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "cloudtrail_s3_dataevents_read_enabled",
+ "cloudtrail_s3_dataevents_write_enabled",
+ "cloudtrail_multi_region_enabled",
+ "cloudtrail_cloudwatch_logging_enabled",
+ "ec2_ebs_public_snapshot",
+ "emr_cluster_master_nodes_no_public_ip",
+ "rds_instance_integration_cloudwatch_logs",
+ "rds_instance_no_public_access",
+ "rds_snapshots_public_access",
+ "redshift_cluster_public_access",
+ "s3_bucket_server_access_logging_enabled",
+ "s3_bucket_public_access",
+ "s3_bucket_policy_public_write_access",
+ "sagemaker_notebook_instance_without_direct_internet_access_configured",
+ "ec2_securitygroup_default_restrict_traffic",
+ "ec2_networkacl_allow_ingress_any_port",
+ "ec2_networkacl_allow_ingress_any_port"
+ ]
+ },
+ {
+ "Id": "11.30",
+ "Name": "11.30 Controls for open systems",
+ "Description": "Persons who use open systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, as appropriate, the confidentiality of electronic records from the point of their creation to the point of their receipt. 
Such procedures and controls shall include those identified in 11.10, as appropriate, and additional measures such as document encryption and use of appropriate digital signature standards to ensure, as necessary under the circumstances, record authenticity, integrity, and confidentiality.",
+ "Attributes": [
+ {
+ "ItemId": "11.30",
+ "Section": "11.30 Controls for open systems",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "apigateway_client_certificate_enabled",
+ "cloudtrail_kms_encryption_enabled",
+ "cloudtrail_log_file_validation_enabled",
+ "dynamodb_tables_kms_cmk_encryption_enabled",
+ "ec2_ebs_volume_encryption",
+ "ec2_ebs_default_encryption",
+ "efs_encryption_at_rest_enabled",
+ "elbv2_insecure_ssl_ciphers",
+ "elb_ssl_listeners",
+ "opensearch_service_domains_encryption_at_rest_enabled",
+ "opensearch_service_domains_node_to_node_encryption_enabled",
+ "kms_cmk_rotation_enabled",
+ "cloudwatch_log_group_kms_encryption_enabled",
+ "rds_instance_storage_encrypted",
+ "rds_instance_storage_encrypted",
+ "redshift_cluster_audit_logging",
+ "s3_bucket_default_encryption",
+ "s3_bucket_default_encryption",
+ "s3_bucket_secure_transport_policy",
+ "sagemaker_notebook_instance_encryption_enabled",
+ "sns_topics_kms_encryption_at_rest_enabled"
+ ]
+ },
+ {
+ "Id": "11.200",
+ "Name": "11.200 Electronic signature components and controls",
+ "Description": "(a) Electronic signatures that are not based upon biometrics shall: (1) Employ at least two distinct identification components such as an identification code and password. (i) When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual. 
(ii) When an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components. (2) Be used only by their genuine owners; and (3) Be administered and executed to ensure that attempted use of an individual's electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals.",
+ "Attributes": [
+ {
+ "ItemId": "11.200",
+ "Section": "11.200 Electronic signature components and controls",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "iam_password_policy_minimum_length_14",
+ "iam_password_policy_lowercase",
+ "iam_password_policy_number",
+ "iam_password_policy_number",
+ "iam_password_policy_symbol",
+ "iam_password_policy_uppercase",
+ "iam_root_hardware_mfa_enabled",
+ "iam_root_mfa_enabled",
+ "iam_no_root_access_key",
+ "iam_rotate_access_key_90_days",
+ "iam_user_mfa_enabled_console_access",
+ "iam_user_mfa_enabled_console_access"
+ ]
+ },
+ {
+ "Id": "11.300-b",
+ "Name": "11.300(b)",
+ "Description": "Persons who use electronic signatures based upon use of identification codes in combination with passwords shall employ controls to ensure their security and integrity. 
Such controls shall include: (b) Ensuring that identification code and password issuances are periodically checked, recalled, or revised (e.g., to cover such events as password aging).",
+ "Attributes": [
+ {
+ "ItemId": "11.300-b",
+ "Section": "11.300 Controls for identification codes/passwords",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "iam_password_policy_minimum_length_14",
+ "iam_password_policy_lowercase",
+ "iam_password_policy_number",
+ "iam_password_policy_number",
+ "iam_password_policy_symbol",
+ "iam_password_policy_uppercase",
+ "iam_rotate_access_key_90_days",
+ "iam_disable_90_days_credentials",
+ "secretsmanager_automatic_rotation_enabled"
+ ]
+ },
+ {
+ "Id": "11.300-d",
+ "Name": "11.300(d)",
+ "Description": "Persons who use electronic signatures based upon use of identification codes in combination with passwords shall employ controls to ensure their security and integrity. Such controls shall include: (d) Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management.",
+ "Attributes": [
+ {
+ "ItemId": "11.300-d",
+ "Section": "11.300 Controls for identification codes/passwords",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "cloudtrail_multi_region_enabled",
+ "cloudtrail_cloudwatch_logging_enabled",
+ "guardduty_is_enabled",
+ "securityhub_enabled"
+ ]
+ }
+ ]
+}
diff --git a/prowler/compliance/aws/gxp_eu_annex_11_aws.json b/prowler/compliance/aws/gxp_eu_annex_11_aws.json
new file mode 100644
index 00000000..fdc28c39
--- /dev/null
+++ b/prowler/compliance/aws/gxp_eu_annex_11_aws.json
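Review bot: Requirement `11.10-e` carries `"ItemId": "11.10-d"` in its `Attributes`, which does not match its own `Id` and duplicates the `ItemId` of the preceding `11.10-d` entry, so anything that groups or reports findings by `ItemId` would attribute the audit-trail checks of 11.10(e) to 11.10(d); the line should read `"ItemId": "11.10-e"`. Every other requirement in this file keeps `ItemId` equal to `Id`, which points to a copy-paste slip rather than an intentional mapping. A small test that loads each `prowler/compliance/aws/*.json` file and asserts `ItemId == Id` for every entry would catch this class of error in future framework additions.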
@@ -0,0 +1,281 @@
+{
+ "Framework": "GxP-EU-Annex-11",
+ "Version": "",
+ "Provider": "AWS",
+ "Description": "The GxP EU Annex 11 framework is the European equivalent to the FDA 21 CFR part 11 framework in the United States. This annex applies to all forms of computerized systems that are used as part of Good Manufacturing Practices (GMP) regulated activities. A computerized system is a set of software and hardware components that together fulfill certain functionalities. The application should be validated and IT infrastructure should be qualified. Where a computerized system replaces a manual operation, there should be no resultant decrease in product quality, process control, or quality assurance. There should be no increase in the overall risk of the process.",
+ "Requirements": [
+ {
+ "Id": "1-risk-management",
+ "Name": "1 Risk Management",
+ "Description": "Risk management should be applied throughout the lifecycle of the computerised system taking into account patient safety, data integrity and product quality. 
As part of a risk management system, decisions on the extent of validation and data integrity controls should be based on a justified and documented risk assessment of the computerised system.",
+ "Attributes": [
+ {
+ "ItemId": "1-risk-management",
+ "Section": "General",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "cloudtrail_multi_region_enabled",
+ "securityhub_enabled"
+ ]
+ },
+ {
+ "Id": "5-data",
+ "Name": "5 Data",
+ "Description": "Computerised systems exchanging data electronically with other systems should include appropriate built-in checks for the correct and secure entry and processing of data, in order to minimize the risks.",
+ "Attributes": [
+ {
+ "ItemId": "5-data",
+ "Section": "Operational Phase",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "dynamodb_tables_pitr_enabled",
+ "dynamodb_tables_pitr_enabled",
+ "efs_have_backup_enabled",
+ "rds_instance_backup_enabled",
+ "rds_instance_backup_enabled",
+ "rds_instance_backup_enabled",
+ "redshift_cluster_automated_snapshot",
+ "s3_bucket_object_versioning"
+ ]
+ },
+ {
+ "Id": "7.1-data-storage-damage-protection",
+ "Name": "7.1 Data Storage - Damage Protection",
+ "Description": "Data should be secured by both physical and electronic means against damage. Stored data should be checked for accessibility, readability and accuracy. 
Access to data should be ensured throughout the retention period.",
+ "Attributes": [
+ {
+ "ItemId": "7.1-data-storage-damage-protection",
+ "Section": "Operational Phase",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "cloudtrail_kms_encryption_enabled",
+ "dynamodb_accelerator_cluster_encryption_enabled",
+ "dynamodb_tables_kms_cmk_encryption_enabled",
+ "dynamodb_tables_kms_cmk_encryption_enabled",
+ "dynamodb_tables_pitr_enabled",
+ "ec2_ebs_volume_encryption",
+ "ec2_ebs_default_encryption",
+ "efs_encryption_at_rest_enabled",
+ "eks_cluster_kms_cmk_encryption_in_secrets_enabled",
+ "opensearch_service_domains_encryption_at_rest_enabled",
+ "cloudwatch_log_group_kms_encryption_enabled",
+ "rds_instance_backup_enabled",
+ "rds_instance_storage_encrypted",
+ "rds_instance_backup_enabled",
+ "rds_instance_storage_encrypted",
+ "redshift_cluster_automated_snapshot",
+ "redshift_cluster_audit_logging",
+ "s3_bucket_default_encryption",
+ "s3_bucket_default_encryption",
+ "s3_bucket_object_versioning",
+ "sagemaker_notebook_instance_encryption_enabled",
+ "sns_topics_kms_encryption_at_rest_enabled"
+ ]
+ },
+ {
+ "Id": "7.2-data-storage-backups",
+ "Name": "7.2 Data Storage - Backups",
+ "Description": "Regular back-ups of all relevant data should be done. 
Integrity and accuracy of backup data and the ability to restore the data should be checked during validation and monitored periodically.",
+ "Attributes": [
+ {
+ "ItemId": "7.2-data-storage-backups",
+ "Section": "Operational Phase",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "rds_instance_backup_enabled",
+ "dynamodb_tables_pitr_enabled",
+ "dynamodb_tables_pitr_enabled",
+ "efs_have_backup_enabled",
+ "rds_instance_backup_enabled",
+ "rds_instance_backup_enabled",
+ "redshift_cluster_automated_snapshot",
+ "s3_bucket_object_versioning"
+ ]
+ },
+ {
+ "Id": "8.2-printouts-data-changes",
+ "Name": "8.2 Printouts - Data Changes",
+ "Description": "For records supporting batch release it should be possible to generate printouts indicating if any of the data has been changed since the original entry.",
+ "Attributes": [
+ {
+ "ItemId": "8.2-printouts-data-changes",
+ "Section": "Operational Phase",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "cloudtrail_s3_dataevents_read_enabled",
+ "cloudtrail_s3_dataevents_write_enabled"
+ ]
+ },
+ {
+ "Id": "9-audit-trails",
+ "Name": "9 Audit Trails",
+ "Description": "Consideration should be given, based on a risk assessment, to building into the system the creation of a record of all GMP-relevant changes and deletions (a system generated 'audit trail'). For change or deletion of GMP-relevant data the reason should be documented. 
Audit trails need to be available and convertible to a generally intelligible form and regularly reviewed.",
+ "Attributes": [
+ {
+ "ItemId": "9-audit-trails",
+ "Section": "Operational Phase",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "cloudtrail_s3_dataevents_read_enabled",
+ "cloudtrail_s3_dataevents_write_enabled"
+ ]
+ },
+ {
+ "Id": "10-change-and-configuration-management",
+ "Name": "10 Change and Configuration Management",
+ "Description": "Any changes to a computerised system including system configurations should only be made in a controlled manner in accordance with a defined procedure.",
+ "Attributes": [
+ {
+ "ItemId": "10-change-and-configuration-management",
+ "Section": "Operational Phase",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "config_recorder_all_regions_enabled"
+ ]
+ },
+ {
+ "Id": "12.4-security-audit-trail",
+ "Name": "12.4 Security - Audit Trail",
+ "Description": "Management systems for data and for documents should be designed to record the identity of operators entering, changing, confirming or deleting data including date and time.",
+ "Attributes": [
+ {
+ "ItemId": "12.4-security-audit-trail",
+ "Section": "Operational Phase",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "cloudtrail_s3_dataevents_read_enabled",
+ "cloudtrail_s3_dataevents_write_enabled"
+ ]
+ },
+ {
+ "Id": "16-business-continuity",
+ "Name": "16 Business Continuity",
+ "Description": "For the availability of computerised systems supporting critical processes, provisions should be made to ensure continuity of support for those processes in the event of a system breakdown (e.g. a manual or alternative system). The time required to bring the alternative arrangements into use should be based on risk and appropriate for a particular system and the business process it supports. 
These arrangements should be adequately documented and tested.",
+ "Attributes": [
+ {
+ "ItemId": "16-business-continuity",
+ "Section": "Operational Phase",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "dynamodb_tables_pitr_enabled",
+ "dynamodb_tables_pitr_enabled",
+ "efs_have_backup_enabled",
+ "efs_have_backup_enabled",
+ "rds_instance_backup_enabled",
+ "rds_instance_backup_enabled",
+ "rds_instance_backup_enabled",
+ "redshift_cluster_automated_snapshot",
+ "s3_bucket_object_versioning"
+ ]
+ },
+ {
+ "Id": "17-archiving",
+ "Name": "17 Archiving",
+ "Description": "Data may be archived. This data should be checked for accessibility, readability and integrity. If relevant changes are to be made to the system (e.g. computer equipment or programs), then the ability to retrieve the data should be ensured and tested.",
+ "Attributes": [
+ {
+ "ItemId": "17-archiving",
+ "Section": "Operational Phase",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "dynamodb_tables_pitr_enabled",
+ "dynamodb_tables_pitr_enabled",
+ "efs_have_backup_enabled",
+ "efs_have_backup_enabled",
+ "rds_instance_backup_enabled",
+ "rds_instance_backup_enabled",
+ "rds_instance_backup_enabled",
+ "redshift_cluster_automated_snapshot",
+ "s3_bucket_object_versioning"
+ ]
+ },
+ {
+ "Id": "4.2-validation-documentation-change-control",
+ "Name": "4.2 Validation - Documentation Change Control",
+ "Description": "Validation documentation should include change control records (if applicable) and reports on any deviations observed during the validation process.",
+ "Attributes": [
+ {
+ "ItemId": "4.2-validation-documentation-change-control",
+ "Section": "Project Phase",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "cloudtrail_multi_region_enabled"
+ ]
+ },
+ {
+ "Id": "4.5-validation-development-quality",
+ "Name": "4.5 Validation - Development Quality",
+ "Description": "The regulated user should take all reasonable steps, to ensure that the system has been developed in accordance with an 
appropriate quality management system. The supplier should be assessed appropriately.",
+ "Attributes": [
+ {
+ "ItemId": "4.5-validation-development-quality",
+ "Section": "Project Phase",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "config_recorder_all_regions_enabled"
+ ]
+ },
+ {
+ "Id": "4.6-validation-quality-performance",
+ "Name": "4.6 Validation - Quality and Performance",
+ "Description": "For the validation of bespoke or customised computerised systems there should be a process in place that ensures the formal assessment and reporting of quality and performance measures for all the life-cycle stages of the system.",
+ "Attributes": [
+ {
+ "ItemId": "4.6-validation-quality-performance",
+ "Section": "Project Phase",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "config_recorder_all_regions_enabled"
+ ]
+ },
+ {
+ "Id": "4.8-validation-data-transfer",
+ "Name": "4.8 Validation - Data Transfer",
+ "Description": "If data are transferred to another data format or system, validation should include checks that data are not altered in value and/or meaning during this migration process.",
+ "Attributes": [
+ {
+ "ItemId": "4.8-validation-data-transfer",
+ "Section": "Project Phase",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "dynamodb_tables_pitr_enabled",
+ "dynamodb_tables_pitr_enabled",
+ "efs_have_backup_enabled",
+ "efs_have_backup_enabled",
+ "rds_instance_backup_enabled",
+ "rds_instance_backup_enabled",
+ "rds_instance_backup_enabled",
+ "redshift_cluster_automated_snapshot",
+ "s3_bucket_object_versioning"
+ ]
+ }
+ ]
+}
diff --git a/prowler/compliance/aws/hipaa_aws.json b/prowler/compliance/aws/hipaa_aws.json
new file mode 100644
index 00000000..4cc7d157
--- /dev/null
+++ b/prowler/compliance/aws/hipaa_aws.json
@@ -0,0 +1,773 @@
+{
+ "Framework": "HIPAA",
+ "Version": "",
+ "Provider": "AWS",
+ "Description": "The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is legislation that helps US workers to retain health insurance coverage when they change or lose jobs. The legislation also seeks to encourage electronic health records to improve the efficiency and quality of the US healthcare system through improved information sharing.",
+ "Requirements": [
+ {
+ "Id": "164_308_a_1_ii_a",
+ "Name": "164.308(a)(1)(ii)(A) Risk analysis",
+ "Description": "Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.",
+ "Attributes": [
+ {
+ "ItemId": "164_308_a_1_ii_a",
+ "Section": "164.308 Administrative Safeguards",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "config_recorder_all_regions_enabled",
+ "guardduty_is_enabled"
+ ]
+ },
+ {
+ "Id": "164_308_a_1_ii_b",
+ "Name": "164.308(a)(1)(ii)(B) Risk Management",
+ "Description": "Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with 164.306(a): Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits.",
+ "Attributes": [
+ {
+ "ItemId": "164_308_a_1_ii_b",
+ "Section": "164.308 Administrative Safeguards",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "cloudtrail_kms_encryption_enabled",
+ "cloudtrail_log_file_validation_enabled",
+ "dynamodb_tables_pitr_enabled",
+ "ec2_ebs_public_snapshot",
+ "ec2_ebs_volume_encryption",
+ "ec2_ebs_default_encryption",
+ "ec2_instance_public_ip",
+ "ec2_instance_older_than_specific_days",
+ "efs_encryption_at_rest_enabled",
+ "elbv2_deletion_protection",
+ "elb_ssl_listeners",
+
"emr_cluster_master_nodes_no_public_ip",
+ "opensearch_service_domains_encryption_at_rest_enabled",
+ "iam_policy_no_administrative_privileges",
+ "iam_no_root_access_key",
+ "awslambda_function_not_publicly_accessible",
+ "awslambda_function_url_public",
+ "cloudwatch_log_group_kms_encryption_enabled",
+ "rds_instance_backup_enabled",
+ "rds_instance_storage_encrypted",
+ "rds_instance_multi_az",
+ "rds_instance_storage_encrypted",
+ "rds_snapshots_public_access",
+ "redshift_cluster_audit_logging",
+ "redshift_cluster_public_access",
+ "s3_bucket_default_encryption",
+ "s3_bucket_secure_transport_policy",
+ "s3_bucket_public_access",
+ "s3_bucket_policy_public_write_access",
+ "s3_bucket_object_versioning",
+ "s3_account_level_public_access_blocks",
+ "sagemaker_notebook_instance_without_direct_internet_access_configured",
+ "sagemaker_notebook_instance_encryption_enabled",
+ "sns_topics_kms_encryption_at_rest_enabled",
+ "ec2_networkacl_allow_ingress_any_port",
+ "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
+ "ec2_networkacl_allow_ingress_any_port"
+ ]
+ },
+ {
+ "Id": "164_308_a_1_ii_d",
+ "Name": "164.308(a)(1)(ii)(D) Information system activity review",
+ "Description": "Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.",
+ "Attributes": [
+ {
+ "ItemId": "164_308_a_1_ii_d",
+ "Section": "164.308 Administrative Safeguards",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "apigateway_logging_enabled",
+ "cloudtrail_multi_region_enabled",
+ "cloudtrail_s3_dataevents_read_enabled",
+ "cloudtrail_s3_dataevents_write_enabled",
+ "cloudtrail_multi_region_enabled",
+ "cloudtrail_cloudwatch_logging_enabled",
+ "cloudtrail_kms_encryption_enabled",
+ "cloudtrail_log_file_validation_enabled",
+ "elbv2_logging_enabled",
+ "elb_logging_enabled",
+ "guardduty_is_enabled",
+ "redshift_cluster_audit_logging",
+ "s3_bucket_server_access_logging_enabled",
+
"securityhub_enabled",
+ "vpc_flow_logs_enabled"
+ ]
+ },
+ {
+ "Id": "164_308_a_3_i",
+ "Name": "164.308(a)(3)(i) Workforce security",
+ "Description": "Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information.",
+ "Attributes": [
+ {
+ "ItemId": "164_308_a_3_i",
+ "Section": "164.308 Administrative Safeguards",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "ec2_ebs_public_snapshot",
+ "ec2_instance_public_ip",
+ "iam_policy_no_administrative_privileges",
+ "iam_no_root_access_key",
+ "awslambda_function_not_publicly_accessible",
+ "awslambda_function_url_public",
+ "rds_instance_no_public_access",
+ "rds_snapshots_public_access",
+ "redshift_cluster_public_access",
+ "s3_bucket_public_access",
+ "s3_bucket_policy_public_write_access",
+ "s3_account_level_public_access_blocks",
+ "sagemaker_notebook_instance_without_direct_internet_access_configured"
+ ]
+ },
+ {
+ "Id": "164_308_a_3_ii_a",
+ "Name": "164.308(a)(3)(ii)(A) Authorization and/or supervision",
+ "Description": "Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.",
+ "Attributes": [
+ {
+ "ItemId": "164_308_a_3_ii_a",
+ "Section": "164.308 Administrative Safeguards",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "apigateway_logging_enabled",
+ "cloudtrail_multi_region_enabled",
+ "cloudtrail_s3_dataevents_read_enabled",
+ "cloudtrail_s3_dataevents_write_enabled",
+ "cloudtrail_multi_region_enabled",
+ "elbv2_logging_enabled",
+ "elb_logging_enabled",
+ "guardduty_is_enabled",
+ "iam_root_hardware_mfa_enabled",
+ "iam_root_mfa_enabled",
+ "iam_user_mfa_enabled_console_access",
+
"iam_user_mfa_enabled_console_access",
+ "redshift_cluster_audit_logging",
+ "s3_bucket_server_access_logging_enabled",
+ "securityhub_enabled",
+ "vpc_flow_logs_enabled"
+ ]
+ },
+ {
+ "Id": "164_308_a_3_ii_b",
+ "Name": "164.308(a)(3)(ii)(B) Workforce clearance procedure",
+ "Description": "Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate.",
+ "Attributes": [
+ {
+ "ItemId": "164_308_a_3_ii_b",
+ "Section": "164.308 Administrative Safeguards",
+ "Service": "iam"
+ }
+ ],
+ "Checks": [
+ "iam_policy_no_administrative_privileges",
+ "iam_no_root_access_key",
+ "iam_disable_90_days_credentials"
+ ]
+ },
+ {
+ "Id": "164_308_a_3_ii_c",
+ "Name": "164.308(a)(3)(ii)(C) Termination procedures",
+ "Description": "Implement procedures for terminating access to electronic protected health information when the employment of, or other arrangement with, a workforce member ends or as required by determinations made as specified in paragraph (a)(3)(ii)(b).",
+ "Attributes": [
+ {
+ "ItemId": "164_308_a_3_ii_c",
+ "Section": "164.308 Administrative Safeguards",
+ "Service": "iam"
+ }
+ ],
+ "Checks": [
+ "iam_rotate_access_key_90_days"
+ ]
+ },
+ {
+ "Id": "164_308_a_4_i",
+ "Name": "164.308(a)(4)(i) Information access management",
+ "Description": "Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part.",
+ "Attributes": [
+ {
+ "ItemId": "164_308_a_4_i",
+ "Section": "164.308 Administrative Safeguards",
+ "Service": "iam"
+ }
+ ],
+ "Checks": [
+ "iam_policy_no_administrative_privileges"
+ ]
+ },
+ {
+ "Id": "164_308_a_4_ii_a",
+ "Name": "164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions",
+ "Description": "If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic
protected health information of the clearinghouse from unauthorized access by the larger organization.",
+ "Attributes": [
+ {
+ "ItemId": "164_308_a_4_ii_a",
+ "Section": "164.308 Administrative Safeguards",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "acm_certificates_expiration_check",
+ "cloudfront_distributions_https_enabled",
+ "cloudtrail_kms_encryption_enabled",
+ "dynamodb_accelerator_cluster_encryption_enabled",
+ "dynamodb_tables_kms_cmk_encryption_enabled",
+ "dynamodb_tables_kms_cmk_encryption_enabled",
+ "ec2_ebs_volume_encryption",
+ "ec2_ebs_volume_encryption",
+ "ec2_ebs_default_encryption",
+ "efs_encryption_at_rest_enabled",
+ "eks_cluster_kms_cmk_encryption_in_secrets_enabled",
+ "elb_ssl_listeners",
+ "opensearch_service_domains_encryption_at_rest_enabled",
+ "opensearch_service_domains_node_to_node_encryption_enabled",
+ "cloudwatch_log_group_kms_encryption_enabled",
+ "rds_instance_storage_encrypted",
+ "rds_instance_backup_enabled",
+ "rds_instance_integration_cloudwatch_logs",
+ "rds_instance_storage_encrypted",
+ "redshift_cluster_automated_snapshot",
+ "redshift_cluster_audit_logging",
+ "s3_bucket_default_encryption",
+ "s3_bucket_default_encryption",
+ "sagemaker_notebook_instance_encryption_enabled",
+ "sns_topics_kms_encryption_at_rest_enabled"
+ ]
+ },
+ {
+ "Id": "164_308_a_4_ii_b",
+ "Name": "164.308(a)(4)(ii)(B) Access authorization",
+ "Description": "Implement policies and procedures for granting access to electronic protected health information, As one illustrative example, through access to a workstation, transaction, program, process, or other mechanism.",
+ "Attributes": [
+ {
+ "ItemId": "164_308_a_4_ii_b",
+ "Section": "164.308 Administrative Safeguards",
+ "Service": "iam"
+ }
+ ],
+ "Checks": [
+ "iam_policy_no_administrative_privileges"
+ ]
+ },
+ {
+ "Id": "164_308_a_4_ii_c",
+ "Name": "164.308(a)(4)(ii)(B) Access authorization",
+ "Description": "Implement policies and procedures that, based upon the covered entity's
or the business associate's access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process.",
+ "Attributes": [
+ {
+ "ItemId": "164_308_a_4_ii_c",
+ "Section": "164.308 Administrative Safeguards",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "iam_password_policy_reuse_24",
+ "iam_policy_no_administrative_privileges",
+ "iam_no_root_access_key",
+ "iam_rotate_access_key_90_days",
+ "iam_disable_90_days_credentials",
+ "secretsmanager_automatic_rotation_enabled"
+ ]
+ },
+ {
+ "Id": "164_308_a_5_ii_b",
+ "Name": "164.308(a)(5)(ii)(B) Protection from malicious software",
+ "Description": "Procedures for guarding against, detecting, and reporting malicious software.",
+ "Attributes": [
+ {
+ "ItemId": "164_308_a_5_ii_b",
+ "Section": "164.308 Administrative Safeguards",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "ec2_instance_managed_by_ssm",
+ "ssm_managed_compliant_patching",
+ "ssm_managed_compliant_patching"
+ ]
+ },
+ {
+ "Id": "164_308_a_5_ii_c",
+ "Name": "164.308(a)(5)(ii)(C) Log-in monitoring",
+ "Description": "Procedures for monitoring log-in attempts and reporting discrepancies.",
+ "Attributes": [
+ {
+ "ItemId": "164_308_a_5_ii_c",
+ "Section": "164.308 Administrative Safeguards",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "guardduty_is_enabled",
+ "cloudwatch_log_metric_filter_authentication_failures",
+ "securityhub_enabled"
+ ]
+ },
+ {
+ "Id": "164_308_a_5_ii_d",
+ "Name": "164.308(a)(5)(ii)(D) Password management",
+ "Description": "Procedures for creating, changing, and safeguarding passwords.",
+ "Attributes": [
+ {
+ "ItemId": "164_308_a_5_ii_d",
+ "Section": "164.308 Administrative Safeguards",
+ "Service": "iam"
+ }
+ ],
+ "Checks": [
+ "iam_password_policy_minimum_length_14",
+ "iam_password_policy_lowercase",
+ "iam_password_policy_number",
+ "iam_password_policy_symbol",
+ "iam_password_policy_uppercase",
+ "iam_password_policy_reuse_24",
+
"iam_rotate_access_key_90_days",
+ "iam_disable_90_days_credentials"
+ ]
+ },
+ {
+ "Id": "164_308_a_6_i",
+ "Name": "164.308(a)(6)(i) Security incident procedures",
+ "Description": "Implement policies and procedures to address security incidents.",
+ "Attributes": [
+ {
+ "ItemId": "164_308_a_6_i",
+ "Section": "164.308 Administrative Safeguards",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "cloudwatch_changes_to_network_acls_alarm_configured",
+ "cloudwatch_changes_to_network_gateways_alarm_configured",
+ "cloudwatch_changes_to_network_route_tables_alarm_configured",
+ "cloudwatch_changes_to_vpcs_alarm_configured",
+ "guardduty_is_enabled",
+ "cloudwatch_log_metric_filter_authentication_failures",
+ "cloudwatch_log_metric_filter_root_usage",
+ "securityhub_enabled"
+ ]
+ },
+ {
+ "Id": "164_308_a_6_ii",
+ "Name": "164.308(a)(6)(ii) Response and reporting",
+ "Description": "Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes.",
+ "Attributes": [
+ {
+ "ItemId": "164_308_a_6_ii",
+ "Section": "164.308 Administrative Safeguards",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "apigateway_logging_enabled",
+ "cloudtrail_multi_region_enabled",
+ "cloudtrail_s3_dataevents_read_enabled",
+ "cloudtrail_s3_dataevents_write_enabled",
+ "cloudtrail_multi_region_enabled",
+ "cloudtrail_cloudwatch_logging_enabled",
+ "elbv2_logging_enabled",
+ "elb_logging_enabled",
+ "guardduty_is_enabled",
+ "guardduty_no_high_severity_findings",
+ "cloudwatch_log_metric_filter_authentication_failures",
+ "cloudwatch_log_metric_filter_root_usage",
+ "s3_bucket_server_access_logging_enabled",
+ "securityhub_enabled",
+ "vpc_flow_logs_enabled"
+ ]
+ },
+ {
+ "Id": "164_308_a_7_i",
+ "Name": "164.308(a)(7)(i) Contingency plan",
+ "Description": "Establish (and implement as needed) policies and
procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.",
+ "Attributes": [
+ {
+ "ItemId": "164_308_a_7_i",
+ "Section": "164.308 Administrative Safeguards",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "dynamodb_tables_pitr_enabled",
+ "dynamodb_tables_pitr_enabled",
+ "efs_have_backup_enabled",
+ "efs_have_backup_enabled",
+ "rds_instance_backup_enabled",
+ "rds_instance_backup_enabled",
+ "rds_instance_multi_az",
+ "rds_instance_backup_enabled",
+ "redshift_cluster_automated_snapshot",
+ "s3_bucket_object_versioning"
+ ]
+ },
+ {
+ "Id": "164_308_a_7_ii_a",
+ "Name": "164.308(a)(7)(ii)(A) Data backup plan",
+ "Description": "Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.",
+ "Attributes": [
+ {
+ "ItemId": "164_308_a_7_ii_a",
+ "Section": "164.308 Administrative Safeguards",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "dynamodb_tables_pitr_enabled",
+ "dynamodb_tables_pitr_enabled",
+ "efs_have_backup_enabled",
+ "efs_have_backup_enabled",
+ "rds_instance_backup_enabled",
+ "rds_instance_backup_enabled",
+ "rds_instance_multi_az",
+ "rds_instance_backup_enabled",
+ "redshift_cluster_automated_snapshot",
+ "s3_bucket_object_versioning"
+ ]
+ },
+ {
+ "Id": "164_308_a_7_ii_b",
+ "Name": "164.308(a)(7)(ii)(B) Disaster recovery plan",
+ "Description": "Establish (and implement as needed) procedures to restore any loss of data.",
+ "Attributes": [
+ {
+ "ItemId": "164_308_a_7_ii_b",
+ "Section": "164.308 Administrative Safeguards",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "dynamodb_tables_pitr_enabled",
+ "dynamodb_tables_pitr_enabled",
+ "efs_have_backup_enabled",
+ "efs_have_backup_enabled",
+ "rds_instance_backup_enabled",
+ "rds_instance_backup_enabled",
+ "rds_instance_multi_az",
+ "rds_instance_backup_enabled",
+
"redshift_cluster_automated_snapshot",
+ "s3_bucket_object_versioning"
+ ]
+ },
+ {
+ "Id": "164_308_a_7_ii_c",
+ "Name": "164.308(a)(7)(ii)(C) Emergency mode operation plan",
+ "Description": "Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.",
+ "Attributes": [
+ {
+ "ItemId": "164_308_a_7_ii_c",
+ "Section": "164.308 Administrative Safeguards",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "dynamodb_tables_pitr_enabled",
+ "dynamodb_tables_pitr_enabled",
+ "efs_have_backup_enabled",
+ "efs_have_backup_enabled",
+ "rds_instance_backup_enabled",
+ "rds_instance_backup_enabled",
+ "rds_instance_multi_az",
+ "rds_instance_backup_enabled",
+ "redshift_cluster_automated_snapshot",
+ "s3_bucket_object_versioning"
+ ]
+ },
+ {
+ "Id": "164_308_a_8",
+ "Name": "164.308(a)(8) Evaluation",
+ "Description": "Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which an entity's security policies and procedures meet the requirements of this subpart.",
+ "Attributes": [
+ {
+ "ItemId": "164_308_a_8",
+ "Section": "164.308 Administrative Safeguards",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "guardduty_is_enabled",
+ "securityhub_enabled"
+ ]
+ },
+ {
+ "Id": "164_312_a_1",
+ "Name": "164.312(a)(1) Access control",
+ "Description": "Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in 164.308(a)(4).",
+ "Attributes": [
+ {
+ "ItemId": "164_312_a_1",
+ "Section": "164.312 Technical Safeguards",
+
"Service": "aws"
+ }
+ ],
+ "Checks": [
+ "ec2_ebs_public_snapshot",
+ "ec2_instance_public_ip",
+ "emr_cluster_master_nodes_no_public_ip",
+ "iam_policy_no_administrative_privileges",
+ "iam_user_mfa_enabled_console_access",
+ "awslambda_function_not_publicly_accessible",
+ "awslambda_function_url_public",
+ "rds_instance_no_public_access",
+ "rds_snapshots_public_access",
+ "redshift_cluster_public_access",
+ "s3_bucket_public_access",
+ "s3_bucket_policy_public_write_access",
+ "s3_bucket_public_access",
+ "sagemaker_notebook_instance_without_direct_internet_access_configured"
+ ]
+ },
+ {
+ "Id": "164_312_a_2_i",
+ "Name": "164.312(a)(2)(i) Unique user identification",
+ "Description": "Assign a unique name and/or number for identifying and tracking user identity.",
+ "Attributes": [
+ {
+ "ItemId": "164_312_a_2_i",
+ "Section": "164.312 Technical Safeguards",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "cloudtrail_s3_dataevents_read_enabled",
+ "cloudtrail_s3_dataevents_write_enabled",
+ "iam_no_root_access_key",
+ "s3_bucket_public_access"
+ ]
+ },
+ {
+ "Id": "164_312_a_2_ii",
+ "Name": "164.312(a)(2)(ii) Emergency access procedure",
+ "Description": "Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.",
+ "Attributes": [
+ {
+ "ItemId": "164_312_a_2_ii",
+ "Section": "164.312 Technical Safeguards",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "dynamodb_tables_pitr_enabled",
+ "dynamodb_tables_pitr_enabled",
+ "efs_have_backup_enabled",
+ "efs_have_backup_enabled",
+ "rds_instance_backup_enabled",
+ "rds_instance_backup_enabled",
+ "rds_instance_backup_enabled",
+ "redshift_cluster_automated_snapshot",
+ "s3_bucket_object_versioning"
+ ]
+ },
+ {
+ "Id": "164_312_a_2_iv",
+ "Name": "164.312(a)(2)(iv) Encryption and decryption",
+ "Description": "Implement a mechanism to encrypt and decrypt electronic protected health information.",
+ "Attributes": [
+ {
+ "ItemId":
"164_312_a_2_iv",
+ "Section": "164.312 Technical Safeguards",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "cloudtrail_kms_encryption_enabled",
+ "dynamodb_accelerator_cluster_encryption_enabled",
+ "dynamodb_tables_kms_cmk_encryption_enabled",
+ "dynamodb_tables_kms_cmk_encryption_enabled",
+ "ec2_ebs_volume_encryption",
+ "ec2_ebs_default_encryption",
+ "efs_encryption_at_rest_enabled",
+ "eks_cluster_kms_cmk_encryption_in_secrets_enabled",
+ "opensearch_service_domains_encryption_at_rest_enabled",
+ "kms_cmk_rotation_enabled",
+ "cloudwatch_log_group_kms_encryption_enabled",
+ "rds_instance_storage_encrypted",
+ "rds_instance_storage_encrypted",
+ "redshift_cluster_audit_logging",
+ "s3_bucket_default_encryption",
+ "s3_bucket_default_encryption",
+ "s3_bucket_secure_transport_policy",
+ "sagemaker_notebook_instance_encryption_enabled",
+ "sns_topics_kms_encryption_at_rest_enabled"
+ ]
+ },
+ {
+ "Id": "164_312_b",
+ "Name": "164.312(b) Audit controls",
+ "Description": "Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.",
+ "Attributes": [
+ {
+ "ItemId": "164_312_b",
+ "Section": "164.312 Technical Safeguards",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "apigateway_logging_enabled",
+ "cloudtrail_multi_region_enabled",
+ "cloudtrail_s3_dataevents_read_enabled",
+ "cloudtrail_s3_dataevents_write_enabled",
+ "cloudtrail_multi_region_enabled",
+ "cloudtrail_cloudwatch_logging_enabled",
+ "cloudtrail_log_file_validation_enabled",
+ "cloudwatch_log_group_retention_policy_specific_days_enabled",
+ "elbv2_logging_enabled",
+ "elb_logging_enabled",
+ "guardduty_is_enabled",
+ "rds_instance_integration_cloudwatch_logs",
+ "redshift_cluster_audit_logging",
+ "s3_bucket_server_access_logging_enabled",
+ "securityhub_enabled",
+ "vpc_flow_logs_enabled"
+ ]
+ },
+ {
+ "Id": "164_312_c_1",
+ "Name": "164.312(c)(1) Integrity",
+ "Description":
"Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.",
+ "Attributes": [
+ {
+ "ItemId": "164_312_c_1",
+ "Section": "164.312 Technical Safeguards",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "cloudtrail_kms_encryption_enabled",
+ "cloudtrail_log_file_validation_enabled",
+ "ec2_ebs_volume_encryption",
+ "s3_bucket_default_encryption",
+ "s3_bucket_secure_transport_policy",
+ "s3_bucket_object_versioning"
+ ]
+ },
+ {
+ "Id": "164_312_c_2",
+ "Name": "164.312(c)(2) Mechanism to authenticate electronic protected health information",
+ "Description": "Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.",
+ "Attributes": [
+ {
+ "ItemId": "164_312_c_2",
+ "Section": "164.312 Technical Safeguards",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "cloudtrail_kms_encryption_enabled",
+ "cloudtrail_log_file_validation_enabled",
+ "ec2_ebs_volume_encryption",
+ "s3_bucket_default_encryption",
+ "s3_bucket_secure_transport_policy",
+ "s3_bucket_object_versioning",
+ "vpc_flow_logs_enabled"
+ ]
+ },
+ {
+ "Id": "164_312_d",
+ "Name": "164.312(d) Person or entity authentication",
+ "Description": "Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.",
+ "Attributes": [
+ {
+ "ItemId": "164_312_d",
+ "Section": "164.312 Technical Safeguards",
+ "Service": "iam"
+ }
+ ],
+ "Checks": [
+ "iam_password_policy_reuse_24",
+ "iam_root_hardware_mfa_enabled",
+ "iam_root_mfa_enabled",
+ "iam_user_mfa_enabled_console_access",
+ "iam_user_mfa_enabled_console_access"
+ ]
+ },
+ {
+ "Id": "164_312_e_1",
+ "Name": "164.312(e)(1) Transmission security",
+ "Description": "Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic
communications network.",
+ "Attributes": [
+ {
+ "ItemId": "164_312_e_1",
+ "Section": "164.312 Technical Safeguards",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "acm_certificates_expiration_check",
+ "cloudfront_distributions_https_enabled",
+ "elb_ssl_listeners",
+ "opensearch_service_domains_node_to_node_encryption_enabled",
+ "awslambda_function_not_publicly_accessible",
+ "s3_bucket_secure_transport_policy",
+ "ec2_networkacl_allow_ingress_any_port",
+ "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
+ "ec2_networkacl_allow_ingress_any_port"
+ ]
+ },
+ {
+ "Id": "164_312_e_2_i",
+ "Name": "164.312(e)(2)(i) Integrity controls",
+ "Description": "Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.",
+ "Attributes": [
+ {
+ "ItemId": "164_312_e_2_i",
+ "Section": "164.312 Technical Safeguards",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "cloudtrail_multi_region_enabled",
+ "cloudtrail_s3_dataevents_read_enabled",
+ "cloudtrail_s3_dataevents_write_enabled",
+ "cloudtrail_multi_region_enabled",
+ "cloudtrail_cloudwatch_logging_enabled",
+ "elb_ssl_listeners",
+ "guardduty_is_enabled",
+ "s3_bucket_secure_transport_policy",
+ "s3_bucket_server_access_logging_enabled",
+ "securityhub_enabled"
+ ]
+ },
+ {
+ "Id": "164_312_e_2_ii",
+ "Name": "164.312(e)(2)(ii) Encryption",
+ "Description": "Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.",
+ "Attributes": [
+ {
+ "ItemId": "164_312_e_2_ii",
+ "Section": "164.312 Technical Safeguards",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "cloudtrail_kms_encryption_enabled",
+ "dynamodb_accelerator_cluster_encryption_enabled",
+ "dynamodb_tables_kms_cmk_encryption_enabled",
+ "dynamodb_tables_kms_cmk_encryption_enabled",
+ "ec2_ebs_volume_encryption",
+ "ec2_ebs_default_encryption",
+ "efs_encryption_at_rest_enabled",
+
"eks_cluster_kms_cmk_encryption_in_secrets_enabled",
+ "elb_ssl_listeners",
+ "opensearch_service_domains_encryption_at_rest_enabled",
+ "cloudwatch_log_group_kms_encryption_enabled",
+ "rds_instance_storage_encrypted",
+ "rds_instance_storage_encrypted",
+ "redshift_cluster_audit_logging",
+ "s3_bucket_default_encryption",
+ "s3_bucket_default_encryption",
+ "s3_bucket_secure_transport_policy",
+ "sagemaker_notebook_instance_encryption_enabled",
+ "sns_topics_kms_encryption_at_rest_enabled"
+ ]
+ }
+ ]
+}
diff --git a/prowler/compliance/aws/nist_800_171_revision_2_aws.json b/prowler/compliance/aws/nist_800_171_revision_2_aws.json
new file mode 100644
index 00000000..93055f57
--- /dev/null
+++ b/prowler/compliance/aws/nist_800_171_revision_2_aws.json
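Review bot: The requirement with `"Id": "164_308_a_4_ii_c"` carries the title of the entry before it, `"Name": "164.308(a)(4)(ii)(B) Access authorization"`, while its Description is the text of 164.308(a)(4)(ii)(C), so two requirements would render under the same name in the compliance output; it should read `"Name": "164.308(a)(4)(ii)(C) Access establishment and modification"`. Several `Checks` arrays in this file also list the same check twice (`dynamodb_tables_pitr_enabled`, `rds_instance_storage_encrypted`, `cloudtrail_multi_region_enabled`, `iam_user_mfa_enabled_console_access`, `ec2_networkacl_allow_ingress_any_port`, `s3_bucket_default_encryption`, `s3_bucket_public_access`, `ssm_managed_compliant_patching`, among others); if the consumer iterates these lists as-is, each such finding is reported twice under the requirement, so the duplicates should be removed here rather than deduplicated at report time. `"Version": ""` is left empty on this framework; if the loader or the report surfaces that field, it is worth either filling it in or noting in the file that no version applies. The same duplicate-check pattern appears in the preceding gxp_eu_annex_11 hunk and the following nist_800_171_revision_2 hunk, both of which extend beyond this view.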
@@ -0,0 +1,1096 @@
+{
+ "Framework": "NIST-800-171-Revision-2",
+ "Version": "",
+ "Provider": "AWS",
+ "Description": "The cybersecurity controls within NIST 800-171 safeguard CUI in the IT networks of government contractors and subcontractors. It defines the practices and procedures that government contractors must adhere to when their networks process or store CUI. NIST 800-171 only applies to those parts of a contractor’s network where CUI is present.",
+ "Requirements": [
+ {
+ "Id": "3_1_1",
+ "Name": "3.1.1 Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems)",
+ "Description": "Access control policies (e.g., identity or role-based policies, control matrices, and cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, and domains) in systems. Access enforcement mechanisms can be employed at the application and service level to provide increased information security. Other systems include systems internal and external to the organization. This requirement focuses on account management for systems and applications. The definition of and enforcement of access authorizations, other than those determined by account type (e.g., privileged verses non-privileged) are addressed in requirement 3.1.2.",
+ "Attributes": [
+ {
+ "ItemId": "3_1_1",
+ "Section": "3.1 Access Control",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "ec2_ebs_public_snapshot",
+ "ec2_instance_profile_attached",
+ "ec2_instance_public_ip",
+ "eks_endpoints_not_publicly_accessible",
+ "emr_cluster_master_nodes_no_public_ip",
+ "iam_policy_no_administrative_privileges",
+ "iam_root_hardware_mfa_enabled",
+ "iam_root_mfa_enabled",
+ "iam_no_root_access_key",
+ "iam_user_mfa_enabled_console_access",
+ "iam_user_mfa_enabled_console_access",
+ "iam_disable_90_days_credentials",
+ "awslambda_function_not_publicly_accessible",
+ "awslambda_function_url_public",
+ "rds_instance_no_public_access",
+ "rds_snapshots_public_access",
+ "redshift_cluster_public_access",
+ "s3_bucket_public_access",
+ "s3_bucket_policy_public_write_access",
+ "s3_account_level_public_access_blocks",
+ "sagemaker_notebook_instance_without_direct_internet_access_configured",
+ "ec2_securitygroup_default_restrict_traffic",
+ "ec2_networkacl_allow_ingress_any_port",
+ "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
+ "ec2_networkacl_allow_ingress_any_port"
+ ]
+ },
+ {
+ "Id": "3_1_2",
+ "Name": "3.1.2 Limit system access to the types of transactions and functions that authorized users are permitted to execute",
+ "Description": "Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. System account types include individual, shared, group, system, anonymous, guest, emergency, developer, manufacturer, vendor, and temporary. Other attributes required for authorizing access include restrictions on time-of-day, day-of-week, and point-oforigin. In defining other account attributes, organizations consider system-related requirements (e.g., system upgrades scheduled maintenance,) and mission or business requirements, (e.g., time zone differences, customer requirements, remote access to support travel requirements).",
+ "Attributes": [
+ {
+ "ItemId": "3_1_2",
+ "Section": "3.1 Access Control",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "ec2_ebs_public_snapshot",
+ "ec2_instance_profile_attached",
+ "ec2_instance_public_ip",
+ "eks_endpoints_not_publicly_accessible",
+ "emr_cluster_master_nodes_no_public_ip",
+ "iam_policy_no_administrative_privileges",
+ "iam_root_hardware_mfa_enabled",
+ "iam_root_mfa_enabled",
+ "iam_no_root_access_key",
+ "iam_user_mfa_enabled_console_access",
+ "iam_user_mfa_enabled_console_access",
+ "iam_disable_90_days_credentials",
+ "awslambda_function_not_publicly_accessible",
+ "awslambda_function_url_public",
+ "rds_instance_no_public_access",
+ "rds_snapshots_public_access",
+ "redshift_cluster_public_access",
+ "s3_bucket_public_access",
+ "s3_bucket_policy_public_write_access",
+ "s3_account_level_public_access_blocks",
+ "sagemaker_notebook_instance_without_direct_internet_access_configured",
+ "ec2_securitygroup_default_restrict_traffic",
+ "ec2_networkacl_allow_ingress_any_port",
+ "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
+ "ec2_networkacl_allow_ingress_any_port"
+ ]
+ },
+ {
+ "Id": "3_1_3",
+ "Name": "3.1.3 Control the flow of CUI in accordance with approved authorizations",
+ "Description": "Information flow control regulates where information can travel within a system and between systems (versus who can access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include the following: keeping exportcontrolled information from being transmitted in the clear to the Internet; blocking outside traffic that claims to be from within the organization; restricting requests to the Internet that are not from the internal web proxy server; and limiting information transfers between organizations based on data structures and content. Organizations commonly use information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within systems and between interconnected systems. Flow control is based on characteristics of the information or the information path. Enforcement occurs in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict system services, provide a packetfiltering capability based on header information, or message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering and inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Transferring information between systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies. In such situations, information owners or stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes: prohibiting information transfers between interconnected systems (i.e., allowing access only); employing hardware mechanisms to enforce one-way information flows; and implementing trustworthy regrading mechanisms to reassign security attributes and security labels.",
+ "Attributes": [
+ {
+ "ItemId": "3_1_3",
+ "Section": "3.1 Access Control",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "ec2_ebs_public_snapshot",
+ "ec2_instance_public_ip",
+ "eks_endpoints_not_publicly_accessible",
+ "emr_cluster_master_nodes_no_public_ip",
+ "awslambda_function_not_publicly_accessible",
+ "awslambda_function_url_public",
+ "rds_instance_no_public_access",
+ "rds_snapshots_public_access",
+ "redshift_cluster_public_access",
+ "s3_bucket_public_access",
+ "s3_bucket_policy_public_write_access",
+ "s3_account_level_public_access_blocks",
+ "sagemaker_notebook_instance_without_direct_internet_access_configured",
+ "ec2_securitygroup_default_restrict_traffic",
+ "ec2_networkacl_allow_ingress_any_port",
+ "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
+ "ec2_networkacl_allow_ingress_any_port"
+ ]
+ },
+ {
+ "Id": "3_1_4",
+ "Name": "3.1.4 Separate the duties of individuals to reduce the risk of malevolent activity without collusion",
+ "Description": "Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes dividing mission functions and system support functions among different individuals or roles; conducting system support functions with different individuals (e.g., configuration management, quality assurance and testing, system management, programming, and network security); and ensuring that security personnel administering access control functions do not also administer audit functions. Because separation of duty violations can span systems and application domains, organizations consider the entirety of organizational systems and system components when developing policy on separation of duties.",
+ "Attributes": [
+ {
+ "ItemId": "3_1_4",
+ "Section": "3.1 Access Control",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "iam_policy_no_administrative_privileges",
+ "iam_no_root_access_key",
+ "iam_disable_90_days_credentials"
+ ]
+ },
+ {
+ "Id": "3_1_5",
+ "Name": "3.1.5 Employ the principle of least privilege, including for specific security functions and privileged accounts",
+ "Description": "Organizations employ the principle of least privilege for specific duties and authorized accesses for users and processes. The principle of least privilege is applied with the goal of authorized privileges no higher than necessary to accomplish required organizational missions or business functions. Organizations consider the creation of additional processes, roles, and system accounts as necessary, to achieve least privilege. Organizations also apply least privilege to the development, implementation, and operation of organizational systems. Security functions include establishing system accounts, setting events to be logged, setting intrusion detection parameters, and configuring access authorizations (i.e., permissions, privileges). Privileged accounts, including super user accounts, are typically described as system administrator for various types of commercial off-the-shelf operating systems. Restricting privileged accounts to specific personnel or roles prevents day-to-day users from having access to privileged information or functions. Organizations may differentiate in the application of this requirement between allowed privileges for local accounts and for domain accounts provided organizations retain the ability to control system configurations for key security parameters and as otherwise necessary to sufficiently mitigate risk.",
+ "Attributes": [
+ {
+ "ItemId": "3_1_5",
+ "Section": "3.1 Access Control",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "iam_policy_no_administrative_privileges",
+ "iam_no_root_access_key",
+ "iam_disable_90_days_credentials"
+ ]
+ },
+ {
+ "Id": "3_1_6",
+ "Name": "3.1.6 Use non-privileged accounts or roles when accessing nonsecurity functions",
+ "Description": "This requirement limits exposure when operating from within privileged accounts or roles. The inclusion of roles addresses situations where organizations implement access control policies such as role-based access control and where a change of role provides the same degree of assurance in the change of access authorizations for the user and all processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account.",
+ "Attributes": [
+ {
+ "ItemId": "3_1_6",
+ "Section": "3.1 Access Control",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "iam_policy_no_administrative_privileges",
+ "iam_no_root_access_key"
+ ]
+ },
+ {
+ "Id": "3_1_7",
+ "Name": "3.1.7 Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs",
+ "Description": "Privileged functions include establishing system accounts, performing system integrity checks, conducting patching operations, or administering cryptographic key management activities. Nonprivileged users are individuals that do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users. Note that this requirement represents a condition to be achieved by the definition of authorized privileges in 3.1.2. Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Logging the use of privileged functions is one way to detect such misuse, and in doing so, help mitigate the risk from insider threats and the advanced persistent threat.",
+ "Attributes": [
+ {
+ "ItemId": "3_1_7",
+ "Section": "3.1 Access Control",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "iam_policy_no_administrative_privileges",
+ "iam_no_root_access_key"
+ ]
+ },
+ {
+ "Id": "3_1_12",
+ "Name": "3.1.12 Monitor and control remote access sessions",
+ "Description": "Remote access is access to organizational systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality over remote connections. The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate control (e.g., employing encryption techniques for confidentiality protection), may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. VPNs with encrypted tunnels can affect the capability to adequately monitor network communications traffic for malicious code. Automated monitoring and control of remote access sessions allows organizations to detect cyberattacks and help to ensure ongoing compliance with remote access policies by auditing connection activities of remote users on a variety of system components (e.g., servers, workstations, notebook computers, smart phones, and tablets).",
+ "Attributes": [
+ {
+ "ItemId": "3_1_12",
+ "Section": "3.1 Access Control",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "apigateway_logging_enabled",
+ "cloudtrail_multi_region_enabled",
+ "cloudtrail_s3_dataevents_read_enabled",
+ "cloudtrail_s3_dataevents_write_enabled",
+ "cloudtrail_multi_region_enabled",
+ "elbv2_logging_enabled",
+ "elb_logging_enabled",
+ "guardduty_is_enabled",
+ "rds_instance_integration_cloudwatch_logs",
+ "s3_bucket_server_access_logging_enabled",
+ "securityhub_enabled"
+ ]
+ },
+ {
+ "Id": "3_1_13",
+ "Name": "3.1.13 Employ cryptographic mechanisms to protect the confidentiality of remote access sessions",
+ "Description": "Cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography.",
+ "Attributes": [
+ {
+ "ItemId": "3_1_13",
+ "Section": "3.1 Access Control",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "elb_ssl_listeners",
+ "s3_bucket_secure_transport_policy"
+ ]
+ },
+ {
+ "Id": "3_1_14",
+ "Name": "3.1.14 Route remote access via managed access control points",
+ "Description": "Routing remote access through managed access control points enhances explicit, organizational control over such connections, reducing the susceptibility to unauthorized access to organizational systems resulting in the unauthorized disclosure of CUI.",
+ "Attributes": [
+ {
+ "ItemId": "3_1_14",
+ "Section": "3.1 Access Control",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "ec2_ebs_public_snapshot",
+ "ec2_instance_public_ip",
+ "iam_user_mfa_enabled_console_access",
+ "awslambda_function_not_publicly_accessible",
+ "awslambda_function_url_public",
+ "rds_instance_no_public_access",
+ "rds_snapshots_public_access",
+ "redshift_cluster_public_access",
+ "s3_account_level_public_access_blocks",
+ "sagemaker_notebook_instance_without_direct_internet_access_configured",
+ "ec2_securitygroup_default_restrict_traffic",
+ "ec2_networkacl_allow_ingress_any_port",
+ "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
+ "ec2_networkacl_allow_ingress_any_port"
+ ]
+ },
+ {
+ "Id": "3_1_20",
+ "Name": "3.1.20 Verify and control/limit connections to and use of external systems",
+ "Description": "External systems are systems or components of systems for which organizations typically have no direct supervision and authority over the application of security requirements and controls or the determination of the effectiveness of implemented controls on those systems. External systems include personally owned systems, components, or devices and privately-owned computing and communications devices resident in commercial or public facilities. This requirement also addresses the use of external systems for the processing, storage, or transmission of CUI, including accessing cloud services (e.g., infrastructure as a service, platform as a service, or software as a service) from organizational systems. Organizations establish terms and conditions for the use of external systems in accordance with organizational security policies and procedures. Terms and conditions address as a minimum, the types of applications that can be accessed on organizational systems from external systems. If terms and conditions with the owners of external systems cannot be established, organizations may impose restrictions on organizational personnel using those external systems. This requirement recognizes that there are circumstances where individuals using external systems (e.g., contractors, coalition partners) need to access organizational systems. In those situations, organizations need confidence that the external systems contain the necessary controls so as not to compromise, damage, or otherwise harm organizational systems. Verification that the required controls have been effectively implemented can be achieved by third-party, independent assessments, attestations, or other means, depending on the assurance or confidence level required by organizations. Note that while “external” typically refers to outside of the organization's direct supervision and authority, that is not always the case. Regarding the protection of CUI across an organization, the organization may have systems that process CUI and others that do not. And among the systems that process CUI there are likely access restrictions for CUI that apply between systems. Therefore, from the perspective of a given system, other systems within the organization may be considered 'external' to that system.",
+ "Attributes": [
+ {
+ "ItemId": "3_1_20",
+ "Section": "3.1 Access Control",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "s3_account_level_public_access_blocks",
+ "ec2_securitygroup_default_restrict_traffic",
+ "ec2_networkacl_allow_ingress_any_port",
+ "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
+ "ec2_networkacl_allow_ingress_any_port"
+ ]
+ },
+ {
+ "Id": "3_3_1",
+ "Name": "3.3.1 Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity",
+ "Description": "An event is any observable occurrence in a system, which includes unlawful or unauthorized system activity. Organizations identify event types for which a logging functionality is needed as those events which are significant and relevant to the security of systems and the environments in which those systems operate to meet specific and ongoing auditing needs. Event types can include password changes, failed logons or failed accesses related to systems, administrative privilege usage, or third-party credential usage. In determining event types that require logging, organizations consider the monitoring and auditing appropriate for each of the CUI security requirements. Monitoring and auditing requirements can be balanced with other system needs. For example, organizations may determine that systems must have the capability to log every file access both successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. Audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network. Selecting the appropriate level of abstraction is a critical aspect of an audit logging capability and can facilitate the identification of root causes to problems. Organizations consider in the definition of event types, the logging necessary to cover related events such as the steps in distributed, transaction-based processes (e.g., processes that are distributed across multiple organizations) and actions that occur in service-oriented or cloudbased architectures. Audit record content that may be necessary to satisfy this requirement includes time stamps, source and destination addresses, user or process identifiers, event descriptions, success or fail indications, filenames involved, and access control or flow control rules invoked. Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the system after the event occurred). Detailed information that organizations may consider in audit records includes full text recording of privileged commands or the individual identities of group account users. Organizations consider limiting the additional audit log information to only that information explicitly needed for specific audit requirements. This facilitates the use of audit trails and audit logs by not including information that could potentially be misleading or could make it more difficult to locate information of interest. Audit logs are reviewed and analyzed as often as needed to provide important information to organizations to facilitate risk-based decision making.",
+ "Attributes": [
+ {
+ "ItemId": "3_3_1",
+ "Section": "3.3 Audit and Accountability",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "apigateway_logging_enabled",
+ "cloudtrail_multi_region_enabled",
+ "cloudtrail_s3_dataevents_read_enabled",
+ "cloudtrail_s3_dataevents_write_enabled",
+ "cloudtrail_multi_region_enabled",
+ "cloudtrail_cloudwatch_logging_enabled",
+ "cloudwatch_log_group_retention_policy_specific_days_enabled",
+ "elbv2_logging_enabled",
+ "elb_logging_enabled",
+ "guardduty_is_enabled",
+ "rds_instance_integration_cloudwatch_logs",
+ "s3_bucket_server_access_logging_enabled",
+ "securityhub_enabled",
+ "vpc_flow_logs_enabled"
+ ]
+ },
+ {
+ "Id": "3_3_2",
+ "Name": "3.3.2 Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions",
+ "Description": "This requirement ensures that the contents of the audit record include the information needed to link the audit event to the actions of an individual to the extent feasible. Organizations consider logging for traceability including results from monitoring of account usage, remote access, wireless connectivity, mobile device connection, communications at system boundaries, configuration settings, physical access, nonlocal maintenance, use of maintenance tools, temperature and humidity, equipment delivery and removal, system component inventory, use of mobile code, and use of Voice over Internet Protocol (VoIP).",
+ "Attributes": [
+ {
+ "ItemId": "3_3_2",
+ "Section": "3.3 Audit and Accountability",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "apigateway_logging_enabled",
+ "cloudtrail_multi_region_enabled",
+ "cloudtrail_s3_dataevents_read_enabled",
+ "cloudtrail_s3_dataevents_write_enabled",
+ "cloudtrail_multi_region_enabled",
+ "cloudtrail_cloudwatch_logging_enabled",
+ "guardduty_is_enabled",
+ "rds_instance_integration_cloudwatch_logs",
+ "s3_bucket_server_access_logging_enabled"
+ ]
+ },
+ {
+ "Id": "3_3_3",
+ "Name": "3.3.3 Review and update logged events",
+ "Description": "The intent of this requirement is to periodically re-evaluate which logged events will continue to be included in the list of events to be logged. The event types that are logged by organizations may change over time. Reviewing and updating the set of logged event types periodically is necessary to ensure that the current set remains necessary and sufficient.",
+ "Attributes": [
+ {
+ "ItemId": "3_3_3",
+ "Section": "3.3 Audit and Accountability",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "apigateway_logging_enabled",
+ "cloudtrail_multi_region_enabled",
+ "cloudtrail_s3_dataevents_read_enabled",
+ "cloudtrail_s3_dataevents_write_enabled",
+ "cloudtrail_multi_region_enabled",
+ "cloudtrail_cloudwatch_logging_enabled",
+ "rds_instance_integration_cloudwatch_logs",
+ "s3_bucket_server_access_logging_enabled",
+ "vpc_flow_logs_enabled"
+ ]
+ },
+ {
+ "Id": "3_3_4",
+ "Name": "3.3.4 Alert in the event of an audit logging process failure",
+ "Description": "Audit logging process failures include software and hardware errors, failures in the audit record capturing mechanisms, and audit record storage capacity being reached or exceeded. This requirement applies to each audit record data storage repository (i.e., distinct system component where audit records are stored), the total audit record storage capacity of organizations (i.e., all audit record data storage repositories combined), or both.",
+ "Attributes": [
+ {
+ "ItemId": "3_3_4",
+ "Section": "3.3 Audit and Accountability",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "guardduty_is_enabled",
+ "securityhub_enabled"
+ ]
+ },
+ {
+ "Id": "3_3_5",
+ "Name": "3.3.5 Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity",
+ "Description": "Correlating audit record review, analysis, and reporting processes helps to ensure that they do not operate independently, but rather collectively. Regarding the assessment of a given organizational system, the requirement is agnostic as to whether this correlation is applied at the system level or at the organization level across all systems.",
+ "Attributes": [
+ {
+ "ItemId": "3_3_5",
+ "Section": "3.3 Audit and Accountability",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "cloudtrail_cloudwatch_logging_enabled",
+ "guardduty_is_enabled",
+ "securityhub_enabled"
+ ]
+ },
+ {
+ "Id": "3_3_8",
+ "Name": "3.3.8 Protect audit information and audit logging tools from unauthorized access, modification, and deletion",
+ "Description": "Audit information includes all information (e.g., audit records, audit log settings, and audit reports) needed to successfully audit system activity. Audit logging tools are those programs and devices used to conduct audit and logging activities. This requirement focuses on the technical protection of audit information and limits the ability to access and execute audit logging tools to authorized individuals. Physical protection of audit information is addressed by media protection and physical and environmental protection requirements.",
+ "Attributes": [
+ {
+ "ItemId": "3_3_8",
+ "Section": "3.3 Audit and Accountability",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "cloudtrail_kms_encryption_enabled",
+ "cloudtrail_log_file_validation_enabled",
+ "cloudwatch_log_group_kms_encryption_enabled",
+ "s3_bucket_default_encryption",
+ "s3_bucket_public_access",
+ "s3_bucket_policy_public_write_access",
+ "s3_bucket_object_versioning",
+ "s3_account_level_public_access_blocks"
+ ]
+ },
+ {
+ "Id": "3_4_1",
+ "Name": "3.4.1 Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles",
+ "Description": "Baseline configurations are documented, formally reviewed, and agreed-upon specifications for systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, and changes to systems. Baseline configurations include information about system components (e.g., standard software packages installed on workstations, notebook computers, servers, network components, or mobile devices; current version numbers and update and patch information on operating systems and applications; and configuration settings and parameters), network topology, and the logical placement of those components within the system architecture. Baseline configurations of systems also reflect the current enterprise architecture. Maintaining effective baseline configurations requires creating new baselines as organizational systems change over time. Baseline configuration maintenance includes reviewing and updating the baseline configuration when changes are made based on security risks and deviations from the established baseline configuration Organizations can implement centralized system component inventories that include components from multiple organizational systems. In such situations, organizations ensure that the resulting inventories include system-specific information required for proper component accountability (e.g., system association, system owner). Information deemed necessary for effective accountability of system components includes hardware inventory specifications, software license information, software version numbers, component owners, and for networked components or devices, machine names and network addresses. Inventory specifications include manufacturer, device type, model, serial number, and physical location.",
+ "Attributes": [
+ {
+ "ItemId": "3_4_1",
+ "Section": "3.4 Configuration Management",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "cloudtrail_multi_region_enabled",
+ "ec2_instance_managed_by_ssm",
+ "ec2_instance_older_than_specific_days",
+ "elbv2_deletion_protection",
+ "ssm_managed_compliant_patching",
+ "ec2_elastic_ip_unassgined",
+ "ec2_networkacl_allow_ingress_any_port"
+ ]
+ },
+ {
+ "Id": "3_4_2",
+ "Name": "3.4.2 Establish and enforce security configuration settings for information technology products employed in organizational systems",
+ "Description": "Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture or functionality of the system. Information technology products for which security-related configuration settings can be defined include mainframe computers, servers, workstations, input and output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications. Security parameters are those parameters impacting the security state of systems including the parameters required to satisfy other security requirements. Security parameters include: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific configuration settings for systems. The established settings become part of the systems configuration baseline. Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms/products and instructions for configuring those system components to meet operational requirements. Common secure configurations can be developed by a variety of organizations including information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors.",
+ "Attributes": [
+ {
+ "ItemId": "3_4_2",
+ "Section": "3.4 Configuration Management",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "ec2_instance_managed_by_ssm",
+ "ec2_instance_older_than_specific_days",
+ "ssm_managed_compliant_patching"
+ ]
+ },
+ {
+ "Id": "3_4_6",
+ "Name": "3.4.6 Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities",
+ "Description": "Systems can provide a wide variety of functions and services. Some of the functions and services routinely provided by default, may not be necessary to support essential organizational missions, functions, or operations. It is sometimes convenient to provide multiple services from single system components. However, doing so increases risk over limiting the services provided by any one component. Where feasible, organizations limit component functionality to a single function per component. Organizations review functions and services provided by systems or components of systems, to determine which functions and services are candidates for elimination. Organizations disable unused or unnecessary physical and logical ports and protocols to prevent unauthorized connection of devices, transfer of information, and tunneling. Organizations can utilize network scanning tools, intrusion detection and prevention systems, and end-point protections such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, ports, protocols, and services.",
+ "Attributes": [
+ {
+ "ItemId": "3_4_6",
+ "Section": "3.4 Configuration Management",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "ec2_ebs_public_snapshot",
+ "ec2_instance_managed_by_ssm",
+ "iam_policy_attached_only_to_group_or_roles",
+ "iam_policy_no_administrative_privileges",
+ "iam_no_root_access_key",
+ "awslambda_function_url_public",
+ "rds_snapshots_public_access",
+ "redshift_cluster_public_access",
+ "s3_bucket_public_access",
+ "s3_bucket_policy_public_write_access",
+ "s3_account_level_public_access_blocks",
+ "ssm_managed_compliant_patching",
+ "ec2_securitygroup_default_restrict_traffic"
+ ]
+ },
+ {
+ "Id": "3_4_7",
+ "Name": "3.4.7 Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services",
+ "Description": "Restricting the use of nonessential software (programs) includes restricting the roles allowed to approve program execution; prohibiting auto-execute; program blacklisting and whitelisting; or restricting the number of program instances executed at the same time. The organization makes a security-based determination which functions, ports, protocols, and/or services are restricted. Bluetooth, File Transfer Protocol (FTP), and peer-to-peer networking are examples of protocols organizations consider preventing the use of, restricting, or disabling.",
+ "Attributes": [
+ {
+ "ItemId": "3_4_7",
+ "Section": "3.4 Configuration Management",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "ec2_securitygroup_default_restrict_traffic",
+ "ec2_networkacl_allow_ingress_any_port",
+ "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
+ "ec2_networkacl_allow_ingress_any_port"
+ ]
+ },
+ {
+ "Id": "3_4_9",
+ "Name": "3.4.9 Control and monitor user-installed software",
+ "Description": "Users can install software in organizational systems if provided the necessary privileges. To maintain control over the software installed, organizations identify permitted and prohibited actions regarding software installation through policies. Permitted software installations include updates and security patches to existing software and applications from organization-approved 'app stores.' Prohibited software installations may include software with unknown or suspect pedigrees or software that organizations consider potentially malicious. The policies organizations select governing user-installed software may be organization-developed or provided by some external entity. Policy enforcement methods include procedural methods, automated methods, or both.",
+ "Attributes": [
+ {
+ "ItemId": "3_4_9",
+ "Section": "3.4 Configuration Management",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "ec2_instance_managed_by_ssm",
+ "ssm_managed_compliant_patching"
+ ]
+ },
+ {
+ "Id": "3_5_2",
+ "Name": "3.5.2 Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems",
+ "Description": "Individual authenticators include the following: passwords, key cards, cryptographic devices, and one-time password devices. 
Initial authenticator content is the actual content of the authenticator, for example, the initial password. In contrast, the requirements about authenticator content include the minimum password length. Developers ship system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. Systems support authenticator management by organization-defined settings and restrictions for various authenticator characteristics including minimum password length, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include certificates and passwords.", + "Attributes": [ + { + "ItemId": "3_5_2", + "Section": "3.5 Identification and Authentication", + "Service": "aws" + } + ], + "Checks": [ + "iam_root_mfa_enabled", + "iam_user_mfa_enabled_console_access", + "iam_user_mfa_enabled_console_access" + ] + }, + { + "Id": "3_5_3", + "Name": "3.5.3 Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts", + "Description": "Multifactor authentication requires the use of two or more different factors to authenticate. The factors are defined as something you know (e.g., password, personal identification number [PIN]); something you have (e.g., cryptographic identification device, token); or something you are (e.g., biometric). Multifactor authentication solutions that feature physical authenticators include hardware authenticators providing time-based or challenge-response authenticators and smart cards. 
In addition to authenticating users at the system level (i.e., at logon), organizations may also employ authentication mechanisms at the application level, when necessary, to provide increased information security. Access to organizational systems is defined as local access or network access. Local access is any access to organizational systems by users (or processes acting on behalf of users) where such access is obtained by direct connections without the use of networks. Network access is access to systems by users (or processes acting on behalf of users) where such access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks. The use of encrypted virtual private networks for connections between organization-controlled and non-organization controlled endpoints may be treated as internal networks with regard to protecting the confidentiality of information.", + "Attributes": [ + { + "ItemId": "3_5_3", + "Section": "3.5 Identification and Authentication", + "Service": "aws" + } + ], + "Checks": [ + "iam_root_hardware_mfa_enabled", + "iam_root_mfa_enabled", + "iam_user_mfa_enabled_console_access", + "iam_user_mfa_enabled_console_access" + ] + }, + { + "Id": "3_5_5", + "Name": "3.5.5 Prevent reuse of identifiers for a defined period", + "Description": "Identifiers are provided for users, processes acting on behalf of users, or devices (3.5.1). 
Preventing reuse of identifiers implies preventing the assignment of previously used individual, group, role, or device identifiers to different individuals, groups, roles, or devices.", + "Attributes": [ + { + "ItemId": "3_5_5", + "Section": "3.5 Identification and Authentication", + "Service": "aws" + } + ], + "Checks": [ + "iam_password_policy_reuse_24", + "iam_password_policy_expires_passwords_within_90_days_or_less" + ] + }, + { + "Id": "3_5_6", + "Name": "3.5.6 Disable identifiers after a defined period of inactivity", + "Description": "Inactive identifiers pose a risk to organizational information because attackers may exploit an inactive identifier to gain undetected access to organizational devices. The owners of the inactive accounts may not notice if unauthorized access to the account has been obtained.", + "Attributes": [ + { + "ItemId": "3_5_6", + "Section": "3.5 Identification and Authentication", + "Service": "aws" + } + ], + "Checks": [ + "iam_password_policy_reuse_24", + "iam_password_policy_expires_passwords_within_90_days_or_less", + "iam_disable_90_days_credentials" + ] + }, + { + "Id": "3_5_7", + "Name": "3.5.7 Enforce a minimum password complexity and change of characters when new passwords are created", + "Description": "This requirement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are used as part of multifactor authenticators. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. 
To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords.", + "Attributes": [ + { + "ItemId": "3_5_7", + "Section": "3.5 Identification and Authentication", + "Service": "aws" + } + ], + "Checks": [ + "iam_password_policy_minimum_length_14", + "iam_password_policy_lowercase", + "iam_password_policy_number", + "iam_password_policy_symbol", + "iam_password_policy_uppercase", + "iam_password_policy_reuse_24", + "iam_password_policy_expires_passwords_within_90_days_or_less", + "iam_disable_90_days_credentials" + ] + }, + { + "Id": "3_5_8", + "Name": "3.5.8 Prohibit password reuse for a specified number of generations", + "Description": "Password lifetime restrictions do not apply to temporary passwords.", + "Attributes": [ + { + "ItemId": "3_5_8", + "Section": "3.5 Identification and Authentication", + "Service": "aws" + } + ], + "Checks": [ + "iam_password_policy_reuse_24", + "iam_password_policy_expires_passwords_within_90_days_or_less", + "iam_disable_90_days_credentials" + ] + }, + { + "Id": "3_5_10", + "Name": "3.5.10 Store and transmit only cryptographically-protected passwords", + "Description": "Cryptographically-protected passwords use salted one-way cryptographic hashes of passwords.", + "Attributes": [ + { + "ItemId": "3_5_10", + "Section": "3.5 Identification and Authentication", + "Service": "aws" + } + ], + "Checks": [ + "apigateway_client_certificate_enabled", + "ec2_ebs_volume_encryption", + "elbv2_insecure_ssl_ciphers", + "opensearch_service_domains_node_to_node_encryption_enabled", + "s3_bucket_default_encryption", + "s3_bucket_secure_transport_policy" + ] + }, + { + "Id": "3_6_1", + "Name": "3.6.1 Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities", + "Description": "Organizations recognize that incident handling capability is dependent on the capabilities of 
organizational systems and the mission/business processes being supported by those systems. Organizations consider incident handling as part of the definition, design, and development of mission/business processes and systems. Incident-related information can be obtained from a variety of sources including audit monitoring, network monitoring, physical access monitoring, user and administrator reports, and reported supply chain events. Effective incident handling capability includes coordination among many organizational entities including mission/business owners, system owners, authorizing officials, human resources offices, physical and personnel security offices, legal departments, operations personnel, procurement offices, and the risk executive. As part of user response activities, incident response training is provided by organizations and is linked directly to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, regular users may only need to know who to call or how to recognize an incident on the system; system administrators may require additional training on how to handle or remediate incidents; and incident responders may receive more specific training on forensics, reporting, system recovery, and restoration. Incident response training includes user training in the identification/reporting of suspicious activities from external and internal sources. 
User response activities also includes incident response assistance which may consist of help desk support, assistance groups, and access to forensics services or consumer redress services, when required.", + "Attributes": [ + { + "ItemId": "3_6_1", + "Section": "3.6 Incident Response", + "Service": "aws" + } + ], + "Checks": [ + "apigateway_logging_enabled", + "cloudtrail_multi_region_enabled", + "cloudtrail_cloudwatch_logging_enabled", + "cloudwatch_changes_to_network_acls_alarm_configured", + "cloudwatch_changes_to_network_gateways_alarm_configured", + "cloudwatch_changes_to_network_route_tables_alarm_configured", + "cloudwatch_changes_to_vpcs_alarm_configured", + "cloudwatch_log_group_retention_policy_specific_days_enabled", + "guardduty_is_enabled", + "guardduty_no_high_severity_findings", + "rds_instance_integration_cloudwatch_logs", + "s3_bucket_server_access_logging_enabled", + "securityhub_enabled", + "vpc_flow_logs_enabled" + ] + }, + { + "Id": "3_6_2", + "Name": "3.6.2 Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization", + "Description": "Tracking and documenting system security incidents includes maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics, evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources including incident reports, incident response teams, audit monitoring, network monitoring, physical access monitoring, and user/administrator reports. Reporting incidents addresses specific incident reporting requirements within an organization and the formal incident reporting requirements for the organization. Suspected security incidents may also be reported and include the receipt of suspicious email communications that can potentially contain malicious code. 
The types of security incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable laws, Executive Orders, directives, regulations, and policies.", + "Attributes": [ + { + "ItemId": "3_6_2", + "Section": "3.6 Incident Response", + "Service": "aws" + } + ], + "Checks": [ + "apigateway_logging_enabled", + "cloudtrail_multi_region_enabled", + "cloudtrail_cloudwatch_logging_enabled", + "cloudwatch_changes_to_network_acls_alarm_configured", + "cloudwatch_changes_to_network_gateways_alarm_configured", + "cloudwatch_changes_to_network_route_tables_alarm_configured", + "cloudwatch_changes_to_vpcs_alarm_configured", + "cloudwatch_log_group_retention_policy_specific_days_enabled", + "guardduty_is_enabled", + "guardduty_no_high_severity_findings", + "rds_instance_integration_cloudwatch_logs", + "s3_bucket_server_access_logging_enabled", + "securityhub_enabled", + "vpc_flow_logs_enabled" + ] + }, + { + "Id": "3_11_2", + "Name": "3.11.2 Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified", + "Description": "Organizations determine the required vulnerability scanning for all system components, ensuring that potential sources of vulnerabilities such as networked printers, scanners, and copiers are not overlooked. The vulnerabilities to be scanned are readily updated as new vulnerabilities are discovered, announced, and scanning methods developed. This process ensures that potential vulnerabilities in the system are identified and addressed as quickly as possible. Vulnerability analyses for custom software applications may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. 
Organizations can employ these analysis approaches in source code reviews and in a variety of tools (e.g., static analysis tools, web-based application scanners, binary analyzers) and in source code reviews. Vulnerability scanning includes: scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for improperly configured or incorrectly operating information flow control mechanisms. To facilitate interoperability, organizations consider using products that are Security Content Automated Protocol (SCAP)-validated, scanning tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention, and that employ the Open Vulnerability Assessment Language (OVAL) to determine the presence of system vulnerabilities. Sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). Security assessments, such as red team exercises, provide additional sources of potential vulnerabilities for which to scan. Organizations also consider using scanning tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS). In certain situations, the nature of the vulnerability scanning may be more intrusive or the system component that is the subject of the scanning may contain highly sensitive information. 
Privileged access authorization to selected system components facilitates thorough vulnerability scanning and protects the sensitive nature of such scanning.", + "Attributes": [ + { + "ItemId": "3_11_2", + "Section": "3.11 Risk Assessment", + "Service": "aws" + } + ], + "Checks": [ + "guardduty_is_enabled", + "guardduty_no_high_severity_findings", + "securityhub_enabled" + ] + }, + { + "Id": "3_11_3", + "Name": "3.11.3 Remediate vulnerabilities in accordance with risk assessments", + "Description": "Vulnerabilities discovered, for example, via the scanning conducted in response to 3.11.2, are remediated with consideration of the related assessment of risk. The consideration of risk influences the prioritization of remediation efforts and the level of effort to be expended in the remediation for specific vulnerabilities.", + "Attributes": [ + { + "ItemId": "3_11_3", + "Section": "3.11 Risk Assessment", + "Service": "aws" + } + ], + "Checks": [ + "guardduty_is_enabled", + "guardduty_no_high_severity_findings", + "securityhub_enabled" + ] + }, + { + "Id": "3_12_4", + "Name": "3.12.4 Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems", + "Description": "System security plans relate security requirements to a set of security controls. System security plans also describe, at a high level, how the security controls meet those security requirements, but do not provide detailed, technical descriptions of the design or implementation of the controls. System security plans contain sufficient information to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk if the plan is implemented as intended. 
Security plans need not be single documents; the plans can be a collection of various documents including documents that already exist. Effective security plans make extensive use of references to policies, procedures, and additional documents (e.g., design and implementation specifications) where more detailed information can be obtained. This reduces the documentation requirements associated with security programs and maintains security-related information in other established management/operational areas related to enterprise architecture, system development life cycle, systems engineering, and acquisition. Federal agencies may consider the submitted system security plans and plans of action as critical inputs to an overall risk management decision to process, store, or transmit CUI on a system hosted by a nonfederal organization and whether it is advisable to pursue an agreement or contract with the nonfederal organization.", + "Attributes": [ + { + "ItemId": "3_12_4", + "Section": "3.12 Assessment, Authorization, and Monitoring", + "Service": "aws" + } + ], + "Checks": [ + "cloudtrail_cloudwatch_logging_enabled", + "cloudwatch_changes_to_network_acls_alarm_configured", + "cloudwatch_changes_to_network_gateways_alarm_configured", + "cloudwatch_changes_to_network_route_tables_alarm_configured", + "cloudwatch_changes_to_vpcs_alarm_configured", + "ec2_instance_imdsv2_enabled", + "guardduty_is_enabled", + "rds_instance_enhanced_monitoring_enabled", + "securityhub_enabled" + ] + }, + { + "Id": "3_13_1", + "Name": "3.13.1 Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems", + "Description": "Communications can be monitored, controlled, and protected at boundary components and by restricting or prohibiting interfaces in organizational systems. 
Boundary components include gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a system security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Restricting or prohibiting interfaces in organizational systems includes restricting external web communications traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses. Organizations consider the shared nature of commercial telecommunications services in the implementation of security requirements associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions.", + "Attributes": [ + { + "ItemId": "3_13_1", + "Section": "3.13 System and Communications Protection", + "Service": "aws" + } + ], + "Checks": [ + "acm_certificates_expiration_check", + "apigateway_logging_enabled", + "cloudtrail_multi_region_enabled", + "cloudtrail_s3_dataevents_read_enabled", + "cloudtrail_s3_dataevents_write_enabled", + "cloudtrail_multi_region_enabled", + "cloudtrail_log_file_validation_enabled", + "elbv2_logging_enabled", + "elb_logging_enabled", + "elbv2_waf_acl_attached", + "elb_ssl_listeners", + "guardduty_is_enabled", + "awslambda_function_not_publicly_accessible", + "rds_instance_integration_cloudwatch_logs", + "rds_instance_no_public_access", + "redshift_cluster_public_access", + "s3_bucket_secure_transport_policy", + "s3_bucket_server_access_logging_enabled", + "securityhub_enabled", + "vpc_flow_logs_enabled", + "ec2_networkacl_allow_ingress_any_port", + 
"ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22", + "ec2_networkacl_allow_ingress_any_port" + ] + }, + { + "Id": "3_13_2", + "Name": "3.13.2 Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems", + "Description": "Organizations apply systems security engineering principles to new development systems or systems undergoing major upgrades. For legacy systems, organizations apply systems security engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware components within those systems. The application of systems security engineering concepts and principles helps to develop trustworthy, secure, and resilient systems and system components and reduce the susceptibility of organizations to disruptions, hazards, and threats. Examples of these concepts and principles include developing layered protections; establishing security policies, architecture, and controls as the foundation for design; incorporating security requirements into the system development life cycle; delineating physical and logical security boundaries; ensuring that developers are trained on how to build secure software; and performing threat modeling to identify use cases, threat agents, attack vectors and patterns, design patterns, and compensating controls needed to mitigate risk. 
Organizations that apply security engineering concepts and principles can facilitate the development of trustworthy, secure systems, system components, and system services; reduce risk to acceptable levels; and make informed risk-management decisions.", + "Attributes": [ + { + "ItemId": "3_13_2", + "Section": "3.13 System and Communications Protection", + "Service": "aws" + } + ], + "Checks": [ + "acm_certificates_expiration_check", + "cloudtrail_multi_region_enabled", + "dynamodb_tables_pitr_enabled", + "ec2_ebs_public_snapshot", + "ec2_instance_public_ip", + "efs_have_backup_enabled", + "elbv2_deletion_protection", + "emr_cluster_master_nodes_no_public_ip", + "awslambda_function_not_publicly_accessible", + "awslambda_function_url_public", + "rds_instance_backup_enabled", + "rds_instance_integration_cloudwatch_logs", + "rds_instance_multi_az", + "rds_instance_no_public_access", + "rds_instance_backup_enabled", + "redshift_cluster_public_access", + "s3_bucket_public_access", + "s3_bucket_policy_public_write_access", + "s3_account_level_public_access_blocks", + "sagemaker_notebook_instance_without_direct_internet_access_configured", + "ec2_securitygroup_default_restrict_traffic", + "ec2_networkacl_allow_ingress_any_port", + "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22" + ] + }, + { + "Id": "3_13_3", + "Name": "3.13.3 Separate user functionality from system management functionality", + "Description": "System management functionality includes functions necessary to administer databases, network components, workstations, or servers, and typically requires privileged user access. The separation of user functionality from system management functionality is physical or logical. 
Organizations can implement separation of system management functionality from user functionality by using different computers, different central processing units, different instances of operating systems, or different network addresses; virtualization techniques; or combinations of these or other methods, as appropriate. This type of separation includes web administrative interfaces that use separate authentication methods for users of any other system resources. Separation of system and user functionality may include isolating administrative interfaces on different domains and with additional access controls.", + "Attributes": [ + { + "ItemId": "3_13_3", + "Section": "3.13 System and Communications Protection", + "Service": "aws" + } + ], + "Checks": [ + "iam_policy_no_administrative_privileges" + ] + }, + { + "Id": "3_13_4", + "Name": "3.13.4 Prevent unauthorized and unintended information transfer via shared system resources", + "Description": "The control of information in shared system resources (e.g., registers, cache memory, main memory, hard disks) is also commonly referred to as object reuse and residual information protection. This requirement prevents information produced by the actions of prior users or roles (or the actions of processes acting on behalf of prior users or roles) from being available to any current users or roles (or current processes acting on behalf of current users or roles) that obtain access to shared system resources after those resources have been released back to the system. This requirement also applies to encrypted representations of information. 
This requirement does not address information remanence, which refers to residual representation of data that has been nominally deleted; covert channels (including storage or timing channels) where shared resources are manipulated to violate information flow restrictions; or components within systems for which there are only single users or roles.", + "Attributes": [ + { + "ItemId": "3_13_4", + "Section": "3.13 System and Communications Protection", + "Service": "aws" + } + ], + "Checks": [] + }, + { + "Id": "3_13_5", + "Name": "3.13.5 Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks", + "Description": "Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones (DMZs). DMZs are typically implemented with boundary control devices and techniques that include routers, gateways, firewalls, virtualization, or cloud-based technologies.", + "Attributes": [ + { + "ItemId": "3_13_5", + "Section": "3.13 System and Communications Protection", + "Service": "aws" + } + ], + "Checks": [ + "ec2_ebs_public_snapshot", + "ec2_instance_public_ip", + "elbv2_waf_acl_attached", + "elb_ssl_listeners", + "emr_cluster_master_nodes_no_public_ip", + "opensearch_service_domains_node_to_node_encryption_enabled", + "awslambda_function_not_publicly_accessible", + "awslambda_function_url_public", + "rds_instance_no_public_access", + "rds_snapshots_public_access", + "redshift_cluster_public_access", + "s3_bucket_secure_transport_policy", + "s3_bucket_public_access", + "s3_bucket_policy_public_write_access", + "s3_account_level_public_access_blocks", + "sagemaker_notebook_instance_without_direct_internet_access_configured", + "ec2_securitygroup_default_restrict_traffic", + "ec2_networkacl_allow_ingress_any_port", + "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22", + "ec2_networkacl_allow_ingress_any_port" + ] + }, + { + "Id": "3_13_6", + "Name": 
"3.13.6 Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception)", + "Description": "This requirement applies to inbound and outbound network communications traffic at the system boundary and at identified points within the system. A deny-all, permit-by-exception network communications traffic policy ensures that only those connections which are essential and approved are allowed.", + "Attributes": [ + { + "ItemId": "3_13_6", + "Section": "3.13 System and Communications Protection", + "Service": "aws" + } + ], + "Checks": [ + "ec2_networkacl_allow_ingress_any_port", + "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22", + "ec2_networkacl_allow_ingress_any_port" + ] + }, + { + "Id": "3_13_8", + "Name": "3.13.8 Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards", + "Description": "This requirement applies to internal and external networks and any system components that can transmit information including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, and facsimile machines. Communication paths outside the physical protection of controlled boundaries are susceptible to both interception and modification. Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services (i.e., services which can be highly specialized to individual customer needs), may find it difficult to obtain the necessary assurances regarding the implementation of the controls for transmission confidentiality. In such situations, organizations determine what types of confidentiality services are available in commercial telecommunication service packages. 
If it is infeasible or impractical to obtain the necessary safeguards and assurances of the effectiveness of the safeguards through appropriate contracting vehicles, organizations implement compensating safeguards or explicitly accept the additional risk. An example of an alternative physical safeguard is a protected distribution system (PDS) where the distribution medium is protected against electronic or physical intercept, thereby ensuring the confidentiality of the information being transmitted.", + "Attributes": [ + { + "ItemId": "3_13_8", + "Section": "3.13 System and Communications Protection", + "Service": "aws" + } + ], + "Checks": [ + "acm_certificates_expiration_check", + "elb_ssl_listeners", + "opensearch_service_domains_node_to_node_encryption_enabled", + "s3_bucket_secure_transport_policy" + ] + }, + { + "Id": "3_13_11", + "Name": "3.13.11 Employ FIPS-validated cryptography when used to protect the confidentiality of CUI", + "Description": "Cryptography can be employed to support many security solutions including the protection of controlled unclassified information, the provision of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances for such information but lack the necessary formal access approvals. Cryptography can also be used to support random number generation and hash generation. 
Cryptographic standards include FIPSvalidated cryptography and/or NSA-approved cryptography.",
+ "Attributes": [
+ {
+ "ItemId": "3_13_11",
+ "Section": "3.13 System and Communications Protection",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "acm_certificates_expiration_check",
+ "cloudtrail_kms_encryption_enabled",
+ "dynamodb_tables_kms_cmk_encryption_enabled",
+ "ec2_ebs_volume_encryption",
+ "efs_encryption_at_rest_enabled",
+ "opensearch_service_domains_encryption_at_rest_enabled",
+ "cloudwatch_log_group_kms_encryption_enabled",
+ "rds_instance_storage_encrypted",
+ "s3_bucket_default_encryption",
+ "s3_bucket_secure_transport_policy",
+ "sagemaker_notebook_instance_encryption_enabled",
+ "sns_topics_kms_encryption_at_rest_enabled"
+ ]
+ },
+ {
+ "Id": "3_13_15",
+ "Name": "3.13.15 Protect the authenticity of communications sessions",
+ "Description": "Authenticity protection includes protecting against man-in-the-middle attacks, session hijacking, and the insertion of false information into communications sessions. This requirement addresses communications protection at the session versus packet level (e.g., sessions in service-oriented architectures providing web-based services) and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted.",
+ "Attributes": [
+ {
+ "ItemId": "3_13_15",
+ "Section": "3.13 System and Communications Protection",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "elb_ssl_listeners"
+ ]
+ },
+ {
+ "Id": "3_13_16",
+ "Name": "3.13.16 Protect the confidentiality of CUI at rest",
+ "Description": "Information at rest refers to the state of information when it is not in process or in transit and is located on storage devices as specific components of systems. The focus of protection at rest is not on the type of storage device or the frequency of access but rather the state of the information. 
Organizations can use different mechanisms to achieve confidentiality protections, including the use of cryptographic mechanisms and file share scanning. Organizations may also use other controls including secure off-line storage in lieu of online storage when adequate protection of information at rest cannot otherwise be achieved or continuous monitoring to identify malicious code at rest.",
+ "Attributes": [
+ {
+ "ItemId": "3_13_16",
+ "Section": "3.13 System and Communications Protection",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "cloudtrail_kms_encryption_enabled",
+ "dynamodb_tables_kms_cmk_encryption_enabled",
+ "dynamodb_tables_kms_cmk_encryption_enabled",
+ "ec2_ebs_volume_encryption",
+ "efs_encryption_at_rest_enabled",
+ "opensearch_service_domains_encryption_at_rest_enabled",
+ "cloudwatch_log_group_kms_encryption_enabled",
+ "rds_instance_storage_encrypted",
+ "s3_bucket_default_encryption",
+ "s3_bucket_secure_transport_policy",
+ "sagemaker_notebook_instance_encryption_enabled",
+ "sns_topics_kms_encryption_at_rest_enabled"
+ ]
+ },
+ {
+ "Id": "3_14_1",
+ "Name": "3.14.1 Identify, report, and correct system flaws in a timely manner",
+ "Description": "Organizations identify systems that are affected by announced software and firmware flaws including potential vulnerabilities resulting from those flaws and report this information to designated personnel with information security responsibilities. Security-relevant updates include patches, service packs, hot fixes, and anti-virus signatures. Organizations address flaws discovered during security assessments, continuous monitoring, incident response activities, and system error handling. Organizations can take advantage of available resources such as the Common Weakness Enumeration (CWE) database or Common Vulnerabilities and Exposures (CVE) database in remediating flaws discovered in organizational systems. 
Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of factors including the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). Some types of flaw remediation may require more testing than other types of remediation.",
+ "Attributes": [
+ {
+ "ItemId": "3_14_1",
+ "Section": "3.14 System and Information integrity",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "guardduty_is_enabled",
+ "securityhub_enabled"
+ ]
+ },
+ {
+ "Id": "3_14_2",
+ "Name": "3.14.2 Provide protection from malicious code at designated locations within organizational systems",
+ "Description": "Designated locations include system entry and exit points which may include firewalls, remoteaccess servers, workstations, electronic mail servers, web servers, proxy servers, notebook computers, and mobile devices. Malicious code includes viruses, worms, Trojan horses, and spyware. Malicious code can be encoded in various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using techniques such as steganography. Malicious code can be inserted into systems in a variety of ways including web accesses, electronic mail, electronic mail attachments, and portable storage devices. Malicious code insertions occur through the exploitation of system vulnerabilities. Malicious code protection mechanisms include anti-virus signature definitions and reputationbased technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include logic bombs, back doors, and other types of cyber-attacks that could affect organizational missions/business functions. 
Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended.",
+ "Attributes": [
+ {
+ "ItemId": "3_14_2",
+ "Section": "3.14 System and Information integrity",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "ec2_instance_managed_by_ssm",
+ "guardduty_is_enabled",
+ "securityhub_enabled",
+ "ssm_managed_compliant_patching",
+ "ssm_managed_compliant_patching"
+ ]
+ },
+ {
+ "Id": "3_14_3",
+ "Name": "3.14.3 Monitor system security alerts and advisories and take action in response",
+ "Description": "There are many publicly available sources of system security alerts and advisories. For example, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) generates security alerts and advisories to maintain situational awareness across the federal government and in nonfederal organizations. Software vendors, subscription services, and industry information sharing and analysis centers (ISACs) may also provide security alerts and advisories. Examples of response actions include notifying relevant external organizations, for example, external mission/business partners, supply chain partners, external service providers, and peer or supporting organizations.",
+ "Attributes": [
+ {
+ "ItemId": "3_14_3",
+ "Section": "3.14 System and Information integrity",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "guardduty_is_enabled",
+ "securityhub_enabled",
+ "ssm_managed_compliant_patching"
+ ]
+ },
+ {
+ "Id": "3_14_4",
+ "Name": "3.14.4 Update malicious code protection mechanisms when new releases are available",
+ "Description": "Malicious code protection mechanisms include anti-virus signature definitions and reputationbased technologies. 
A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include logic bombs, back doors, and other types of cyber-attacks that could affect organizational missions/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended.",
+ "Attributes": [
+ {
+ "ItemId": "3_14_4",
+ "Section": "3.14 System and Information integrity",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "guardduty_is_enabled"
+ ]
+ },
+ {
+ "Id": "3_14_6",
+ "Name": "3.14.6 Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks",
+ "Description": "System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at the system boundary (i.e., part of perimeter defense and boundary protection). Internal monitoring includes the observation of events occurring within the system. Organizations can monitor systems, for example, by observing audit record activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives may guide determination of the events. 
System monitoring capability is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Strategic locations for monitoring devices include selected perimeter locations and near server farms supporting critical applications, with such devices being employed at managed system interfaces. The granularity of monitoring information collected is based on organizational monitoring objectives and the capability of systems to support such objectives. System monitoring is an integral part of continuous monitoring and incident response programs. Output from system monitoring serves as input to continuous monitoring and incident response programs. A network connection is any connection with a device that communicates through a network (e.g., local area network, Internet). A remote connection is any connection with a device communicating through an external network (e.g., the Internet). Local, network, and remote connections can be either wired or wireless. Unusual or unauthorized activities or conditions related to inbound/outbound communications traffic include internal traffic that indicates the presence of malicious code in systems or propagating among system components, the unauthorized exporting of information, or signaling to external systems. Evidence of malicious code is used to identify potentially compromised systems or system components. 
System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other requirements.",
+ "Attributes": [
+ {
+ "ItemId": "3_14_6",
+ "Section": "3.14 System and Information integrity",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "apigateway_logging_enabled",
+ "cloudtrail_multi_region_enabled",
+ "cloudtrail_s3_dataevents_read_enabled",
+ "cloudtrail_s3_dataevents_write_enabled",
+ "cloudtrail_multi_region_enabled",
+ "elbv2_logging_enabled",
+ "elb_logging_enabled",
+ "guardduty_is_enabled",
+ "rds_instance_integration_cloudwatch_logs",
+ "s3_bucket_server_access_logging_enabled",
+ "securityhub_enabled",
+ "vpc_flow_logs_enabled"
+ ]
+ },
+ {
+ "Id": "3_14_7",
+ "Name": "3.14.7 Identify unauthorized use of organizational systems",
+ "Description": "System monitoring includes external and internal monitoring. System monitoring can detect unauthorized use of organizational systems. System monitoring is an integral part of continuous monitoring and incident response programs. Monitoring is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Output from system monitoring serves as input to continuous monitoring and incident response programs. Unusual/unauthorized activities or conditions related to inbound and outbound communications traffic include internal traffic that indicates the presence of malicious code in systems or propagating among system components, the unauthorized exporting of information, or signaling to external systems. Evidence of malicious code is used to identify potentially compromised systems or system components. 
System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other requirements.",
+ "Attributes": [
+ {
+ "ItemId": "3_14_7",
+ "Section": "3.14 System and Information integrity",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "apigateway_logging_enabled",
+ "cloudtrail_multi_region_enabled",
+ "cloudtrail_s3_dataevents_read_enabled",
+ "cloudtrail_s3_dataevents_write_enabled",
+ "cloudtrail_multi_region_enabled",
+ "elbv2_logging_enabled",
+ "elb_logging_enabled",
+ "guardduty_is_enabled",
+ "rds_instance_integration_cloudwatch_logs",
+ "s3_bucket_server_access_logging_enabled",
+ "securityhub_enabled",
+ "vpc_flow_logs_enabled"
+ ]
+ }
+ ]
+}
diff --git a/prowler/compliance/aws/nist_800_53_revision_4_aws.json b/prowler/compliance/aws/nist_800_53_revision_4_aws.json
new file mode 100644
index 00000000..1f064262
--- /dev/null
+++ b/prowler/compliance/aws/nist_800_53_revision_4_aws.json
@@ -0,0 +1,1247 @@
+{
+ "Framework": "NIST-800-53-Revision-4",
+ "Version": "",
+ "Provider": "AWS",
+ "Description": "NIST 800-53 is a regulatory standard that defines the minimum baseline of security controls for all U.S. federal information systems except those related to national security. The controls defined in this standard are customizable and address a diverse set of security and privacy requirements.",
+ "Requirements": [
+ {
+ "Id": "ac_2_1",
+ "Name": "AC-2(1) Automated System Account Management",
+ "Description": "Access control policies (e.g., identity or role-based policies, control matrices, and cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, and domains) in systems. Access enforcement mechanisms can be employed at the application and service level to provide increased information security. Other systems include systems internal and external to the organization. This requirement focuses on account management for systems and applications. 
The definition of and enforcement of access authorizations, other than those determined by account type (e.g., privileged verses non-privileged) are addressed in requirement 3.1.2.",
+ "Attributes": [
+ {
+ "ItemId": "ac_2_1",
+ "Section": "Access Control (AC)",
+ "SubSection": "Account Management (AC-2)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "guardduty_is_enabled",
+ "iam_password_policy_reuse_24",
+ "iam_rotate_access_key_90_days",
+ "iam_disable_90_days_credentials",
+ "securityhub_enabled"
+ ]
+ },
+ {
+ "Id": "ac_2_3",
+ "Name": "AC-2(3) Disable Inactive Accounts",
+ "Description": "The information system automatically disables inactive accounts after 90 days for user accounts.",
+ "Attributes": [
+ {
+ "ItemId": "ac_2_3",
+ "Section": "Access Control (AC)",
+ "SubSection": "Account Management (AC-2)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "iam_disable_90_days_credentials"
+ ]
+ },
+ {
+ "Id": "ac_2_4",
+ "Name": "AC-2(4) Automated Audit Actions",
+ "Description": "The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies [Assignment: organization-defined personnel or roles].",
+ "Attributes": [
+ {
+ "ItemId": "ac_2_4",
+ "Section": "Access Control (AC)",
+ "SubSection": "Account Management (AC-2)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "cloudtrail_multi_region_enabled",
+ "cloudtrail_multi_region_enabled",
+ "cloudtrail_cloudwatch_logging_enabled",
+ "cloudwatch_changes_to_network_acls_alarm_configured",
+ "cloudwatch_changes_to_network_gateways_alarm_configured",
+ "cloudwatch_changes_to_network_route_tables_alarm_configured",
+ "cloudwatch_changes_to_vpcs_alarm_configured",
+ "guardduty_is_enabled",
+ "rds_instance_integration_cloudwatch_logs",
+ "redshift_cluster_audit_logging",
+ "securityhub_enabled"
+ ]
+ },
+ {
+ "Id": "ac_2_12",
+ "Name": "AC-2(12) Account Monitoring",
+ "Description": "Monitors and reports atypical usage of information system accounts to 
organization-defined personnel or roles.",
+ "Attributes": [
+ {
+ "ItemId": "ac_2_12",
+ "Section": "Access Control (AC)",
+ "SubSection": "Account Management (AC-2)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "guardduty_is_enabled",
+ "securityhub_enabled"
+ ]
+ },
+ {
+ "Id": "ac_2",
+ "Name": "Account Management (AC-2)",
+ "Description": "Manage system accounts, group memberships, privileges, workflow, notifications, deactivations, and authorizations.",
+ "Attributes": [
+ {
+ "ItemId": "ac_2",
+ "Section": "Access Control (AC)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "cloudtrail_s3_dataevents_read_enabled",
+ "cloudtrail_s3_dataevents_write_enabled",
+ "cloudtrail_multi_region_enabled",
+ "cloudtrail_cloudwatch_logging_enabled",
+ "guardduty_is_enabled",
+ "iam_password_policy_reuse_24",
+ "iam_policy_no_administrative_privileges",
+ "iam_root_mfa_enabled",
+ "iam_no_root_access_key",
+ "iam_rotate_access_key_90_days",
+ "iam_disable_90_days_credentials",
+ "rds_instance_integration_cloudwatch_logs",
+ "redshift_cluster_audit_logging",
+ "s3_bucket_server_access_logging_enabled",
+ "securityhub_enabled"
+ ]
+ },
+ {
+ "Id": "ac_3",
+ "Name": "Access Enforcement (AC-3)",
+ "Description": "The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.",
+ "Attributes": [
+ {
+ "ItemId": "ac_3",
+ "Section": "Access Control (AC)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "ec2_ebs_public_snapshot",
+ "iam_policy_no_administrative_privileges",
+ "iam_no_root_access_key",
+ "iam_disable_90_days_credentials",
+ "awslambda_function_url_public",
+ "rds_snapshots_public_access",
+ "redshift_cluster_public_access",
+ "sagemaker_notebook_instance_without_direct_internet_access_configured",
+ "s3_bucket_public_access",
+ "s3_bucket_policy_public_write_access",
+ "s3_bucket_public_access"
+ ]
+ },
+ {
+ "Id": "ac_4",
+ "Name": "Information Flow Enforcement 
(AC-4)",
+ "Description": "The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on organization-defined information flow control policies.",
+ "Attributes": [
+ {
+ "ItemId": "ac_4",
+ "Section": "Access Control (AC)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "acm_certificates_expiration_check",
+ "ec2_ebs_public_snapshot",
+ "ec2_instance_public_ip",
+ "emr_cluster_master_nodes_no_public_ip",
+ "awslambda_function_not_publicly_accessible",
+ "awslambda_function_url_public",
+ "rds_instance_no_public_access",
+ "rds_snapshots_public_access",
+ "redshift_cluster_public_access",
+ "s3_bucket_public_access",
+ "s3_bucket_policy_public_write_access",
+ "s3_bucket_public_access",
+ "sagemaker_notebook_instance_without_direct_internet_access_configured",
+ "ec2_securitygroup_default_restrict_traffic",
+ "ec2_networkacl_allow_ingress_any_port",
+ "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
+ "ec2_networkacl_allow_ingress_any_port"
+ ]
+ },
+ {
+ "Id": "ac_5",
+ "Name": "Separation Of Duties (AC-5)",
+ "Description": "Separate duties of individuals to prevent malevolent activity. 
automate separation of duties and access authorizations.",
+ "Attributes": [
+ {
+ "ItemId": "ac_5",
+ "Section": "Access Control (AC)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "iam_policy_no_administrative_privileges"
+ ]
+ },
+ {
+ "Id": "ac_6_10",
+ "Name": "AC-6(10) Prohibit Non-Privileged Users From Executing Privileged Functions",
+ "Description": "The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.",
+ "Attributes": [
+ {
+ "ItemId": "ac_6_10",
+ "Section": "Access Control (AC)",
+ "SubSection": "Least Privilege (AC-6)",
+ "Service": "iam"
+ }
+ ],
+ "Checks": [
+ "iam_no_root_access_key"
+ ]
+ },
+ {
+ "Id": "ac_6",
+ "Name": "Least Privilege (AC-6)",
+ "Description": "The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.",
+ "Attributes": [
+ {
+ "ItemId": "ac_6",
+ "Section": "Access Control (AC)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "ec2_ebs_public_snapshot",
+ "ec2_instance_public_ip",
+ "ec2_instance_imdsv2_enabled",
+ "iam_policy_attached_only_to_group_or_roles",
+ "iam_policy_no_administrative_privileges",
+ "iam_no_root_access_key",
+ "iam_disable_90_days_credentials",
+ "awslambda_function_url_public",
+ "rds_instance_no_public_access",
+ "rds_snapshots_public_access",
+ "redshift_cluster_public_access",
+ "s3_bucket_public_access",
+ "s3_bucket_policy_public_write_access",
+ "s3_bucket_public_access",
+ "sagemaker_notebook_instance_without_direct_internet_access_configured"
+ ]
+ },
+ {
+ "Id": "ac_17_1",
+ "Name": "AC-17(1) Automated Monitoring/Control",
+ "Description": "The information system monitors and controls remote access methods.",
+ "Attributes": [
+ {
+ "ItemId": "ac_17_1",
+ "Section": 
"Access Control (AC)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "guardduty_is_enabled",
+ "securityhub_enabled"
+ ]
+ },
+ {
+ "Id": "ac_17_2",
+ "Name": "AC-17(2) Protection Of Confidentiality/Integrity Using Encryption",
+ "Description": "The information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.",
+ "Attributes": [
+ {
+ "ItemId": "ac_17_2",
+ "Section": "Access Control (AC)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "acm_certificates_expiration_check",
+ "elb_ssl_listeners",
+ "s3_bucket_secure_transport_policy"
+ ]
+ },
+ {
+ "Id": "ac_17_3",
+ "Name": "AC-17(3) Managed Access Control Points",
+ "Description": "The information system routes all remote accesses through organization-defined managed network access control points.",
+ "Attributes": [
+ {
+ "ItemId": "ac_17_3",
+ "Section": "Access Control (AC)",
+ "Service": "vpc"
+ }
+ ],
+ "Checks": []
+ },
+ {
+ "Id": "ac_21",
+ "Name": "Information Sharing (AC-21)",
+ "Description": "Facilitate information sharing. Enable authorized users to grant access to partners.",
+ "Attributes": [
+ {
+ "ItemId": "ac_21",
+ "Section": "Access Control (AC)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "ec2_ebs_public_snapshot",
+ "ec2_instance_public_ip",
+ "emr_cluster_master_nodes_no_public_ip",
+ "awslambda_function_url_public",
+ "rds_instance_no_public_access",
+ "rds_snapshots_public_access",
+ "redshift_cluster_public_access",
+ "s3_bucket_public_access",
+ "s3_bucket_policy_public_write_access",
+ "s3_bucket_public_access",
+ "sagemaker_notebook_instance_without_direct_internet_access_configured"
+ ]
+ },
+ {
+ "Id": "au_2",
+ "Name": "Event Logging (AU-2)",
+ "Description": "Automate security audit function with other organizational entities. 
Enable mutual support of audit of auditable events.",
+ "Attributes": [
+ {
+ "ItemId": "au_2",
+ "Section": "Audit and Accountability (AU)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "apigateway_logging_enabled",
+ "cloudtrail_multi_region_enabled",
+ "cloudtrail_s3_dataevents_read_enabled",
+ "cloudtrail_s3_dataevents_write_enabled",
+ "cloudtrail_multi_region_enabled",
+ "cloudtrail_cloudwatch_logging_enabled",
+ "elbv2_logging_enabled",
+ "elb_logging_enabled",
+ "rds_instance_integration_cloudwatch_logs",
+ "redshift_cluster_audit_logging",
+ "s3_bucket_server_access_logging_enabled",
+ "vpc_flow_logs_enabled"
+ ]
+ },
+ {
+ "Id": "au_3",
+ "Name": "Content of Audit Records (AU-3)",
+ "Description": "The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event.",
+ "Attributes": [
+ {
+ "ItemId": "au_3",
+ "Section": "Audit and Accountability (AU)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "apigateway_logging_enabled",
+ "cloudtrail_multi_region_enabled",
+ "cloudtrail_s3_dataevents_read_enabled",
+ "cloudtrail_s3_dataevents_write_enabled",
+ "cloudtrail_multi_region_enabled",
+ "cloudtrail_cloudwatch_logging_enabled",
+ "elbv2_logging_enabled",
+ "elb_logging_enabled",
+ "rds_instance_integration_cloudwatch_logs",
+ "redshift_cluster_audit_logging",
+ "s3_bucket_server_access_logging_enabled",
+ "vpc_flow_logs_enabled"
+ ]
+ },
+ {
+ "Id": "au_6_1",
+ "Name": "AU-6(1) Process Integration",
+ "Description": "The organization employs automated mechanisms to integrate audit review, analysis,and reporting processes to support organizational processes for investigation and response to suspicious activities.",
+ "Attributes": [
+ {
+ "ItemId": "au_6_1",
+ "Section": "Audit and Accountability (AU)",
+ "SubSection": "Audit Review, 
Analysis And Reporting (AU-6)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "cloudtrail_cloudwatch_logging_enabled",
+ "cloudwatch_changes_to_network_acls_alarm_configured",
+ "cloudwatch_changes_to_network_gateways_alarm_configured",
+ "cloudwatch_changes_to_network_route_tables_alarm_configured",
+ "cloudwatch_changes_to_vpcs_alarm_configured",
+ "guardduty_is_enabled",
+ "securityhub_enabled"
+ ]
+ },
+ {
+ "Id": "au_6_3",
+ "Name": "AU-6(3) Correlate Audit Repositories",
+ "Description": "The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness.",
+ "Attributes": [
+ {
+ "ItemId": "au_6_3",
+ "Section": "Audit and Accountability (AU)",
+ "SubSection": "Audit Review, Analysis And Reporting (AU-6)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "cloudtrail_cloudwatch_logging_enabled",
+ "cloudwatch_changes_to_network_acls_alarm_configured",
+ "cloudwatch_changes_to_network_gateways_alarm_configured",
+ "cloudwatch_changes_to_network_route_tables_alarm_configured",
+ "cloudwatch_changes_to_vpcs_alarm_configured",
+ "guardduty_is_enabled",
+ "securityhub_enabled"
+ ]
+ },
+ {
+ "Id": "au_7_1",
+ "Name": "AU-7(1) Automatic Processing",
+ "Description": "The information system provides the capability to process audit records for events of interest based on [Assignment: organization-defined audit fields within audit records].",
+ "Attributes": [
+ {
+ "ItemId": "au_7_1",
+ "Section": "Audit and Accountability (AU)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "cloudwatch_changes_to_network_acls_alarm_configured",
+ "cloudwatch_changes_to_network_gateways_alarm_configured",
+ "cloudwatch_changes_to_network_route_tables_alarm_configured",
+ "cloudwatch_changes_to_vpcs_alarm_configured",
+ "cloudtrail_cloudwatch_logging_enabled"
+ ]
+ },
+ {
+ "Id": "au_9_2",
+ "Name": "AU-9(2) Audit Backup On Separate Physical Systems / Components",
+ "Description": "The information system backs up audit records 
[Assignment: organization-defined frequency] onto a physically different system or system component than the system or component being audited.",
+ "Attributes": [
+ {
+ "ItemId": "au_9_2",
+ "Section": "Audit and Accountability (AU)",
+ "SubSection": "Protection of Audit Information (AU-9)",
+ "Service": "s3"
+ }
+ ],
+ "Checks": []
+ },
+ {
+ "Id": "au_9",
+ "Name": "Protection of Audit Information (AU-9)",
+ "Description": "The information system protects audit information and audit tools from unauthorized access, modification, and deletion.",
+ "Attributes": [
+ {
+ "ItemId": "au_9",
+ "Section": "Audit and Accountability (AU)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "cloudtrail_kms_encryption_enabled",
+ "cloudwatch_log_group_kms_encryption_enabled"
+ ]
+ },
+ {
+ "Id": "au_11",
+ "Name": "Audit Record Retention (AU-11)",
+ "Description": "The organization retains audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.",
+ "Attributes": [
+ {
+ "ItemId": "au_11",
+ "Section": "Audit and Accountability (AU)",
+ "Service": "cloudwatch"
+ }
+ ],
+ "Checks": [
+ "cloudwatch_log_group_retention_policy_specific_days_enabled"
+ ]
+ },
+ {
+ "Id": "au_12",
+ "Name": "Audit Generation (AU-12)",
+ "Description": "Audit events defined in AU-2. Allow trusted personnel to select which events to audit. 
Generate audit records for events.",
+ "Attributes": [
+ {
+ "ItemId": "au_12",
+ "Section": "Audit and Accountability (AU)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "apigateway_logging_enabled",
+ "cloudtrail_multi_region_enabled",
+ "cloudtrail_s3_dataevents_read_enabled",
+ "cloudtrail_s3_dataevents_write_enabled",
+ "cloudtrail_multi_region_enabled",
+ "cloudtrail_cloudwatch_logging_enabled",
+ "elbv2_logging_enabled",
+ "elb_logging_enabled",
+ "rds_instance_integration_cloudwatch_logs",
+ "redshift_cluster_audit_logging",
+ "s3_bucket_server_access_logging_enabled",
+ "vpc_flow_logs_enabled"
+ ]
+ },
+ {
+ "Id": "ca_7",
+ "Name": "Continuous Monitoring (CA-7)",
+ "Description": "Continuously monitor configuration management processes. Determine security impact, environment and operational risks.",
+ "Attributes": [
+ {
+ "ItemId": "ca_7",
+ "Section": "Security Assessment And Authorization (CA)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "cloudtrail_cloudwatch_logging_enabled",
+ "cloudwatch_changes_to_network_acls_alarm_configured",
+ "cloudwatch_changes_to_network_gateways_alarm_configured",
+ "cloudwatch_changes_to_network_route_tables_alarm_configured",
+ "cloudwatch_changes_to_vpcs_alarm_configured",
+ "ec2_instance_imdsv2_enabled",
+ "guardduty_is_enabled",
+ "rds_instance_enhanced_monitoring_enabled",
+ "securityhub_enabled"
+ ]
+ },
+ {
+ "Id": "cm_2",
+ "Name": "Baseline Configuration (CM-2)",
+ "Description": "The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system.",
+ "Attributes": [
+ {
+ "ItemId": "cm_2",
+ "Section": "Configuration Management (CM)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "cloudtrail_multi_region_enabled",
+ "ec2_instance_managed_by_ssm",
+ "ec2_instance_older_than_specific_days",
+ "elbv2_deletion_protection",
+ "ssm_managed_compliant_patching",
+ "ec2_networkacl_allow_ingress_any_port"
+ ]
+ },
+ {
+ "Id": "cm_7",
+ "Name": "Least 
Functionality (CM-7)",
+ "Description": "The organization configures the information system to provide only essential capabilities and prohibits or restricts the use of the functions, ports, protocols, and/or services.",
+ "Attributes": [
+ {
+ "ItemId": "cm_7",
+ "Section": "Configuration Management (CM)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "ec2_instance_managed_by_ssm",
+ "ssm_managed_compliant_patching"
+ ]
+ },
+ {
+ "Id": "cm_8_1",
+ "Name": "CM-8(1) Updates During Installation / Removals",
+ "Description": "The organization develops and documents an inventory of information system components that accurately reflects the current information system, includes all components within the authorization boundary of the information system, is at the level of granularity deemed necessary for tracking and reporting and reviews and updates the information system component inventory.",
+ "Attributes": [
+ {
+ "ItemId": "cm_8_1",
+ "Section": "Configuration Management (CM)",
+ "SubSection": "Information System Component Inventory (CM-8)",
+ "Service": "ec2"
+ }
+ ],
+ "Checks": [
+ "ec2_instance_managed_by_ssm"
+ ]
+ },
+ {
+ "Id": "cm_8_3",
+ "Name": "CM-8(3) Automated Unauthorized Component Detection",
+ "Description": "The organization employs automated mechanisms to detect the presence of unauthorized hardware, software, and firmware components within the information system and takes actions (disables network access by such components, isolates the components etc) when unauthorized components are detected.",
+ "Attributes": [
+ {
+ "ItemId": "cm_8_3",
+ "Section": "Configuration Management (CM)",
+ "SubSection": "Information System Component Inventory (CM-8)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "ec2_instance_managed_by_ssm",
+ "ssm_managed_compliant_patching",
+ "ssm_managed_compliant_patching"
+ ]
+ },
+ {
+ "Id": "cp_9",
+ "Name": "Information System Backup (CP-9)",
+ "Description": "The organization conducts backups of user-level information, 
system-level information and information system documentation including security-related documentation contained in the information system and protects the confidentiality, integrity, and availability of backup information at storage locations.", + "Attributes": [ + { + "ItemId": "cp_9", + "Section": "Contingency Planning (CP)", + "Service": "aws" + } + ], + "Checks": [ + "dynamodb_tables_pitr_enabled", + "efs_have_backup_enabled", + "rds_instance_backup_enabled", + "rds_instance_backup_enabled" + ] + }, + { + "Id": "cp_10", + "Name": "Information System Recovery And Reconstitution (CP-10)", + "Description": "The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure.", + "Attributes": [ + { + "ItemId": "cp_10", + "Section": "Contingency Planning (CP)", + "Service": "aws" + } + ], + "Checks": [ + "dynamodb_tables_pitr_enabled", + "efs_have_backup_enabled", + "elbv2_deletion_protection", + "rds_instance_backup_enabled", + "rds_instance_backup_enabled", + "rds_instance_multi_az", + "s3_bucket_object_versioning" + ] + }, + { + "Id": "ia_2_1", + "Name": "IA-2(1) Network Access To Privileged Accounts", + "Description": "The information system implements multi-factor authentication for network access to privileged accounts.", + "Attributes": [ + { + "ItemId": "ia_2_1", + "Section": "Identification and Authentication (IA)", + "SubSection": "Identification and Authentication (Organizational users) (IA-2)", + "Service": "iam" + } + ], + "Checks": [ + "iam_root_hardware_mfa_enabled", + "iam_root_mfa_enabled", + "iam_user_mfa_enabled_console_access", + "iam_user_mfa_enabled_console_access" + ] + }, + { + "Id": "ia_2_2", + "Name": "IA-2(2) Network Access To Non-Privileged Accounts", + "Description": "The information system implements multifactor authentication for network access to non-privileged accounts.", + "Attributes": [ + { + "ItemId": "ia_2_2", + "Section": "Identification and 
Authentication (IA)", + "SubSection": "Identification and Authentication (Organizational users) (IA-2)", + "Service": "iam" + } + ], + "Checks": [ + "iam_user_mfa_enabled_console_access", + "iam_user_mfa_enabled_console_access" + ] + }, + { + "Id": "ia_2_11", + "Name": "IA-2(11) Remote Access - Separate Device", + "Description": "The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements].", + "Attributes": [ + { + "ItemId": "ia_2_11", + "Section": "Identification and Authentication (IA)", + "SubSection": "Identification and Authentication (Organizational users) (IA-2)", + "Service": "iam" + } + ], + "Checks": [ + "iam_root_hardware_mfa_enabled", + "iam_root_mfa_enabled", + "iam_user_mfa_enabled_console_access", + "iam_user_mfa_enabled_console_access" + ] + }, + { + "Id": "ia_2", + "Name": "Identification and Authentication (Organizational users) (IA-2)", + "Description": "The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).", + "Attributes": [ + { + "ItemId": "ia_2", + "Section": "Identification and Authentication (IA)", + "Service": "aws" + } + ], + "Checks": [ + "iam_password_policy_reuse_24" + ] + }, + { + "Id": "ia_5_1", + "Name": "IA-5(1) Password-Based Authentication", + "Description": "The information system, for password-based authentication that enforces minimum password complexity, stores and transmits only cryptographically-protected passwords, enforces password minimum and maximum lifetime restrictions, prohibits password reuse, allows the use of a temporary password for system logons with an immediate change to a permanent password etc.", + "Attributes": [ + { + "ItemId": "ia_5_1", + "Section": "Identification and 
Authentication (IA)", + "SubSection": "Authenticator Management (IA-5)", + "Service": "iam" + } + ], + "Checks": [ + "iam_password_policy_reuse_24" + ] + }, + { + "Id": "ia_5_4", + "Name": "IA-5(4) Automated Support For Password Strength Determination", + "Description": "The organization employs automated tools to determine if password authenticators are sufficiently strong to satisfy [Assignment: organization-defined requirements].", + "Attributes": [ + { + "ItemId": "ia_5_4", + "Section": "Identification and Authentication (IA)", + "SubSection": "Authenticator Management (IA-5)", + "Service": "iam" + } + ], + "Checks": [ + "iam_password_policy_reuse_24" + ] + }, + { + "Id": "ia_5_7", + "Name": "IA-5(7) No Embedded Unencrypted Static Authenticators", + "Description": "The organization ensures that unencrypted static authenticators are not embedded in applications or access scripts or stored on function keys.", + "Attributes": [ + { + "ItemId": "ia_5_7", + "Section": "Identification and Authentication (IA)", + "SubSection": "Authenticator Management (IA-5)", + "Service": "codebuild" + } + ], + "Checks": [] + }, + { + "Id": "ir_4_1", + "Name": "IR-4(1) Automated Incident Handling Processes", + "Description": "The organization employs automated mechanisms to support the incident handling process.", + "Attributes": [ + { + "ItemId": "ir_4_1", + "Section": "Incident Response (IR)", + "SubSection": "Incident Handling (IR-4)", + "Service": "aws" + } + ], + "Checks": [ + "cloudwatch_changes_to_network_acls_alarm_configured", + "cloudwatch_changes_to_network_gateways_alarm_configured", + "cloudwatch_changes_to_network_route_tables_alarm_configured", + "cloudwatch_changes_to_vpcs_alarm_configured", + "guardduty_no_high_severity_findings" + ] + }, + { + "Id": "ir_6_1", + "Name": "IR-6(1) Automated Reporting", + "Description": "The organization employs automated mechanisms to assist in the reporting of security incidents.", + "Attributes": [ + { + "ItemId": "ir_6_1", + 
"Section": "Incident Response (IR)", + "SubSection": "Incident Reporting (IR-6)", + "Service": "guardduty" + } + ], + "Checks": [ + "guardduty_no_high_severity_findings" + ] + }, + { + "Id": "ir_7_1", + "Name": "IR-7(1) Automation Support For Availability Of Information / Support", + "Description": "The organization employs automated mechanisms to increase the availability of incident response-related information and support.", + "Attributes": [ + { + "ItemId": "ir_7_1", + "Section": "Incident Response (IR)", + "SubSection": "Incident Response Assistance (IR-7)", + "Service": "guardduty" + } + ], + "Checks": [ + "guardduty_no_high_severity_findings" + ] + }, + { + "Id": "ra_5", + "Name": "Vulnerability Scanning (RA-5)", + "Description": "Scan for system vulnerabilities. Share vulnerability information and security controls that eliminate vulnerabilities.", + "Attributes": [ + { + "ItemId": "ra_5", + "Section": "Risk Assessment (RA)", + "Service": "guardduty" + } + ], + "Checks": [ + "guardduty_is_enabled", + "guardduty_no_high_severity_findings" + ] + }, + { + "Id": "sa_3", + "Name": "System Development Life Cycle (SA-3)", + "Description": "The organization manages the information system using organization-defined system development life cycle, defines and documents information security roles and responsibilities throughout the system development life cycle, identifies individuals having information security roles and responsibilities and integrates the organizational information security risk management process into system development life cycle activities.", + "Attributes": [ + { + "ItemId": "sa_3", + "Section": "System and Services Acquisition (SA)", + "Service": "aws" + } + ], + "Checks": [ + "ec2_instance_managed_by_ssm" + ] + }, + { + "Id": "sa_10", + "Name": "Developer Configuration Management (SA-10)", + "Description": "The organization requires the developer of the information system, system component, or information system service to: a. 
Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation]; b. Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management]; c. Implement only organization-approved changes to the system, component, or service; d. Document approved changes to the system, component, or service and the potential security impacts of such changes; and e. Track security flaws and flaw resolution within the system, component, or service and report findings to [Assignment: organization-defined personnel].", + "Attributes": [ + { + "ItemId": "sa_10", + "Section": "System and Services Acquisition (SA)", + "Service": "aws" + } + ], + "Checks": [ + "ec2_instance_managed_by_ssm", + "guardduty_is_enabled", + "guardduty_no_high_severity_findings", + "securityhub_enabled" + ] + }, + { + "Id": "sc_2", + "Name": "Application Partitioning (SC-2)", + "Description": "The information system separates user functionality (including user interface services) from information system management functionality.", + "Attributes": [ + { + "ItemId": "sc_2", + "Section": "System and Communications Protection (SC)", + "Service": "iam" + } + ], + "Checks": [ + "iam_policy_no_administrative_privileges" + ] + }, + { + "Id": "sc_4", + "Name": "Information In Shared Resources (SC-4)", + "Description": "The information system prevents unauthorized and unintended information transfer via shared system resources.", + "Attributes": [ + { + "ItemId": "sc_4", + "Section": "System and Communications Protection (SC)", + "Service": "ebs" + } + ], + "Checks": [] + }, + { + "Id": "sc_5", + "Name": "Denial Of Service Protection (SC-5)", + "Description": "The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined types of denial of service attacks or references to sources for 
such information] by employing [Assignment: organization-defined security safeguards].", + "Attributes": [ + { + "ItemId": "sc_5", + "Section": "System and Communications Protection (SC)", + "Service": "aws" + } + ], + "Checks": [ + "rds_instance_deletion_protection", + "rds_instance_multi_az" + ] + }, + { + "Id": "sc_7_3", + "Name": "SC-7(3) Access Points", + "Description": "The organization limits the number of external network connections to the information system.", + "Attributes": [ + { + "ItemId": "sc_7_3", + "Section": "System and Communications Protection (SC)", + "SubSection": "Boundary Protection (SC-7)", + "Service": "aws" + } + ], + "Checks": [ + "ec2_ebs_public_snapshot", + "ec2_instance_public_ip", + "emr_cluster_master_nodes_no_public_ip", + "awslambda_function_not_publicly_accessible", + "awslambda_function_url_public", + "rds_instance_no_public_access", + "rds_snapshots_public_access", + "redshift_cluster_public_access", + "s3_bucket_public_access", + "s3_bucket_policy_public_write_access", + "s3_account_level_public_access_blocks", + "sagemaker_notebook_instance_without_direct_internet_access_configured", + "ec2_securitygroup_default_restrict_traffic", + "ec2_networkacl_allow_ingress_any_port", + "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22", + "ec2_networkacl_allow_ingress_any_port" + ] + }, + { + "Id": "sc_7", + "Name": "Boundary Protection (SC-7)", + "Description": "The information system: a. Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; b. Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and c. 
Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.", + "Attributes": [ + { + "ItemId": "sc_7", + "Section": "System and Communications Protection (SC)", + "Service": "aws" + } + ], + "Checks": [ + "ec2_ebs_public_snapshot", + "ec2_instance_public_ip", + "elbv2_waf_acl_attached", + "elb_ssl_listeners", + "emr_cluster_master_nodes_no_public_ip", + "opensearch_service_domains_node_to_node_encryption_enabled", + "awslambda_function_not_publicly_accessible", + "awslambda_function_url_public", + "rds_instance_no_public_access", + "rds_snapshots_public_access", + "redshift_cluster_public_access", + "s3_bucket_secure_transport_policy", + "s3_bucket_public_access", + "s3_bucket_policy_public_write_access", + "s3_account_level_public_access_blocks", + "sagemaker_notebook_instance_without_direct_internet_access_configured", + "ec2_securitygroup_default_restrict_traffic", + "ec2_networkacl_allow_ingress_any_port", + "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22", + "ec2_networkacl_allow_ingress_any_port" + ] + }, + { + "Id": "sc_8_1", + "Name": "SC-8(1) Cryptographic Or Alternate Physical Protection", + "Description": "The information system implements cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission unless otherwise protected by [Assignment: organization-defined alternative physical safeguards].", + "Attributes": [ + { + "ItemId": "sc_8_1", + "Section": "System and Communications Protection (SC)", + "SubSection": "Transmission Confidentiality And Integrity (SC-8)", + "Service": "aws" + } + ], + "Checks": [ + "elb_ssl_listeners", + "opensearch_service_domains_node_to_node_encryption_enabled", + "s3_bucket_secure_transport_policy" + ] + }, + { + "Id": "sc_8", + "Name": "Transmission Confidentiality And Integrity 
(SC-8)", + "Description": "The information system protects the [Selection (one or more): confidentiality; integrity] of transmitted information.", + "Attributes": [ + { + "ItemId": "sc_8", + "Section": "System and Communications Protection (SC)", + "Service": "aws" + } + ], + "Checks": [ + "elb_ssl_listeners", + "opensearch_service_domains_node_to_node_encryption_enabled", + "s3_bucket_secure_transport_policy" + ] + }, + { + "Id": "sc_12", + "Name": "Cryptographic Key Establishment And Management (SC-12)", + "Description": "The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction].", + "Attributes": [ + { + "ItemId": "sc_12", + "Section": "System and Communications Protection (SC)", + "Service": "aws" + } + ], + "Checks": [ + "acm_certificates_expiration_check", + "kms_cmk_rotation_enabled" + ] + }, + { + "Id": "sc_13", + "Name": "Cryptographic Protection (SC-13)", + "Description": "The information system implements [Assignment: organization-defined cryptographic uses and type of cryptography required for each use] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.", + "Attributes": [ + { + "ItemId": "sc_13", + "Section": "System and Communications Protection (SC)", + "Service": "dynamodb" + } + ], + "Checks": [ + "dynamodb_tables_kms_cmk_encryption_enabled" + ] + }, + { + "Id": "sc_23", + "Name": "Session Authenticity (SC-23)", + "Description": "The information system protects the authenticity of communications sessions.", + "Attributes": [ + { + "ItemId": "sc_23", + "Section": "System and Communications Protection (SC)", + "Service": "elb" + } + ], + "Checks": [] + }, + { + "Id": "sc_28", + "Name": "Protection Of Information At Rest (SC-28)", + "Description": "The information system protects the [Selection 
(one or more): confidentiality; integrity] of [Assignment: organization-defined information at rest].", + "Attributes": [ + { + "ItemId": "sc_28", + "Section": "System and Communications Protection (SC)", + "Service": "aws" + } + ], + "Checks": [ + "cloudtrail_kms_encryption_enabled", + "ec2_ebs_volume_encryption", + "ec2_ebs_default_encryption", + "efs_encryption_at_rest_enabled", + "opensearch_service_domains_encryption_at_rest_enabled", + "cloudwatch_log_group_kms_encryption_enabled", + "rds_instance_storage_encrypted", + "rds_instance_storage_encrypted", + "redshift_cluster_audit_logging", + "s3_bucket_default_encryption", + "sagemaker_notebook_instance_encryption_enabled", + "sns_topics_kms_encryption_at_rest_enabled" + ] + }, + { + "Id": "si_2_2", + "Name": "SI-2(2) Automates Flaw Remediation Status", + "Description": "The organization employs automated mechanisms to determine the state of information system components with regard to flaw remediation.", + "Attributes": [ + { + "ItemId": "si_2_2", + "Section": "System and Information Integrity (SI)", + "SubSection": "Flaw Remediation (SI-2)", + "Service": "aws" + } + ], + "Checks": [ + "ec2_instance_managed_by_ssm", + "ssm_managed_compliant_patching", + "ssm_managed_compliant_patching" + ] + }, + { + "Id": "si_4_1", + "Name": "SI-4(1) System-Wide Intrusion Detection System", + "Description": "The organization connects and configures individual intrusion detection tools into an information system-wide intrusion detection system.", + "Attributes": [ + { + "ItemId": "si_4_1", + "Section": "System and Information Integrity (SI)", + "SubSection": "Information System Monitoring (SI-4)", + "Service": "guardduty" + } + ], + "Checks": [ + "guardduty_is_enabled" + ] + }, + { + "Id": "si_4_2", + "Name": "SI-4(2) Automated Tools For Real-Time Analysis", + "Description": "The organization employs automated tools to support near real-time analysis of events.", + "Attributes": [ + { + "ItemId": "si_4_2", + "Section": "System 
and Information Integrity (SI)", + "SubSection": "Information System Monitoring (SI-4)", + "Service": "aws" + } + ], + "Checks": [ + "cloudtrail_cloudwatch_logging_enabled", + "cloudwatch_changes_to_network_acls_alarm_configured", + "cloudwatch_changes_to_network_gateways_alarm_configured", + "cloudwatch_changes_to_network_route_tables_alarm_configured", + "cloudwatch_changes_to_vpcs_alarm_configured", + "ec2_instance_imdsv2_enabled", + "guardduty_is_enabled", + "securityhub_enabled" + ] + }, + { + "Id": "si_4_4", + "Name": "SI-4(4) Inbound and Outbound Communications Traffic", + "Description": "The information system monitors inbound and outbound communications traffic continuously for unusual or unauthorized activities or conditions.", + "Attributes": [ + { + "ItemId": "si_4_4", + "Section": "System and Information Integrity (SI)", + "SubSection": "Information System Monitoring (SI-4)", + "Service": "aws" + } + ], + "Checks": [ + "cloudtrail_cloudwatch_logging_enabled", + "cloudwatch_changes_to_network_acls_alarm_configured", + "cloudwatch_changes_to_network_gateways_alarm_configured", + "cloudwatch_changes_to_network_route_tables_alarm_configured", + "cloudwatch_changes_to_vpcs_alarm_configured", + "guardduty_is_enabled", + "securityhub_enabled" + ] + }, + { + "Id": "si_4_5", + "Name": "SI-4(5) System-Generated Alerts", + "Description": "The information system alerts organization-defined personnel or roles when the following indications of compromise or potential compromise occur: [Assignment: organization-defined compromise indicators].", + "Attributes": [ + { + "ItemId": "si_4_5", + "Section": "System and Information Integrity (SI)", + "SubSection": "Information System Monitoring (SI-4)", + "Service": "aws" + } + ], + "Checks": [ + "cloudtrail_cloudwatch_logging_enabled", + "cloudwatch_changes_to_network_acls_alarm_configured", + "cloudwatch_changes_to_network_gateways_alarm_configured", + "cloudwatch_changes_to_network_route_tables_alarm_configured", + 
"cloudwatch_changes_to_vpcs_alarm_configured", + "guardduty_is_enabled", + "securityhub_enabled" + ] + }, + { + "Id": "si_4_16", + "Name": "SI-4(16) Correlate Monitoring Information", + "Description": "The organization correlates information from monitoring tools employed throughout the information system.", + "Attributes": [ + { + "ItemId": "si_4_16", + "Section": "System and Information Integrity (SI)", + "SubSection": "Information System Monitoring (SI-4)", + "Service": "aws" + } + ], + "Checks": [ + "guardduty_is_enabled", + "securityhub_enabled" + ] + }, + { + "Id": "si_4", + "Name": "Information System Monitoring (SI-4)", + "Description": "The organization: a.Monitors the information system to detect: 1. Attacks and indicators of potential attacks in accordance with [Assignment: organization-defined monitoring objectives]; and 2.Unauthorized local, network, and remote connections; b. Identifies unauthorized use of the information system through [Assignment: organization-defined techniques and methods]; c. Deploys monitoring devices: 1. Strategically within the information system to collect organization-determined essential information; and 2. At ad hoc locations within the system to track specific types of transactions of interest to the organization; d. Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion; e. Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information; f. Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and g. 
Provides [Assignment: organization-defined information system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]].", + "Attributes": [ + { + "ItemId": "si_4", + "Section": "System and Information Integrity (SI)", + "Service": "aws" + } + ], + "Checks": [ + "cloudtrail_cloudwatch_logging_enabled", + "cloudwatch_changes_to_network_acls_alarm_configured", + "cloudwatch_changes_to_network_gateways_alarm_configured", + "cloudwatch_changes_to_network_route_tables_alarm_configured", + "cloudwatch_changes_to_vpcs_alarm_configured", + "ec2_instance_imdsv2_enabled", + "elbv2_waf_acl_attached", + "guardduty_is_enabled", + "guardduty_no_high_severity_findings", + "securityhub_enabled" + ] + }, + { + "Id": "si_7_1", + "Name": "SI-7(1) Integrity Checks", + "Description": "The information system performs an integrity check of security relevant events at least monthly.", + "Attributes": [ + { + "ItemId": "si_7_1", + "Section": "System and Information Integrity (SI)", + "SubSection": "Software, Firmware, and Information Integrity (SI-7)", + "Service": "aws" + } + ], + "Checks": [ + "cloudtrail_log_file_validation_enabled", + "ec2_instance_managed_by_ssm", + "ssm_managed_compliant_patching" + ] + }, + { + "Id": "si_7", + "Name": "Software, Firmware, and Information Integrity (SI-7)", + "Description": "The organization employs integrity verification tools to detect unauthorized changes to [Assignment: organization-defined software, firmware, and information].", + "Attributes": [ + { + "ItemId": "si_7", + "Section": "System and Information Integrity (SI)", + "Service": "aws" + } + ], + "Checks": [ + "cloudtrail_log_file_validation_enabled" + ] + }, + { + "Id": "si_12", + "Name": "Information Handling and Retention (SI-12)", + "Description": "The organization handles and retains information within the information system and information output from the system in accordance 
with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.",
+ "Attributes": [
+ {
+ "ItemId": "si_12",
+ "Section": "System and Information Integrity (SI)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "cloudwatch_log_group_retention_policy_specific_days_enabled",
+ "dynamodb_tables_pitr_enabled",
+ "efs_have_backup_enabled",
+ "rds_instance_backup_enabled",
+ "rds_instance_backup_enabled",
+ "s3_bucket_object_versioning"
+ ]
+ }
+ ]
+}
diff --git a/prowler/compliance/aws/nist_800_53_revision_5_aws.json b/prowler/compliance/aws/nist_800_53_revision_5_aws.json
new file mode 100644
index 00000000..57a7a77f
--- /dev/null
+++ b/prowler/compliance/aws/nist_800_53_revision_5_aws.json
@@ -0,0 +1,6291 @@
+{
+ "Framework": "NIST-800-53-Revision-5",
+ "Version": "",
+ "Provider": "AWS",
+ "Description": "The NIST 800-53 (Rev. 5) Low-Moderate-High framework represents the security controls and the associated assessment procedures that are defined in NIST SP 800-53 Revision 5 Recommended Security Controls for Federal Information Systems and Organizations. For any discrepancies that are noted in the content between this NIST SP 800-53 framework and the latest published NIST Special Publication SP 800-53 Revision 5, refer to the official published documents that are available at the NIST Computer Security Resource Center.",
+ "Requirements": [
+ {
+ "Id": "ac_2_1",
+ "Name": "AC-2(1) Automated System Account Management",
+ "Description": "Support the management of system accounts using [Assignment: organization-defined automated mechanisms].",
+ "Attributes": [
+ {
+ "ItemId": "ac_2_1",
+ "Section": "Access Control (AC)",
+ "SubSection": "Account Management (AC-2)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "iam_password_policy_minimum_length_14",
+ "iam_policy_attached_only_to_group_or_roles",
+ "iam_policy_no_administrative_privileges",
+ "iam_root_hardware_mfa_enabled",
+ "iam_root_mfa_enabled",
+ "iam_no_root_access_key",
+ "iam_rotate_access_key_90_days",
+ "iam_user_mfa_enabled_console_access",
+ "iam_user_mfa_enabled_console_access",
+ "iam_disable_90_days_credentials",
+ "secretsmanager_automatic_rotation_enabled"
+ ]
+ },
+ {
+ "Id": "ac_2_3_a",
+ "Name": "AC-2(3)(a)",
+ "Description": "Support the management of system accounts using [Assignment: organization-defined automated mechanisms].",
+ "Attributes": [
+ {
+ "ItemId": "ac_2_3_a",
+ "Section": "Access Control (AC)",
+ "SubSection": "Account Management (AC-2)",
+ "SubGroup": "AC-2(3) Disable Accounts",
+ "Service": "iam"
+ }
+ ],
+ "Checks": [
+ "iam_password_policy_minimum_length_14",
+ "iam_disable_90_days_credentials"
+ ]
+ },
+ {
+ "Id": "ac_2_3_b",
+ "Name": "AC-2(3)(b)",
+ 
"Description": "Disable accounts within [Assignment: organization-defined time period] when the accounts: (b) Are no longer associated with a user or individual.",
+ "Attributes": [
+ {
+ "ItemId": "ac_2_3_b",
+ "Section": "Access Control (AC)",
+ "SubSection": "Account Management (AC-2)",
+ "SubGroup": "AC-2(3) Disable Accounts",
+ "Service": "iam"
+ }
+ ],
+ "Checks": [
+ "iam_password_policy_minimum_length_14",
+ "iam_disable_90_days_credentials"
+ ]
+ },
+ {
+ "Id": "ac_2_3_c",
+ "Name": "AC-2(3)(c)",
+ "Description": "Disable accounts within [Assignment: organization-defined time period] when the accounts: (c) Are in violation of organizational policy.",
+ "Attributes": [
+ {
+ "ItemId": "ac_2_3_c",
+ "Section": "Access Control (AC)",
+ "SubSection": "Account Management (AC-2)",
+ "SubGroup": "AC-2(3) Disable Accounts",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "iam_password_policy_minimum_length_14",
+ "iam_disable_90_days_credentials"
+ ]
+ },
+ {
+ "Id": "ac_2_3_d",
+ "Name": "AC-2(3)(d)",
+ "Description": "Disable accounts within [Assignment: organization-defined time period] when the accounts: (d) Have been inactive for [Assignment: organization-defined time period].",
+ "Attributes": [
+ {
+ "ItemId": "ac_2_3_d",
+ "Section": "Access Control (AC)",
+ "SubSection": "Account Management (AC-2)",
+ "SubGroup": "AC-2(3) Disable Accounts",
+ "Service": "iam"
+ }
+ ],
+ "Checks": [
+ "iam_password_policy_minimum_length_14",
+ "iam_disable_90_days_credentials"
+ ]
+ },
+ {
+ "Id": "ac_2_3",
+ "Name": "AC-2(3) Disable Accounts",
+ "Description": "Disable accounts within [Assignment: organization-defined time period] when the accounts: (a) Have expired; (b) Are no longer associated with a user or individual; (c) Are in violation of organizational policy; or (d) Have been inactive for [Assignment: organization-defined time period].",
+ "Attributes": [
+ {
+ "ItemId": "ac_2_3",
+ "Section": "Access Control (AC)",
+ "SubSection": "Account Management (AC-2)",
+ 
"Service": "aws"
+ }
+ ],
+ "Checks": [
+ "iam_password_policy_minimum_length_14",
+ "iam_disable_90_days_credentials"
+ ]
+ },
+ {
+ "Id": "ac_2_4",
+ "Name": "AC-2(4) Automated Audit Actions",
+ "Description": "Automatically audit account creation, modification, enabling, disabling, and removal actions.",
+ "Attributes": [
+ {
+ "ItemId": "ac_2_4",
+ "Section": "Access Control (AC)",
+ "SubSection": "Account Management (AC-2)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "cloudtrail_multi_region_enabled",
+ "cloudtrail_s3_dataevents_read_enabled",
+ "cloudtrail_s3_dataevents_write_enabled",
+ "cloudtrail_multi_region_enabled",
+ "cloudtrail_cloudwatch_logging_enabled",
+ "rds_instance_integration_cloudwatch_logs",
+ "redshift_cluster_audit_logging",
+ "s3_bucket_server_access_logging_enabled"
+ ]
+ },
+ {
+ "Id": "ac_2_6",
+ "Name": "AC-2(6) Dynamic Privilege Management",
+ "Description": "Implement [Assignment: organization-defined dynamic privilege management capabilities].",
+ "Attributes": [
+ {
+ "ItemId": "ac_2_6",
+ "Section": "Access Control (AC)",
+ "SubSection": "Account Management (AC-2)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "ec2_ebs_public_snapshot",
+ "ec2_instance_public_ip",
+ "ec2_instance_imdsv2_enabled",
+ "emr_cluster_master_nodes_no_public_ip",
+ "iam_policy_attached_only_to_group_or_roles",
+ "iam_policy_no_administrative_privileges",
+ "iam_no_root_access_key",
+ "iam_disable_90_days_credentials",
+ "awslambda_function_not_publicly_accessible",
+ "awslambda_function_url_public",
+ "rds_instance_no_public_access",
+ "rds_snapshots_public_access",
+ "redshift_cluster_public_access",
+ "s3_bucket_public_access",
+ "s3_bucket_policy_public_write_access",
+ "s3_account_level_public_access_blocks",
+ "s3_bucket_public_access",
+ "sagemaker_notebook_instance_without_direct_internet_access_configured"
+ ]
+ },
+ {
+ "Id": "ac_2_12_a",
+ "Name": "AC-2(12)(a)",
+ "Description": "Monitor system accounts for [Assignment: organization-defined 
atypical usage].",
+ "Attributes": [
+ {
+ "ItemId": "ac_2_12_a",
+ "Section": "Access Control (AC)",
+ "SubSection": "Account Management (AC-2)",
+ "SubGroup": "AC-2(12) Account Monitoring",
+ "Service": "guarduty"
+ }
+ ],
+ "Checks": [
+ "guardduty_is_enabled"
+ ]
+ },
+ {
+ "Id": "ac_2_d_1",
+ "Name": "AC-2(d)(1)",
+ "Description": "d. Specify: 1. Authorized users of the system;personnel termination and transfer processes.",
+ "Attributes": [
+ {
+ "ItemId": "ac_2_d_1",
+ "Section": "Access Control (AC)",
+ "SubSection": "Account Management (AC-2)",
+ "Service": "iam"
+ }
+ ],
+ "Checks": [
+ "iam_password_policy_minimum_length_14"
+ ]
+ },
+ {
+ "Id": "ac_2_g",
+ "Name": "AC-2(g)",
+ "Description": "The organization: g. Monitors the use of information system accounts.",
+ "Attributes": [
+ {
+ "ItemId": "ac_2_g",
+ "Section": "Access Control (AC)",
+ "SubSection": "Account Management (AC-2)",
+ "Service": "iam"
+ }
+ ],
+ "Checks": [
+ "iam_disable_90_days_credentials"
+ ]
+ },
+ {
+ "Id": "ac_2_i_2",
+ "Name": "AC-2(i)(2)",
+ "Description": "i. Authorize access to the system based on: 2. Intended system usage.",
+ "Attributes": [
+ {
+ "ItemId": "ac_2_¡_2",
+ "Section": "Access Control (AC)",
+ "SubSection": "Account Management (AC-2)",
+ "Service": "iam"
+ }
+ ],
+ "Checks": [
+ "iam_policy_attached_only_to_group_or_roles",
+ "iam_policy_no_administrative_privileges"
+ ]
+ },
+ {
+ "Id": "ac_2_j",
+ "Name": "AC-2(j)",
+ "Description": "The organization: j. 
Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency].",
+ "Attributes": [
+ {
+ "ItemId": "ac_2_j",
+ "Section": "Access Control (AC)",
+ "SubSection": "Account Management (AC-2)",
+ "Service": "iam"
+ }
+ ],
+ "Checks": [
+ "iam_disable_90_days_credentials"
+ ]
+ },
+ {
+ "Id": "ac_3",
+ "Name": "Access Enforcement (AC-3)",
+ "Description": "Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.",
+ "Attributes": [
+ {
+ "ItemId": "ac_3",
+ "Section": "Access Control (AC)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "ec2_ebs_public_snapshot",
+ "ec2_instance_profile_attached",
+ "ec2_instance_public_ip",
+ "ec2_instance_imdsv2_enabled",
+ "emr_cluster_master_nodes_no_public_ip",
+ "iam_policy_no_administrative_privileges",
+ "iam_policy_attached_only_to_group_or_roles",
+ "iam_policy_no_administrative_privileges",
+ "iam_disable_90_days_credentials",
+ "awslambda_function_not_publicly_accessible",
+ "awslambda_function_url_public",
+ "rds_instance_no_public_access",
+ "rds_snapshots_public_access",
+ "redshift_cluster_public_access",
+ "s3_bucket_public_access",
+ "s3_bucket_policy_public_write_access",
+ "s3_account_level_public_access_blocks",
+ "s3_bucket_public_access",
+ "sagemaker_notebook_instance_without_direct_internet_access_configured"
+ ]
+ },
+ {
+ "Id": "ac_3_1",
+ "Name": "AC-3(1) Restricted Access To Privileged Functions",
+ "Description": "Employ an audited override of automated access control mechanisms under [Assignment: organization-defined conditions] by [Assignment: organization-defined roles].",
+ "Attributes": [
+ {
+ "ItemId": "ac_3_1",
+ "Section": "Access Control (AC)",
+ "SubSection": "Access Enforcement (AC-3)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "cloudtrail_multi_region_enabled",
+ "cloudtrail_cloudwatch_logging_enabled",
+ "cloudtrail_multi_region_enabled",
+ 
"cloudtrail_s3_dataevents_read_enabled", + "cloudtrail_s3_dataevents_write_enabled", + "rds_instance_integration_cloudwatch_logs", + "redshift_cluster_audit_logging", + "s3_bucket_server_access_logging_enabled" + ] + }, + { + "Id": "ac_3_2", + "Name": "AC-3(2) Dual Authorization", + "Description": "Enforce dual authorization for [Assignment: organization-defined privileged commands and/or other organization-defined actions].", + "Attributes": [ + { + "ItemId": "ac_3_2", + "Section": "Access Control (AC)", + "SubSection": "Access Enforcement (AC-3)", + "Service": "iam" + } + ], + "Checks": [ + "iam_root_hardware_mfa_enabled", + "iam_root_mfa_enabled", + "iam_user_mfa_enabled_console_access", + "iam_user_mfa_enabled_console_access" + ] + }, + { + "Id": "ac_3_3", + "Name": "AC-3(3) Mandatory Access Control", + "Description": "Enforce [Assignment: organization-defined mandatory access control policy] over the set of covered subjects and objects specified in the policy, and where the policy: (a) Is uniformly enforced across the covered subjects and objects within the system; (b) Specifies that a subject that has been granted access to information is constrained from doing any of the following; (1) Passing the information to unauthorized subjects or objects; (2) Granting its privileges to other subjects; (3) Changing one or more security attributes (specified by the policy) on subjects, objects, the system, or system components; (4) Choosing the security attributes and attribute values (specified by the policy) to be associated with newly created or modified objects; and (5) Changing the rules governing access control; and (c) Specifies that [Assignment: organization-defined subjects] may explicitly be granted [Assignment: organization-defined privileges] such that they are not limited by any defined subset (or all) of the above constraints.", + "Attributes": [ + { + "ItemId": "ac_3_3", + "Section": "Access Control (AC)", + "SubSection": "Access Enforcement (AC-3)", + 
"Service": "aws" + } + ], + "Checks": [ + "ec2_instance_imdsv2_enabled", + "iam_password_policy_minimum_length_14", + "iam_policy_attached_only_to_group_or_roles", + "iam_policy_no_administrative_privileges", + "iam_root_hardware_mfa_enabled", + "iam_root_mfa_enabled", + "iam_no_root_access_key", + "iam_rotate_access_key_90_days", + "iam_user_mfa_enabled_console_access", + "iam_user_mfa_enabled_console_access", + "iam_disable_90_days_credentials", + "secretsmanager_automatic_rotation_enabled" + ] + }, + { + "Id": "ac_3_3_a", + "Name": "AC-3(3)(a)", + "Description": "Enforce [Assignment: organization-defined mandatory access policy] over the set of covered subjects and objects specified in the policy, and where the policy: (a) Is uniformly enforced across the covered subjects and objects within the system.", + "Attributes": [ + { + "ItemId": "ac_3_3_a", + "Section": "Access Control (AC)", + "SubSection": "Access Enforcement (AC-3)", + "SubGroup": "AC-3(3) Mandatory Access Control", + "Service": "aws" + } + ], + "Checks": [ + "ec2_instance_imdsv2_enabled", + "iam_password_policy_minimum_length_14", + "iam_policy_attached_only_to_group_or_roles", + "iam_policy_no_administrative_privileges", + "iam_root_hardware_mfa_enabled", + "iam_root_mfa_enabled", + "iam_no_root_access_key", + "iam_rotate_access_key_90_days", + "iam_user_mfa_enabled_console_access", + "iam_user_mfa_enabled_console_access", + "iam_disable_90_days_credentials", + "secretsmanager_automatic_rotation_enabled" + ] + }, + { + "Id": "ac_3_3_b_1", + "Name": "AC-3(3)(b)(1)", + "Description": "Enforce [Assignment: organization-defined mandatory access policy] over the set of covered subjects and objects specified in the policy, and where the policy: (b) Specifies that a subject that has been granted access to information is constrained from doing any of the following; (1) Passing the information to unauthorized subjects or objects.", + "Attributes": [ + { + "ItemId": "ac_3_3_b_1", + "Section": "Access Control 
(AC)", + "SubSection": "Access Enforcement (AC-3)", + "SubGroup": "AC-3(3) Mandatory Access Control", + "Service": "aws" + } + ], + "Checks": [ + "ec2_instance_imdsv2_enabled", + "iam_password_policy_minimum_length_14", + "iam_policy_attached_only_to_group_or_roles", + "iam_policy_no_administrative_privileges", + "iam_root_hardware_mfa_enabled", + "iam_root_mfa_enabled", + "iam_no_root_access_key", + "iam_rotate_access_key_90_days", + "iam_user_mfa_enabled_console_access", + "iam_user_mfa_enabled_console_access", + "iam_disable_90_days_credentials", + "secretsmanager_automatic_rotation_enabled" + ] + }, + { + "Id": "ac_3_3_b_2", + "Name": "AC-3(3)(b)(2)", + "Description": "Enforce [Assignment: organization-defined mandatory access policy] over the set of covered subjects and objects specified in the policy, and where the policy: (b) Specifies that a subject that has been granted access to information is constrained from doing any of the following; (2) Granting its privileges to other subjects.", + "Attributes": [ + { + "ItemId": "ac_3_3_b_2", + "Section": "Access Control (AC)", + "SubSection": "Access Enforcement (AC-3)", + "SubGroup": "AC-3(3) Mandatory Access Control", + "Service": "aws" + } + ], + "Checks": [ + "ec2_instance_imdsv2_enabled", + "iam_password_policy_minimum_length_14", + "iam_policy_attached_only_to_group_or_roles", + "iam_policy_no_administrative_privileges", + "iam_root_hardware_mfa_enabled", + "iam_root_mfa_enabled", + "iam_no_root_access_key", + "iam_rotate_access_key_90_days", + "iam_user_mfa_enabled_console_access", + "iam_user_mfa_enabled_console_access", + "iam_disable_90_days_credentials", + "secretsmanager_automatic_rotation_enabled" + ] + }, + { + "Id": "ac_3_3_b_3", + "Name": "AC-3(3)(b)(3)", + "Description": "Enforce [Assignment: organization-defined mandatory access policy] over the set of covered subjects and objects specified in the policy, and where the policy: (b) Specifies that a subject that has been granted access to 
information is constrained from doing any of the following; (3) Changing one or more security attributes (specified by the policy) on subjects, objects, the system, or system components.", + "Attributes": [ + { + "ItemId": "ac_3_3_b_3", + "Section": "Access Control (AC)", + "SubSection": "Access Enforcement (AC-3)", + "SubGroup": "AC-3(3) Mandatory Access Control", + "Service": "aws" + } + ], + "Checks": [ + "ec2_instance_imdsv2_enabled", + "iam_password_policy_minimum_length_14", + "iam_policy_attached_only_to_group_or_roles", + "iam_policy_no_administrative_privileges", + "iam_root_hardware_mfa_enabled", + "iam_root_mfa_enabled", + "iam_no_root_access_key", + "iam_rotate_access_key_90_days", + "iam_user_mfa_enabled_console_access", + "iam_user_mfa_enabled_console_access", + "iam_disable_90_days_credentials", + "secretsmanager_automatic_rotation_enabled" + ] + }, + { + "Id": "ac_3_3_b_4", + "Name": "AC-3(3)(b)(4)", + "Description": "Enforce [Assignment: organization-defined mandatory access policy] over the set of covered subjects and objects specified in the policy, and where the policy: (b) Specifies that a subject that has been granted access to information is constrained from doing any of the following; (4) Choosing the security attributes and attribute values (specified by the policy) to be associated with newly created or modified objects.", + "Attributes": [ + { + "ItemId": "ac_3_3_b_4", + "Section": "Access Control (AC)", + "SubSection": "Access Enforcement (AC-3)", + "SubGroup": "AC-3(3) Mandatory Access Control", + "Service": "aws" + } + ], + "Checks": [ + "ec2_instance_imdsv2_enabled", + "iam_password_policy_minimum_length_14", + "iam_policy_attached_only_to_group_or_roles", + "iam_policy_no_administrative_privileges", + "iam_root_hardware_mfa_enabled", + "iam_root_mfa_enabled", + "iam_no_root_access_key", + "iam_rotate_access_key_90_days", + "iam_user_mfa_enabled_console_access", + "iam_user_mfa_enabled_console_access", + 
"iam_disable_90_days_credentials", + "secretsmanager_automatic_rotation_enabled" + ] + }, + { + "Id": "ac_3_3_b_5", + "Name": "AC-3(3)(b)(5)", + "Description": "Enforce [Assignment: organization-defined mandatory access policy] over the set of covered subjects and objects specified in the policy, and where the policy: (b) Specifies that a subject that has been granted access to information is constrained from doing any of the following; (5) Changing the rules governing access.", + "Attributes": [ + { + "ItemId": "ac_3_3_b_5", + "Section": "Access Control (AC)", + "SubSection": "Access Enforcement (AC-3)", + "SubGroup": "AC-3(3) Mandatory Access Control", + "Service": "aws" + } + ], + "Checks": [ + "ec2_instance_imdsv2_enabled", + "iam_password_policy_minimum_length_14", + "iam_policy_attached_only_to_group_or_roles", + "iam_policy_no_administrative_privileges", + "iam_root_hardware_mfa_enabled", + "iam_root_mfa_enabled", + "iam_no_root_access_key", + "iam_rotate_access_key_90_days", + "iam_user_mfa_enabled_console_access", + "iam_user_mfa_enabled_console_access", + "iam_disable_90_days_credentials", + "secretsmanager_automatic_rotation_enabled" + ] + }, + { + "Id": "ac_3_3_c", + "Name": "AC-3(3)(c)", + "Description": "Enforce [Assignment: organization-defined mandatory access policy] over the set of covered subjects and objects specified in the policy, and where the policy: (c) Specifies that [Assignment: organization-defined subjects] may explicitly be granted [Assignment: organization-defined privileges] such that they are not limited by any defined subset (or all) of the above constraints.", + "Attributes": [ + { + "ItemId": "ac_3_3_c", + "Section": "Access Control (AC)", + "SubSection": "Access Enforcement (AC-3)", + "SubGroup": "AC-3(3) Mandatory Access Control", + "Service": "aws" + } + ], + "Checks": [ + "ec2_instance_imdsv2_enabled", + "iam_password_policy_minimum_length_14", + "iam_policy_attached_only_to_group_or_roles", + 
"iam_policy_no_administrative_privileges", + "iam_root_hardware_mfa_enabled", + "iam_root_mfa_enabled", + "iam_no_root_access_key", + "iam_rotate_access_key_90_days", + "iam_user_mfa_enabled_console_access", + "iam_user_mfa_enabled_console_access", + "iam_disable_90_days_credentials", + "secretsmanager_automatic_rotation_enabled" + ] + }, + { + "Id": "ac_3_4", + "Name": "AC-3(4) Discretionary Access Control", + "Description": "Enforce [Assignment: organization-defined discretionary access control policy] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: (a) Pass the information to any other subjects or objects; (b) Grant its privileges to other subjects; (c) Change security attributes on subjects, objects, the system, or the system’s components; (d) Choose the security attributes to be associated with newly created or revised objects; or (e) Change the rules governing access control.", + "Attributes": [ + { + "ItemId": "ac_3_4", + "Section": "Access Control (AC)", + "SubSection": "Access Enforcement (AC-3)", + "Service": "aws" + } + ], + "Checks": [ + "ec2_instance_imdsv2_enabled", + "iam_password_policy_minimum_length_14", + "iam_policy_attached_only_to_group_or_roles", + "iam_policy_no_administrative_privileges", + "iam_root_hardware_mfa_enabled", + "iam_root_mfa_enabled", + "iam_no_root_access_key", + "iam_rotate_access_key_90_days", + "iam_user_mfa_enabled_console_access", + "iam_user_mfa_enabled_console_access", + "iam_disable_90_days_credentials", + "secretsmanager_automatic_rotation_enabled" + ] + }, + { + "Id": "ac_3_4_a", + "Name": "AC-3(4)(a)", + "Description": "Enforce [Assignment: organization-defined discretionary access policy] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of 
the following: (a) Pass the information to any other subjects or objects.", + "Attributes": [ + { + "ItemId": "ac_3_4_a", + "Section": "Access Control (AC)", + "SubSection": "Access Enforcement (AC-3)", + "SubGroup": "AC-3(4) Discretionary Access Control", + "Service": "aws" + } + ], + "Checks": [ + "ec2_instance_imdsv2_enabled", + "iam_password_policy_minimum_length_14", + "iam_policy_attached_only_to_group_or_roles", + "iam_policy_no_administrative_privileges", + "iam_root_hardware_mfa_enabled", + "iam_root_mfa_enabled", + "iam_no_root_access_key", + "iam_rotate_access_key_90_days", + "iam_user_mfa_enabled_console_access", + "iam_user_mfa_enabled_console_access", + "iam_disable_90_days_credentials", + "secretsmanager_automatic_rotation_enabled" + ] + }, + { + "Id": "ac_3_4_b", + "Name": "AC-3(4)(b)", + "Description": "Enforce [Assignment: organization-defined discretionary access policy] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: (b) Grant its privileges to other subjects.", + "Attributes": [ + { + "ItemId": "ac_3_4_b", + "Section": "Access Control (AC)", + "SubSection": "Access Enforcement (AC-3)", + "SubGroup": "AC-3(4) Discretionary Access Control", + "Service": "aws" + } + ], + "Checks": [ + "secretsmanager_automatic_rotation_enabled", + "iam_disable_90_days_credentials", + "iam_user_mfa_enabled_console_access", + "iam_user_mfa_enabled_console_access", + "iam_rotate_access_key_90_days", + "iam_no_root_access_key", + "iam_root_mfa_enabled", + "iam_root_hardware_mfa_enabled", + "iam_policy_no_administrative_privileges", + "iam_policy_attached_only_to_group_or_roles", + "iam_password_policy_minimum_length_14", + "ec2_instance_imdsv2_enabled" + ] + }, + { + "Id": "ac_3_4_c", + "Name": "AC-3(4)(c)", + "Description": "Enforce [Assignment: organization-defined discretionary access policy] over the set of covered 
subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: (c) Change security attributes on subjects, objects, the system, or the system’s components.", + "Attributes": [ + { + "ItemId": "ac_3_4_c", + "Section": "Access Control (AC)", + "SubSection": "Access Enforcement (AC-3)", + "SubGroup": "AC-3(4) Discretionary Access Control", + "Service": "aws" + } + ], + "Checks": [ + "ec2_instance_imdsv2_enabled", + "iam_password_policy_minimum_length_14", + "iam_policy_attached_only_to_group_or_roles", + "iam_policy_no_administrative_privileges", + "iam_root_hardware_mfa_enabled", + "iam_root_mfa_enabled", + "iam_no_root_access_key", + "iam_rotate_access_key_90_days", + "iam_user_mfa_enabled_console_access", + "iam_user_mfa_enabled_console_access", + "iam_disable_90_days_credentials", + "secretsmanager_automatic_rotation_enabled" + ] + }, + { + "Id": "ac_3_4_d", + "Name": "AC-3(4)(d)", + "Description": "Enforce [Assignment: organization-defined discretionary access policy] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: (d) Choose the security attributes to be associated with newly created or revised objects.", + "Attributes": [ + { + "ItemId": "ac_3_4_d", + "Section": "Access Control (AC)", + "SubSection": "Access Enforcement (AC-3)", + "SubGroup": "AC-3(4) Discretionary Access Control", + "Service": "aws" + } + ], + "Checks": [ + "ec2_instance_imdsv2_enabled", + "iam_password_policy_minimum_length_14", + "iam_policy_attached_only_to_group_or_roles", + "iam_policy_no_administrative_privileges", + "iam_root_hardware_mfa_enabled", + "iam_root_mfa_enabled", + "iam_no_root_access_key", + "iam_rotate_access_key_90_days", + "iam_user_mfa_enabled_console_access", + "iam_user_mfa_enabled_console_access", + 
"iam_disable_90_days_credentials", + "secretsmanager_automatic_rotation_enabled" + ] + }, + { + "Id": "ac_3_4_e", + "Name": "AC-3(4)(e)", + "Description": "Enforce [Assignment: organization-defined discretionary access policy] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: (e) Change the rules governing access.", + "Attributes": [ + { + "ItemId": "ac_3_4_e", + "Section": "Access Control (AC)", + "SubSection": "Access Enforcement (AC-3)", + "SubGroup": "AC-3(4) Discretionary Access Control", + "Service": "aws" + } + ], + "Checks": [ + "ec2_instance_imdsv2_enabled", + "iam_password_policy_minimum_length_14", + "iam_policy_attached_only_to_group_or_roles", + "iam_policy_no_administrative_privileges", + "iam_root_hardware_mfa_enabled", + "iam_root_mfa_enabled", + "iam_no_root_access_key", + "iam_rotate_access_key_90_days", + "iam_user_mfa_enabled_console_access", + "iam_user_mfa_enabled_console_access", + "iam_disable_90_days_credentials", + "secretsmanager_automatic_rotation_enabled" + ] + }, + { + "Id": "ac_3_7", + "Name": "AC-3(7) Role-Based Access Control", + "Description": "Enforce a role-based access control policy over defined subjects and objects and control access based upon [Assignment: organization-defined roles and users authorized to assume such roles].", + "Attributes": [ + { + "ItemId": "ac_3_7", + "Section": "Access Control (AC)", + "SubSection": "Access Enforcement (AC-3)", + "Service": "aws" + } + ], + "Checks": [ + "s3_bucket_public_access", + "ec2_ebs_public_snapshot", + "ec2_instance_public_ip", + "ec2_instance_imdsv2_enabled", + "emr_cluster_master_nodes_no_public_ip", + "iam_policy_attached_only_to_group_or_roles", + "iam_policy_no_administrative_privileges", + "iam_no_root_access_key", + "iam_disable_90_days_credentials", + "awslambda_function_not_publicly_accessible", + 
"awslambda_function_url_public", + "rds_instance_no_public_access", + "rds_snapshots_public_access", + "redshift_cluster_public_access", + "s3_bucket_policy_public_write_access", + "s3_account_level_public_access_blocks", + "s3_bucket_public_access", + "sagemaker_notebook_instance_without_direct_internet_access_configured" + ] + }, + { + "Id": "ac_3_8", + "Name": "AC-3(8) Revocation Of Access Authorizations", + "Description": "Enforce the revocation of access authorizations resulting from changes to the security attributes of subjects and objects based on [Assignment: organization-defined rules governing the timing of revocations of access authorizations].", + "Attributes": [ + { + "ItemId": "ac_3_8", + "Section": "Access Control (AC)", + "SubSection": "Access Enforcement (AC-3)", + "Service": "aws" + } + ], + "Checks": [ + "ec2_instance_imdsv2_enabled", + "iam_password_policy_minimum_length_14", + "iam_policy_attached_only_to_group_or_roles", + "iam_policy_no_administrative_privileges", + "iam_root_hardware_mfa_enabled", + "iam_root_mfa_enabled", + "iam_no_root_access_key", + "iam_rotate_access_key_90_days", + "iam_user_mfa_enabled_console_access", + "iam_user_mfa_enabled_console_access", + "iam_disable_90_days_credentials", + "secretsmanager_automatic_rotation_enabled" + ] + }, + { + "Id": "ac_3_10", + "Name": "AC-3(10) Audited Override Of Access Control Mechanisms", + "Description": "Employ an audited override of automated access mechanisms under [Assignment: organization-defined conditions] by [Assignment: organization-defined roles].", + "Attributes": [ + { + "ItemId": "ac_3_10", + "Section": "Access Control (AC)", + "SubSection": "Access Enforcement (AC-3)", + "Service": "aws" + } + ], + "Checks": [ + "cloudtrail_multi_region_enabled", + "cloudtrail_s3_dataevents_read_enabled", + "cloudtrail_s3_dataevents_write_enabled", + "cloudtrail_multi_region_enabled", + "cloudtrail_cloudwatch_logging_enabled", + "rds_instance_integration_cloudwatch_logs", + 
"redshift_cluster_audit_logging", + "s3_bucket_server_access_logging_enabled" + ] + }, + { + "Id": "ac_3_12_a", + "Name": "AC-3(12)(a)", + "Description": "Require applications to assert, as part of the installation process, the access needed to the following system applications and functions: [Assignment: organization-defined system applications and functions].", + "Attributes": [ + { + "ItemId": "ac_3_12_a", + "Section": "Access Control (AC)", + "SubSection": "Access Enforcement (AC-3)", + "SubGroup": "AC-3(12) Assert And Enforce Application Access", + "Service": "aws" + } + ], + "Checks": [ + "ec2_instance_imdsv2_enabled", + "iam_password_policy_minimum_length_14", + "iam_policy_attached_only_to_group_or_roles", + "iam_policy_no_administrative_privileges", + "iam_root_hardware_mfa_enabled", + "iam_root_mfa_enabled", + "iam_no_root_access_key", + "iam_rotate_access_key_90_days", + "iam_user_mfa_enabled_console_access", + "iam_user_mfa_enabled_console_access", + "iam_disable_90_days_credentials", + "secretsmanager_automatic_rotation_enabled" + ] + }, + { + "Id": "ac_3_12_b", + "Name": "AC-3(12)(b)", + "Description": "Provide an enforcement mechanism to prevent unauthorized access;", + "Attributes": [ + { + "ItemId": "ac_3_12_b", + "Section": "Access Control (AC)", + "SubSection": "Access Enforcement (AC-3)", + "SubGroup": "AC-3(12) Assert And Enforce Application Access", + "Service": "guarduty" + } + ], + "Checks": [ + "guardduty_is_enabled" + ] + }, + { + "Id": "ac_3_13", + "Name": "AC-3(13) Attribute-Based Access Control", + "Description": "Enforce attribute-based access control policy over defined subjects and objects and control access based upon [Assignment: organization-defined attributes to assume access permissions].", + "Attributes": [ + { + "ItemId": "ac_3_13", + "Section": "Access Control (AC)", + "SubSection": "Access Enforcement (AC-3)", + "Service": "guarduty" + } + ], + "Checks": [ + "ec2_instance_imdsv2_enabled", + 
"iam_password_policy_minimum_length_14", + "iam_policy_attached_only_to_group_or_roles", + "iam_policy_no_administrative_privileges", + "iam_root_hardware_mfa_enabled", + "iam_root_mfa_enabled", + "iam_no_root_access_key", + "iam_rotate_access_key_90_days", + "iam_user_mfa_enabled_console_access", + "iam_user_mfa_enabled_console_access", + "iam_disable_90_days_credentials", + "secretsmanager_automatic_rotation_enabled" + ] + }, + { + "Id": "ac_3_15_a", + "Name": "AC-3(15)(a)", + "Description": "Enforce [Assignment: organization-defined mandatory access control policy] over the set of covered subjects and objects specified in the policy.", + "Attributes": [ + { + "ItemId": "ac_3_15_a", + "Section": "Access Control (AC)", + "SubSection": "Access Enforcement (AC-3)", + "SubGroup": "AC-3(15) Discretionary And Mandatory Access Control", + "Service": "guarduty" + } + ], + "Checks": [ + "ec2_instance_imdsv2_enabled", + "iam_password_policy_minimum_length_14", + "iam_policy_attached_only_to_group_or_roles", + "iam_policy_no_administrative_privileges", + "iam_root_hardware_mfa_enabled", + "iam_root_mfa_enabled", + "iam_no_root_access_key", + "iam_rotate_access_key_90_days", + "iam_user_mfa_enabled_console_access", + "iam_user_mfa_enabled_console_access", + "iam_disable_90_days_credentials", + "secretsmanager_automatic_rotation_enabled" + ] + }, + { + "Id": "ac_3_15_b", + "Name": "AC-3(15)(b)", + "Description": "Enforce [Assignment: organization-defined discretionary access control policy] over the set of covered subjects and objects specified in the policy.", + "Attributes": [ + { + "ItemId": "ac_3_15_b", + "Section": "Access Control (AC)", + "SubSection": "Access Enforcement (AC-3)", + "SubGroup": "AC-3(15) Discretionary And Mandatory Access Control", + "Service": "guarduty" + } + ], + "Checks": [ + "ec2_instance_imdsv2_enabled", + "iam_password_policy_minimum_length_14", + "iam_policy_attached_only_to_group_or_roles", + "iam_policy_no_administrative_privileges", + 
"iam_root_hardware_mfa_enabled", + "iam_root_mfa_enabled", + "iam_no_root_access_key", + "iam_rotate_access_key_90_days", + "iam_user_mfa_enabled_console_access", + "iam_user_mfa_enabled_console_access", + "iam_disable_90_days_credentials", + "secretsmanager_automatic_rotation_enabled" + ] + }, + { + "Id": "ac_4", + "Name": "Information Flow Enforcement (AC-4)", + "Description": "Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on [Assignment: organization-defined information flow control policies].", + "Attributes": [ + { + "ItemId": "ac_4", + "Section": "Access Control (AC)", + "Service": "aws" + } + ], + "Checks": [ + "apigateway_client_certificate_enabled", + "elb_ssl_listeners", + "opensearch_service_domains_node_to_node_encryption_enabled", + "s3_bucket_secure_transport_policy" + ] + }, + { + "Id": "ac_4_21", + "Name": "AC-4(21) Physical Or Logical Separation Of Infomation Flows", + "Description": "Separate information flows logically or physically using [Assignment: organization-defined mechanisms and/or techniques] to accomplish [Assignment: organization-defined required separations by types of information].", + "Attributes": [ + { + "ItemId": "ac_4_21", + "Section": "Access Control (AC)", + "SubSection": "Information Flow Enforcement (AC-4)", + "Service": "aws" + } + ], + "Checks": [ + "apigateway_waf_acl_attached", + "ec2_ebs_public_snapshot", + "ec2_instance_public_ip", + "elbv2_waf_acl_attached", + "emr_cluster_master_nodes_no_public_ip", + "awslambda_function_not_publicly_accessible", + "awslambda_function_url_public", + "rds_instance_no_public_access", + "rds_snapshots_public_access", + "redshift_cluster_public_access", + "s3_bucket_public_access", + "s3_bucket_policy_public_write_access", + "s3_account_level_public_access_blocks", + "s3_bucket_public_access", + "sagemaker_notebook_instance_without_direct_internet_access_configured", + 
"ec2_securitygroup_default_restrict_traffic", + "ec2_networkacl_allow_ingress_any_port", + "ec2_networkacl_allow_ingress_any_port" + ] + }, + { + "Id": "ac_4_22", + "Name": "AC-4(22) Access Only", + "Description": "Provide access from a single device to computing platforms, applications, or data residing in multiple different security domains, while preventing information flow between the different security domains.", + "Attributes": [ + { + "ItemId": "ac_4_22", + "Section": "Access Control (AC)", + "SubSection": "Information Flow Enforcement (AC-4)", + "Service": "aws" + } + ], + "Checks": [ + "apigateway_client_certificate_enabled", + "elb_ssl_listeners", + "opensearch_service_domains_node_to_node_encryption_enabled", + "s3_bucket_secure_transport_policy" + ] + }, + { + "Id": "ac_4_26", + "Name": "AC-4(26) Audit Filtering Actions", + "Description": "When transferring information between different security domains, record and audit content filtering actions and results for the information being filtered.", + "Attributes": [ + { + "ItemId": "ac_4_26", + "Section": "Access Control (AC)", + "SubSection": "Information Flow Enforcement (AC-4)", + "Service": "aws" + } + ], + "Checks": [ + "apigateway_logging_enabled", + "cloudtrail_multi_region_enabled", + "cloudtrail_s3_dataevents_read_enabled", + "cloudtrail_s3_dataevents_write_enabled", + "cloudtrail_multi_region_enabled", + "cloudtrail_cloudwatch_logging_enabled", + "elbv2_logging_enabled", + "elb_logging_enabled", + "rds_instance_integration_cloudwatch_logs", + "redshift_cluster_audit_logging", + "s3_bucket_server_access_logging_enabled", + "vpc_flow_logs_enabled" + ] + }, + { + "Id": "ac_4_28", + "Name": "AC-4(28) Linear Filter Pipelines", + "Description": "When transferring information between different security domains, implement a linear content filter pipeline that is enforced with discretionary and mandatory access controls.", + "Attributes": [ + { + "ItemId": "ac_4_28", + "Section": "Access Control (AC)", + 
"SubSection": "Information Flow Enforcement (AC-4)", + "Service": "aws" + } + ], + "Checks": [ + "ec2_instance_imdsv2_enabled", + "iam_password_policy_minimum_length_14", + "iam_policy_attached_only_to_group_or_roles", + "iam_policy_no_administrative_privileges", + "iam_root_hardware_mfa_enabled", + "iam_root_mfa_enabled", + "iam_no_root_access_key", + "iam_rotate_access_key_90_days", + "iam_user_mfa_enabled_console_access", + "iam_user_mfa_enabled_console_access", + "iam_disable_90_days_credentials", + "secretsmanager_automatic_rotation_enabled" + ] + }, + { + "Id": "ac_5_b", + "Name": "AC-5(b)", + "Description": "Define system access authorizations to support separation of duties.", + "Attributes": [ + { + "ItemId": "ac_5_b", + "Section": "Access Control (AC)", + "SubSection": "Separation Of Duties (AC-5)", + "Service": "aws" + } + ], + "Checks": [ + "iam_policy_no_administrative_privileges", + "iam_policy_no_administrative_privileges" + ] + }, + { + "Id": "ac_6", + "Name": "Least Privilege (AC-6)", + "Description": "Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.", + "Attributes": [ + { + "ItemId": "ac_6", + "Section": "Access Control (AC)", + "Service": "aws" + } + ], + "Checks": [ + "ec2_ebs_public_snapshot", + "ec2_instance_public_ip", + "ec2_instance_imdsv2_enabled", + "emr_cluster_master_nodes_no_public_ip", + "iam_policy_attached_only_to_group_or_roles", + "iam_policy_no_administrative_privileges", + "iam_no_root_access_key", + "iam_disable_90_days_credentials", + "awslambda_function_not_publicly_accessible", + "awslambda_function_url_public", + "rds_instance_no_public_access", + "rds_snapshots_public_access", + "redshift_cluster_public_access", + "s3_bucket_public_access", + "s3_bucket_policy_public_write_access", + "s3_account_level_public_access_blocks", + "s3_bucket_public_access", + 
"sagemaker_notebook_instance_without_direct_internet_access_configured" + ] + }, + { + "Id": "ac_6_2", + "Name": "AC-6(2)", + "Description": "Require that users of system accounts (or roles) with access to [Assignment: organization-defined security functions or security-relevant information] use non-privileged accounts or roles, when accessing nonsecurity functions.", + "Attributes": [ + { + "ItemId": "ac_6_2", + "Section": "Access Control (AC)", + "SubSection": "Least Privilege (AC-6)", + "Service": "iam" + } + ], + "Checks": [ + "iam_policy_no_administrative_privileges", + "iam_policy_no_administrative_privileges", + "iam_no_root_access_key" + ] + }, + { + "Id": "ac_6_3", + "Name": "AC-6(3)", + "Description": "Authorize network access to [Assignment: organization-defined privileged commands] only for [Assignment: organization-defined compelling operational needs] and document the rationale for such access in the security plan for the system.", + "Attributes": [ + { + "ItemId": "ac_6_3", + "Section": "Access Control (AC)", + "SubSection": "Least Privilege (AC-6)", + "Service": "iam" + } + ], + "Checks": [ + "iam_policy_attached_only_to_group_or_roles", + "iam_policy_no_administrative_privileges" + ] + }, + { + "Id": "ac_6_9", + "Name": "AC-6(9)", + "Description": "Log the execution of privileged functions.", + "Attributes": [ + { + "ItemId": "ac_6_9", + "Section": "Access Control (AC)", + "SubSection": "Least Privilege (AC-6)", + "Service": "aws" + } + ], + "Checks": [ + "cloudtrail_multi_region_enabled", + "cloudtrail_s3_dataevents_read_enabled", + "cloudtrail_s3_dataevents_write_enabled", + "cloudtrail_multi_region_enabled", + "cloudtrail_cloudwatch_logging_enabled", + "rds_instance_integration_cloudwatch_logs", + "redshift_cluster_audit_logging", + "s3_bucket_server_access_logging_enabled" + ] + }, + { + "Id": "ac_6_10", + "Name": "AC-6(10)", + "Description": "Prevent non-privileged users from executing privileged functions.", + "Attributes": [ + { + "ItemId": 
"ac_6_10", + "Section": "Access Control (AC)", + "SubSection": "Least Privilege (AC-6)", + "Service": "iam" + } + ], + "Checks": [ + "iam_policy_no_administrative_privileges", + "iam_policy_no_administrative_privileges", + "iam_no_root_access_key" + ] + }, + { + "Id": "ac_7_4", + "Name": "AC-7(4) Use Of Alternate Authentication Factor", + "Description": "Prevent non-privileged users from executing privileged functions.", + "Attributes": [ + { + "ItemId": "ac_7_4", + "Section": "Access Control (AC)", + "SubSection": "Unsuccessful Logon Attempts (AC-7)", + "Service": "iam" + } + ], + "Checks": [ + "iam_password_policy_minimum_length_14", + "iam_root_hardware_mfa_enabled", + "iam_root_mfa_enabled", + "iam_user_mfa_enabled_console_access", + "iam_user_mfa_enabled_console_access" + ] + }, + { + "Id": "ac_7_4_a", + "Name": "AC-7(4)(a)", + "Description": "Allow the use of [Assignment: organization-defined authentication factors] that are different from the primary authentication factors after the number of organization-defined consecutive invalid logon attempts have been exceeded.", + "Attributes": [ + { + "ItemId": "ac_7_4_a", + "Section": "Access Control (AC)", + "SubSection": "Unsuccessful Logon Attempts (AC-7)", + "SubGroup": "AC-7(4) Use Of Alternate Authentication Factor", + "Service": "iam" + } + ], + "Checks": [ + "iam_password_policy_minimum_length_14", + "iam_root_hardware_mfa_enabled", + "iam_root_mfa_enabled", + "iam_user_mfa_enabled_console_access", + "iam_user_mfa_enabled_console_access" + ] + }, + { + "Id": "ac_16_b", + "Name": "AC-16(b)", + "Description": "Ensure that the attribute associations are made and retained with the information.", + "Attributes": [ + { + "ItemId": "ac_16_b", + "Section": "Access Control (AC)", + "SubSection": "Security And Privacy Attributes (AC-16)", + "Service": "cloudwatch" + } + ], + "Checks": [ + "cloudwatch_log_group_retention_policy_specific_days_enabled" + ] + }, + { + "Id": "ac_17_b", + "Name": "AC-17(b)", + 
"Description": "Authorize each type of remote access to the system prior to allowing such connections.", + "Attributes": [ + { + "ItemId": "ac_17_b", + "Section": "Access Control (AC)", + "SubSection": "Remote Access (AC-17)", + "Service": "aws" + } + ], + "Checks": [ + "ec2_ebs_public_snapshot", + "ec2_instance_public_ip", + "emr_cluster_master_nodes_no_public_ip", + "awslambda_function_not_publicly_accessible", + "awslambda_function_url_public", + "rds_instance_no_public_access", + "rds_snapshots_public_access", + "redshift_cluster_public_access", + "s3_bucket_public_access", + "s3_bucket_policy_public_write_access", + "s3_account_level_public_access_blocks", + "s3_bucket_public_access", + "sagemaker_notebook_instance_without_direct_internet_access_configured", + "ec2_securitygroup_default_restrict_traffic", + "ec2_networkacl_allow_ingress_any_port", + "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22", + "ec2_networkacl_allow_ingress_any_port" + ] + }, + { + "Id": "ac_17_1", + "Name": "AC-17(1) Monitoring And Control", + "Description": "Employ automated mechanisms to monitor and control remote access methods.", + "Attributes": [ + { + "ItemId": "ac_17_1", + "Section": "Access Control (AC)", + "SubSection": "Remote Access (AC-17)", + "Service": "aws" + } + ], + "Checks": [ + "ec2_ebs_public_snapshot", + "ec2_instance_public_ip", + "emr_cluster_master_nodes_no_public_ip", + "awslambda_function_not_publicly_accessible", + "awslambda_function_url_public", + "rds_instance_no_public_access", + "rds_snapshots_public_access", + "redshift_cluster_public_access", + "s3_bucket_public_access", + "s3_bucket_policy_public_write_access", + "s3_account_level_public_access_blocks", + "s3_bucket_public_access", + "sagemaker_notebook_instance_without_direct_internet_access_configured", + "ec2_securitygroup_default_restrict_traffic", + "ec2_networkacl_allow_ingress_any_port", + "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22", + 
"ec2_networkacl_allow_ingress_any_port" + ] + }, + { + "Id": "ac_17_2", + "Name": "AC-17(2) Protection Of Confidentiality And Integrity Using Encryption", + "Description": "Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.", + "Attributes": [ + { + "ItemId": "ac_17_2", + "Section": "Access Control (AC)", + "SubSection": "Remote Access (AC-17)", + "Service": "aws" + } + ], + "Checks": [ + "apigateway_client_certificate_enabled", + "elb_ssl_listeners", + "s3_bucket_secure_transport_policy" + ] + }, + { + "Id": "ac_17_4_a", + "Name": "AC-17(4)(a)", + "Description": "Authorize the execution of privileged commands and access to security-relevant information via remote access only in a format that provides assessable evidence and for the following needs: [Assignment: organization-defined needs];", + "Attributes": [ + { + "ItemId": "ac_17_4_a", + "Section": "Access Control (AC)", + "SubSection": "Remote Access (AC-17)", + "SubGroup": "AC-17(4) Privileged Commands And Access", + "Service": "aws" + } + ], + "Checks": [ + "ec2_ebs_public_snapshot", + "ec2_instance_public_ip", + "emr_cluster_master_nodes_no_public_ip", + "awslambda_function_not_publicly_accessible", + "awslambda_function_url_public", + "rds_instance_no_public_access", + "rds_snapshots_public_access", + "redshift_cluster_public_access", + "s3_bucket_public_access", + "s3_bucket_policy_public_write_access", + "s3_account_level_public_access_blocks", + "s3_bucket_public_access", + "sagemaker_notebook_instance_without_direct_internet_access_configured", + "ec2_securitygroup_default_restrict_traffic", + "ec2_networkacl_allow_ingress_any_port", + "ec2_networkacl_allow_ingress_any_port" + ] + }, + { + "Id": "ac_17_9", + "Name": "AC-17(9) Disconnect Or Disable Access", + "Description": "Provide the capability to disconnect or disable remote access to the system within [Assignment: organization-defined time period].", + "Attributes": [ + { + "ItemId": "ac_17_9", 
+ "Section": "Access Control (AC)", + "SubSection": "Remote Access (AC-17)", + "Service": "aws" + } + ], + "Checks": [ + "ec2_ebs_public_snapshot", + "ec2_instance_public_ip", + "emr_cluster_master_nodes_no_public_ip", + "awslambda_function_not_publicly_accessible", + "awslambda_function_url_public", + "rds_instance_no_public_access", + "rds_snapshots_public_access", + "redshift_cluster_public_access", + "s3_bucket_public_access", + "s3_bucket_policy_public_write_access", + "s3_account_level_public_access_blocks", + "s3_bucket_public_access", + "sagemaker_notebook_instance_without_direct_internet_access_configured", + "ec2_securitygroup_default_restrict_traffic", + "ec2_networkacl_allow_ingress_any_port", + "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22", + "ec2_networkacl_allow_ingress_any_port" + ] + }, + { + "Id": "ac_17_10", + "Name": "AC-17(10) Authenticate Remote Commands", + "Description": "Provide the capability to disconnect or disable remote access to the system within [Assignment: organization-defined time period].", + "Attributes": [ + { + "ItemId": "ac_17_10", + "Section": "Access Control (AC)", + "SubSection": "Remote Access (AC-17)", + "Service": "aws" + } + ], + "Checks": [ + "ec2_ebs_public_snapshot", + "ec2_instance_public_ip", + "emr_cluster_master_nodes_no_public_ip", + "awslambda_function_not_publicly_accessible", + "awslambda_function_url_public", + "rds_instance_no_public_access", + "rds_snapshots_public_access", + "redshift_cluster_public_access", + "s3_bucket_public_access", + "s3_bucket_policy_public_write_access", + "s3_account_level_public_access_blocks", + "s3_bucket_public_access", + "sagemaker_notebook_instance_without_direct_internet_access_configured", + "ec2_securitygroup_default_restrict_traffic", + "ec2_networkacl_allow_ingress_any_port", + "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22", + "ec2_networkacl_allow_ingress_any_port" + ] + }, + { + "Id": "ac_24", + "Name": "Access Control Decisions 
(AC-24)", + "Description": "[Selection: Establish procedures; Implement mechanisms] to ensure [Assignment: organization-defined access control decisions] are applied to each access request prior to access enforcement.", + "Attributes": [ + { + "ItemId": "ac_24", + "Section": "Access Control (AC)", + "Service": "aws" + } + ], + "Checks": [ + "ec2_instance_imdsv2_enabled", + "iam_password_policy_minimum_length_14", + "iam_policy_attached_only_to_group_or_roles", + "iam_policy_no_administrative_privileges", + "iam_root_hardware_mfa_enabled", + "iam_root_mfa_enabled", + "iam_no_root_access_key", + "iam_rotate_access_key_90_days", + "iam_user_mfa_enabled_console_access", + "iam_user_mfa_enabled_console_access", + "iam_disable_90_days_credentials", + "secretsmanager_automatic_rotation_enabled" + ] + }, + { + "Id": "ac_24_1", + "Name": "AC-24(1)", + "Description": "Transmit [Assignment: organization-defined access authorization information] using [Assignment: organization-defined controls] to [Assignment: organization-defined systems] that enforce access control decisions.", + "Attributes": [ + { + "ItemId": "ac_24_1", + "Section": "Access Control (AC)", + "SubSection": "Access Control Decisions (AC-24)", + "Service": "aws" + } + ], + "Checks": [ + "apigateway_client_certificate_enabled", + "elb_ssl_listeners", + "opensearch_service_domains_node_to_node_encryption_enabled", + "s3_bucket_secure_transport_policy" + ] + }, + { + "Id": "au_2_b", + "Name": "AU-2(b)", + "Description": "Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged.", + "Attributes": [ + { + "ItemId": "au_2_b", + "Section": "Audit and Accountability (AU)", + "SubSection": "Event Logging (AU-2)", + "Service": "aws" + } + ], + "Checks": [ + "apigateway_logging_enabled", + "cloudtrail_multi_region_enabled", + "cloudtrail_s3_dataevents_read_enabled", + 
"cloudtrail_s3_dataevents_write_enabled", + "cloudtrail_multi_region_enabled", + "cloudtrail_cloudwatch_logging_enabled", + "elbv2_logging_enabled", + "elb_logging_enabled", + "rds_instance_integration_cloudwatch_logs", + "redshift_cluster_audit_logging", + "s3_bucket_server_access_logging_enabled", + "vpc_flow_logs_enabled" + ] + }, + { + "Id": "au_3_1", + "Name": "AU-3(1) Additional Audit Information", + "Description": "Generate audit records containing the following additional information: [Assignment: organization-defined additional information].", + "Attributes": [ + { + "ItemId": "au_3_1", + "Section": "Audit and Accountability (AU)", + "SubSection": "Content of Audit Records (AU-3)", + "Service": "aws" + } + ], + "Checks": [ + "cloudtrail_multi_region_enabled", + "guardduty_is_enabled" + ] + }, + { + "Id": "au_3_a", + "Name": "AU-3(a)", + "Description": "Ensure that audit records contain information that establishes the following: a. What type of event occurred.", + "Attributes": [ + { + "ItemId": "au_3_a", + "Section": "Audit and Accountability (AU)", + "SubSection": "Content of Audit Records (AU-3)", + "Service": "aws" + } + ], + "Checks": [ + "apigateway_logging_enabled", + "cloudtrail_multi_region_enabled", + "cloudtrail_s3_dataevents_read_enabled", + "cloudtrail_s3_dataevents_write_enabled", + "cloudtrail_multi_region_enabled", + "cloudtrail_cloudwatch_logging_enabled", + "elbv2_logging_enabled", + "elb_logging_enabled", + "rds_instance_integration_cloudwatch_logs", + "redshift_cluster_audit_logging", + "s3_bucket_server_access_logging_enabled", + "vpc_flow_logs_enabled" + ] + }, + { + "Id": "au_3_b", + "Name": "AU-3(b)", + "Description": "Ensure that audit records contain information that establishes the following: b. 
When the event occurred.", + "Attributes": [ + { + "ItemId": "au_3_b", + "Section": "Audit and Accountability (AU)", + "SubSection": "Content of Audit Records (AU-3)", + "Service": "aws" + } + ], + "Checks": [ + "apigateway_logging_enabled", + "cloudtrail_multi_region_enabled", + "cloudtrail_s3_dataevents_read_enabled", + "cloudtrail_s3_dataevents_write_enabled", + "cloudtrail_multi_region_enabled", + "cloudtrail_cloudwatch_logging_enabled", + "elbv2_logging_enabled", + "elb_logging_enabled", + "rds_instance_integration_cloudwatch_logs", + "redshift_cluster_audit_logging", + "s3_bucket_server_access_logging_enabled", + "vpc_flow_logs_enabled" + ] + }, + { + "Id": "au_3_c", + "Name": "AU-3(c)", + "Description": "Ensure that audit records contain information that establishes the following: c. Where the event occurred.", + "Attributes": [ + { + "ItemId": "au_3_c", + "Section": "Audit and Accountability (AU)", + "SubSection": "Content of Audit Records (AU-3)", + "Service": "aws" + } + ], + "Checks": [ + "apigateway_logging_enabled", + "cloudtrail_multi_region_enabled", + "cloudtrail_s3_dataevents_read_enabled", + "cloudtrail_s3_dataevents_write_enabled", + "cloudtrail_multi_region_enabled", + "cloudtrail_cloudwatch_logging_enabled", + "elbv2_logging_enabled", + "elb_logging_enabled", + "rds_instance_integration_cloudwatch_logs", + "redshift_cluster_audit_logging", + "s3_bucket_server_access_logging_enabled", + "vpc_flow_logs_enabled" + ] + }, + { + "Id": "au_3_d", + "Name": "AU-3(d)", + "Description": "Ensure that audit records contain information that establishes the following: d. 
Source of the event.", + "Attributes": [ + { + "ItemId": "au_3_d", + "Section": "Audit and Accountability (AU)", + "SubSection": "Content of Audit Records (AU-3)", + "Service": "aws" + } + ], + "Checks": [ + "apigateway_logging_enabled", + "cloudtrail_multi_region_enabled", + "cloudtrail_s3_dataevents_read_enabled", + "cloudtrail_s3_dataevents_write_enabled", + "cloudtrail_multi_region_enabled", + "cloudtrail_cloudwatch_logging_enabled", + "elbv2_logging_enabled", + "elb_logging_enabled", + "rds_instance_integration_cloudwatch_logs", + "redshift_cluster_audit_logging", + "s3_bucket_server_access_logging_enabled", + "vpc_flow_logs_enabled" + ] + }, + { + "Id": "au_3_e", + "Name": "AU-3(e)", + "Description": "Ensure that audit records contain information that establishes the following: e. Outcome of the event.", + "Attributes": [ + { + "ItemId": "au_3_e", + "Section": "Audit and Accountability (AU)", + "SubSection": "Content of Audit Records (AU-3)", + "Service": "aws" + } + ], + "Checks": [ + "apigateway_logging_enabled", + "cloudtrail_multi_region_enabled", + "cloudtrail_s3_dataevents_read_enabled", + "cloudtrail_s3_dataevents_write_enabled", + "cloudtrail_multi_region_enabled", + "cloudtrail_cloudwatch_logging_enabled", + "elbv2_logging_enabled", + "elb_logging_enabled", + "rds_instance_integration_cloudwatch_logs", + "redshift_cluster_audit_logging", + "s3_bucket_server_access_logging_enabled", + "vpc_flow_logs_enabled" + ] + }, + { + "Id": "au_3_f", + "Name": "AU-3(f)", + "Description": "Ensure that audit records contain information that establishes the following: e. 
Outcome of the event.", + "Attributes": [ + { + "ItemId": "au_3_f", + "Section": "Audit and Accountability (AU)", + "SubSection": "Content of Audit Records (AU-3)", + "Service": "aws" + } + ], + "Checks": [ + "apigateway_logging_enabled", + "cloudtrail_multi_region_enabled", + "cloudtrail_s3_dataevents_read_enabled", + "cloudtrail_s3_dataevents_write_enabled", + "cloudtrail_multi_region_enabled", + "cloudtrail_cloudwatch_logging_enabled", + "elbv2_logging_enabled", + "elb_logging_enabled", + "rds_instance_integration_cloudwatch_logs", + "redshift_cluster_audit_logging", + "s3_bucket_server_access_logging_enabled" + ] + }, + { + "Id": "au_4_1", + "Name": "AU-4(1) Transfer To Alternate Storage", + "Description": "Transfer audit logs [Assignment: organization-defined frequency] to a different system, system component, or media other than the system or system component conducting the logging.", + "Attributes": [ + { + "ItemId": "au_4_1", + "Section": "Audit and Accountability (AU)", + "SubSection": "Audit Log Stprage Capacity (AU-4)", + "Service": "aws" + } + ], + "Checks": [ + "cloudtrail_cloudwatch_logging_enabled" + ] + }, + { + "Id": "au_6_1", + "Name": "AU-6(1) Automated Process Integration", + "Description": "Integrate audit record review, analysis, and reporting processes using [Assignment: organization-defined automated mechanisms].", + "Attributes": [ + { + "ItemId": "au_6_1", + "Section": "Audit and Accountability (AU)", + "SubSection": "Audit Record Review, Analysis And Reporting (AU-6)", + "Service": "aws" + } + ], + "Checks": [ + "cloudtrail_cloudwatch_logging_enabled", + "cloudwatch_changes_to_network_acls_alarm_configured", + "cloudwatch_changes_to_network_gateways_alarm_configured", + "cloudwatch_changes_to_network_route_tables_alarm_configured", + "cloudwatch_changes_to_vpcs_alarm_configured", + "guardduty_is_enabled", + "securityhub_enabled" + ] + }, + { + "Id": "au_6_3", + "Name": "AU-6(3) Correlate Audit Record Repositories", + "Description": 
"Analyze and correlate audit records across different repositories to gain organization-wide situational awareness.", + "Attributes": [ + { + "ItemId": "au_6_3", + "Section": "Audit and Accountability (AU)", + "SubSection": "Audit Record Review, Analysis And Reporting (AU-6)", + "Service": "aws" + } + ], + "Checks": [ + "apigateway_logging_enabled", + "cloudtrail_multi_region_enabled", + "cloudtrail_s3_dataevents_read_enabled", + "cloudtrail_s3_dataevents_write_enabled", + "cloudtrail_multi_region_enabled", + "cloudtrail_cloudwatch_logging_enabled", + "cloudwatch_log_group_retention_policy_specific_days_enabled", + "elbv2_logging_enabled", + "elb_logging_enabled", + "rds_instance_integration_cloudwatch_logs", + "redshift_cluster_audit_logging", + "s3_bucket_server_access_logging_enabled", + "vpc_flow_logs_enabled" + ] + }, + { + "Id": "au_6_4", + "Name": "AU-6(4) Central Review And Analysis", + "Description": "Provide and implement the capability to centrally review and analyze audit records from multiple components within the system.", + "Attributes": [ + { + "ItemId": "au_6_4", + "Section": "Audit and Accountability (AU)", + "SubSection": "Audit Record Review, Analysis And Reporting (AU-6)", + "Service": "aws" + } + ], + "Checks": [ + "apigateway_logging_enabled", + "cloudtrail_multi_region_enabled", + "cloudtrail_s3_dataevents_read_enabled", + "cloudtrail_s3_dataevents_write_enabled", + "cloudtrail_multi_region_enabled", + "cloudtrail_cloudwatch_logging_enabled", + "cloudwatch_log_group_retention_policy_specific_days_enabled", + "elbv2_logging_enabled", + "elb_logging_enabled", + "rds_instance_integration_cloudwatch_logs", + "redshift_cluster_audit_logging", + "s3_bucket_server_access_logging_enabled", + "vpc_flow_logs_enabled" + ] + }, + { + "Id": "au_6_5", + "Name": "AU-6(5) Central Review And Analysis", + "Description": "Integrate analysis of audit records with analysis of [Selection (one or more): vulnerability scanning information; performance data; system 
monitoring information; [Assignment: organization-defined data/information collected from other sources]] to further enhance the ability to identify inappropriate or unusual activity.", + "Attributes": [ + { + "ItemId": "au_6_5", + "Section": "Audit and Accountability (AU)", + "SubSection": "Audit Record Review, Analysis And Reporting (AU-6)", + "Service": "aws" + } + ], + "Checks": [ + "cloudtrail_cloudwatch_logging_enabled", + "cloudwatch_changes_to_network_acls_alarm_configured", + "cloudwatch_changes_to_network_gateways_alarm_configured", + "cloudwatch_changes_to_network_route_tables_alarm_configured", + "cloudwatch_changes_to_vpcs_alarm_configured", + "guardduty_is_enabled", + "securityhub_enabled" + ] + }, + { + "Id": "au_6_6", + "Name": "AU-6(6) Correletion With Physical Monitoring", + "Description": "Correlate information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity.", + "Attributes": [ + { + "ItemId": "au_6_6", + "Section": "Audit and Accountability (AU)", + "SubSection": "Audit Record Review, Analysis And Reporting (AU-6)", + "Service": "aws" + } + ], + "Checks": [ + "apigateway_logging_enabled", + "cloudtrail_multi_region_enabled", + "cloudtrail_s3_dataevents_read_enabled", + "cloudtrail_s3_dataevents_write_enabled", + "cloudtrail_multi_region_enabled", + "cloudtrail_cloudwatch_logging_enabled", + "cloudwatch_log_group_retention_policy_specific_days_enabled", + "elbv2_logging_enabled", + "elb_logging_enabled", + "rds_instance_integration_cloudwatch_logs", + "redshift_cluster_audit_logging", + "s3_bucket_server_access_logging_enabled", + "vpc_flow_logs_enabled" + ] + }, + { + "Id": "au_6_9", + "Name": "AU-6(9) Correletion With From Nontechnical Sources", + "Description": "Correlate information from nontechnical sources with audit record information to enhance organization-wide situational awareness.", + "Attributes": [ + { 
+ "ItemId": "au_6_9", + "Section": "Audit and Accountability (AU)", + "SubSection": "Audit Record Review, Analysis And Reporting (AU-6)", + "Service": "aws" + } + ], + "Checks": [ + "apigateway_logging_enabled", + "cloudtrail_multi_region_enabled", + "cloudtrail_s3_dataevents_read_enabled", + "cloudtrail_s3_dataevents_write_enabled", + "cloudtrail_multi_region_enabled", + "cloudtrail_cloudwatch_logging_enabled", + "cloudwatch_log_group_retention_policy_specific_days_enabled", + "elbv2_logging_enabled", + "elb_logging_enabled", + "rds_instance_integration_cloudwatch_logs", + "redshift_cluster_audit_logging", + "s3_bucket_server_access_logging_enabled", + "vpc_flow_logs_enabled" + ] + }, + { + "Id": "au_7_1", + "Name": "AU-7(1) Automatic Processing", + "Description": "Provide and implement the capability to process, sort, and search audit records for events of interest based on the following content: [Assignment: organization-defined fields within audit records].", + "Attributes": [ + { + "ItemId": "au_7_1", + "Section": "Audit and Accountability (AU)", + "SubSection": "Audit Record Reduction And Report Generation (AU-7)", + "Service": "aws" + } + ], + "Checks": [ + "cloudtrail_cloudwatch_logging_enabled" + ] + }, + { + "Id": "au_8_b", + "Name": "AU-8(b)", + "Description": "Record time stamps for audit records that meet [Assignment: organization-defined granularity of time measurement] and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp.", + "Attributes": [ + { + "ItemId": "au_8_b", + "Section": "Audit and Accountability (AU)", + "SubSection": "Time Stamps (AU-8)", + "Service": "aws" + } + ], + "Checks": [ + "apigateway_logging_enabled", + "cloudtrail_multi_region_enabled", + "cloudtrail_s3_dataevents_read_enabled", + "cloudtrail_s3_dataevents_write_enabled", + "cloudtrail_multi_region_enabled", + "cloudtrail_cloudwatch_logging_enabled", + 
"elbv2_logging_enabled", + "elb_logging_enabled", + "rds_instance_integration_cloudwatch_logs", + "redshift_cluster_audit_logging", + "s3_bucket_server_access_logging_enabled", + "vpc_flow_logs_enabled" + ] + }, + { + "Id": "au_9_a", + "Name": "AU-9(a)", + "Description": "Protect audit information and audit logging tools from unauthorized access, modification, and deletion.", + "Attributes": [ + { + "ItemId": "au_9_a", + "Section": "Audit and Accountability (AU)", + "SubSection": "Protection of Audit Information (AU-9)", + "Service": "aws" + } + ], + "Checks": [ + "cloudtrail_log_file_validation_enabled" + ] + }, + { + "Id": "au_9_2", + "Name": "AU-9(2) Store On Separate Physical Systems Or Components", + "Description": "Store audit records [Assignment: organization-defined frequency] in a repository that is part of a physically different system or system component than the system or component being audited.", + "Attributes": [ + { + "ItemId": "au_9_2", + "Section": "Audit and Accountability (AU)", + "SubSection": "Protection of Audit Information (AU-9)", + "Service": "s3" + } + ], + "Checks": [ + "s3_bucket_object_versioning" + ] + }, + { + "Id": "au_9_3", + "Name": "AU-9(3) Cryptographic Protection", + "Description": "Implement cryptographic mechanisms to protect the integrity of audit information and audit tools.", + "Attributes": [ + { + "ItemId": "au_9_3", + "Section": "Audit and Accountability (AU)", + "SubSection": "Protection of Audit Information (AU-9)", + "Service": "aws" + } + ], + "Checks": [ + "apigateway_client_certificate_enabled", + "cloudtrail_kms_encryption_enabled", + "dynamodb_tables_kms_cmk_encryption_enabled", + "ec2_ebs_volume_encryption", + "ec2_ebs_default_encryption", + "efs_encryption_at_rest_enabled", + "elb_ssl_listeners", + "opensearch_service_domains_encryption_at_rest_enabled", + "opensearch_service_domains_node_to_node_encryption_enabled", + "cloudwatch_log_group_kms_encryption_enabled", + "rds_instance_storage_encrypted", + 
"rds_instance_storage_encrypted", + "redshift_cluster_audit_logging", + "s3_bucket_default_encryption", + "s3_bucket_secure_transport_policy", + "sagemaker_notebook_instance_encryption_enabled", + "sns_topics_kms_encryption_at_rest_enabled" + ] + }, + { + "Id": "au_9_7", + "Name": "AU-9(7) Store On Component With Different Operation Systems", + "Description": "Store audit information on a component running a different operating system than the system or component being audited.", + "Attributes": [ + { + "ItemId": "au_9_7", + "Section": "Audit and Accountability (AU)", + "SubSection": "Protection of Audit Information (AU-9)", + "Service": "aws" + } + ], + "Checks": [ + "cloudtrail_cloudwatch_logging_enabled" + ] + }, + { + "Id": "au_10", + "Name": "Non-Repudiation (AU-10)", + "Description": "Provide irrefutable evidence that an individual (or process acting on behalf of an individual) has performed [Assignment: organization-defined actions to be covered by non-repudiation].", + "Attributes": [ + { + "ItemId": "au_10", + "Section": "Audit and Accountability (AU)", + "Service": "aws" + } + ], + "Checks": [ + "apigateway_logging_enabled", + "cloudtrail_multi_region_enabled", + "cloudtrail_s3_dataevents_read_enabled", + "cloudtrail_s3_dataevents_write_enabled", + "cloudtrail_multi_region_enabled", + "cloudtrail_cloudwatch_logging_enabled", + "cloudwatch_log_group_retention_policy_specific_days_enabled", + "elbv2_logging_enabled", + "elb_logging_enabled", + "opensearch_service_domains_cloudwatch_logging_enabled", + "rds_instance_integration_cloudwatch_logs", + "redshift_cluster_audit_logging", + "s3_bucket_server_access_logging_enabled" + ] + }, + { + "Id": "au_11", + "Name": "Audit Record Retention (AU-11)", + "Description": "Retain audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention 
requirements.", + "Attributes": [ + { + "ItemId": "au_11", + "Section": "Audit and Accountability (AU)", + "Service": "cloudwatch" + } + ], + "Checks": [ + "cloudwatch_log_group_retention_policy_specific_days_enabled" + ] + }, + { + "Id": "au_11_1", + "Name": "AU-11(1) Long-Term Retrieval Capability", + "Description": "Employ [Assignment: organization-defined measures] to ensure that long-term audit records generated by the system can be retrieved.", + "Attributes": [ + { + "ItemId": "au_11_1", + "Section": "Audit and Accountability (AU)", + "SubSection": "Audit Record Retention (AU-11)", + "Service": "cloudwatch" + } + ], + "Checks": [ + "cloudwatch_log_group_retention_policy_specific_days_enabled" + ] + }, + { + "Id": "au_12_a", + "Name": "AU-12(a)", + "Description": "Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2a on [Assignment: organization-defined system components].", + "Attributes": [ + { + "ItemId": "au_12_a", + "Section": "Audit and Accountability (AU)", + "SubSection": "Audit Record Generation (AU-12)", + "Service": "aws" + } + ], + "Checks": [ + "apigateway_logging_enabled", + "cloudtrail_multi_region_enabled", + "cloudtrail_s3_dataevents_read_enabled", + "cloudtrail_s3_dataevents_write_enabled", + "cloudtrail_multi_region_enabled", + "cloudtrail_cloudwatch_logging_enabled", + "elbv2_logging_enabled", + "elb_logging_enabled", + "rds_instance_integration_cloudwatch_logs", + "redshift_cluster_audit_logging", + "s3_bucket_server_access_logging_enabled", + "vpc_flow_logs_enabled" + ] + }, + { + "Id": "au_12_c", + "Name": "AU-12(c)", + "Description": "Generate audit records for the event types defined in AU-2c that include the audit record content defined in AU-3.", + "Attributes": [ + { + "ItemId": "au_12_c", + "Section": "Audit and Accountability (AU)", + "SubSection": "Audit Record Generation (AU-12)", + "Service": "aws" + } + ], + "Checks": [ + "apigateway_logging_enabled", + 
"cloudtrail_multi_region_enabled", + "cloudtrail_s3_dataevents_read_enabled", + "cloudtrail_s3_dataevents_write_enabled", + "cloudtrail_multi_region_enabled", + "cloudtrail_cloudwatch_logging_enabled", + "elbv2_logging_enabled", + "elb_logging_enabled", + "rds_instance_integration_cloudwatch_logs", + "redshift_cluster_audit_logging", + "s3_bucket_server_access_logging_enabled", + "vpc_flow_logs_enabled" + ] + }, + { + "Id": "au_12_1", + "Name": "AU-12(1) System-Wide And Time-Correlated Audit Trial", + "Description": "Compile audit records from [Assignment: organization-defined system components] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail].", + "Attributes": [ + { + "ItemId": "au_12_1", + "Section": "Audit and Accountability (AU)", + "SubSection": "Audit Record Generation (AU-12)", + "Service": "aws" + } + ], + "Checks": [ + "apigateway_logging_enabled", + "cloudtrail_multi_region_enabled", + "cloudtrail_s3_dataevents_read_enabled", + "cloudtrail_s3_dataevents_write_enabled", + "cloudtrail_multi_region_enabled", + "cloudtrail_cloudwatch_logging_enabled", + "cloudwatch_log_group_retention_policy_specific_days_enabled", + "elbv2_logging_enabled", + "elb_logging_enabled", + "rds_instance_integration_cloudwatch_logs", + "redshift_cluster_audit_logging", + "s3_bucket_server_access_logging_enabled", + "vpc_flow_logs_enabled" + ] + }, + { + "Id": "au_12_2", + "Name": "AU-12(2) Standardized Formats", + "Description": "Produce a system-wide (logical or physical) audit trail composed of audit records in a standardized format.", + "Attributes": [ + { + "ItemId": "au_12_2", + "Section": "Audit and Accountability (AU)", + "SubSection": "Audit Record Generation (AU-12)", + "Service": "aws" + } + ], + "Checks": [ + "apigateway_logging_enabled", + "cloudtrail_multi_region_enabled", + 
"cloudtrail_s3_dataevents_read_enabled", + "cloudtrail_s3_dataevents_write_enabled", + "cloudtrail_multi_region_enabled", + "cloudtrail_cloudwatch_logging_enabled", + "cloudwatch_log_group_retention_policy_specific_days_enabled", + "elbv2_logging_enabled", + "elb_logging_enabled", + "rds_instance_integration_cloudwatch_logs", + "redshift_cluster_audit_logging", + "s3_bucket_server_access_logging_enabled", + "vpc_flow_logs_enabled" + ] + }, + { + "Id": "au_12_3", + "Name": "AU-12(3) Changes By Authorized Individuals", + "Description": "Provide and implement the capability for [Assignment: organization-defined individuals or roles] to change the logging to be performed on [Assignment: organization-defined system components] based on [Assignment: organization-defined selectable event criteria] within [Assignment: organization-defined time thresholds].", + "Attributes": [ + { + "ItemId": "au_12_3", + "Section": "Audit and Accountability (AU)", + "SubSection": "Audit Record Generation (AU-12)", + "Service": "aws" + } + ], + "Checks": [ + "apigateway_logging_enabled", + "cloudtrail_multi_region_enabled", + "cloudtrail_s3_dataevents_read_enabled", + "cloudtrail_s3_dataevents_write_enabled", + "cloudtrail_multi_region_enabled", + "cloudtrail_cloudwatch_logging_enabled", + "cloudwatch_changes_to_network_acls_alarm_configured", + "cloudwatch_changes_to_network_gateways_alarm_configured", + "cloudwatch_changes_to_network_route_tables_alarm_configured", + "cloudwatch_changes_to_vpcs_alarm_configured", + "cloudwatch_log_group_retention_policy_specific_days_enabled", + "elbv2_logging_enabled", + "elb_logging_enabled", + "guardduty_is_enabled", + "rds_instance_enhanced_monitoring_enabled", + "rds_instance_integration_cloudwatch_logs", + "redshift_cluster_audit_logging", + "s3_bucket_server_access_logging_enabled", + "securityhub_enabled", + "vpc_flow_logs_enabled" + ] + }, + { + "Id": "au_12_4", + "Name": "AU-12(4) Query Parameter Audits Of Personally Identifiable Information", + 
"Description": "Provide and implement the capability for auditing the parameters of user query events for data sets containing personally identifiable information.", + "Attributes": [ + { + "ItemId": "au_12_4", + "Section": "Audit and Accountability (AU)", + "SubSection": "Audit Record Generation (AU-12)", + "Service": "aws" + } + ], + "Checks": [ + "apigateway_logging_enabled", + "cloudtrail_multi_region_enabled", + "cloudtrail_s3_dataevents_read_enabled", + "cloudtrail_s3_dataevents_write_enabled", + "cloudtrail_multi_region_enabled", + "cloudtrail_cloudwatch_logging_enabled", + "elbv2_logging_enabled", + "elb_logging_enabled", + "rds_instance_integration_cloudwatch_logs", + "redshift_cluster_audit_logging", + "s3_bucket_server_access_logging_enabled", + "vpc_flow_logs_enabled" + ] + }, + { + "Id": "au_14_a", + "Name": "AU-14(a)", + "Description": "Provide and implement the capability for [Assignment: organization-defined users or roles] to [Selection (one or more): record; view; hear; log] the content of a user session under [Assignment: organization-defined circumstances].", + "Attributes": [ + { + "ItemId": "au_14_a", + "Section": "Audit and Accountability (AU)", + "SubSection": "Session Audit (AU-14)", + "Service": "aws" + } + ], + "Checks": [ + "apigateway_logging_enabled", + "cloudtrail_multi_region_enabled", + "cloudtrail_s3_dataevents_read_enabled", + "cloudtrail_s3_dataevents_write_enabled", + "cloudtrail_multi_region_enabled", + "cloudtrail_cloudwatch_logging_enabled", + "cloudwatch_changes_to_network_acls_alarm_configured", + "cloudwatch_changes_to_network_gateways_alarm_configured", + "cloudwatch_changes_to_network_route_tables_alarm_configured", + "cloudwatch_changes_to_vpcs_alarm_configured", + "cloudwatch_log_group_retention_policy_specific_days_enabled", + "elbv2_logging_enabled", + "elb_logging_enabled", + "guardduty_is_enabled", + "rds_instance_enhanced_monitoring_enabled", + "rds_instance_integration_cloudwatch_logs", + 
"redshift_cluster_audit_logging", + "s3_bucket_server_access_logging_enabled", + "securityhub_enabled", + "vpc_flow_logs_enabled" + ] + }, + { + "Id": "au_14_b", + "Name": "AU-14(b)", + "Description": "Develop, integrate, and use session auditing activities in consultation with legal counsel and in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.", + "Attributes": [ + { + "ItemId": "au_14_b", + "Section": "Audit and Accountability (AU)", + "SubSection": "Session Audit (AU-14)", + "Service": "aws" + } + ], + "Checks": [ + "apigateway_logging_enabled", + "cloudtrail_multi_region_enabled", + "cloudtrail_s3_dataevents_read_enabled", + "cloudtrail_s3_dataevents_write_enabled", + "cloudtrail_multi_region_enabled", + "cloudtrail_cloudwatch_logging_enabled", + "cloudwatch_changes_to_network_acls_alarm_configured", + "cloudwatch_changes_to_network_gateways_alarm_configured", + "cloudwatch_changes_to_network_route_tables_alarm_configured", + "cloudwatch_changes_to_vpcs_alarm_configured", + "cloudwatch_log_group_retention_policy_specific_days_enabled", + "elbv2_logging_enabled", + "elb_logging_enabled", + "guardduty_is_enabled", + "rds_instance_enhanced_monitoring_enabled", + "rds_instance_integration_cloudwatch_logs", + "redshift_cluster_audit_logging", + "s3_bucket_server_access_logging_enabled", + "securityhub_enabled", + "vpc_flow_logs_enabled" + ] + }, + { + "Id": "au_14_3", + "Name": "AU-14(3) Remote Viewing And Listening", + "Description": "Provide and implement the capability for authorized users to remotely view and hear content related to an established user session in real time.", + "Attributes": [ + { + "ItemId": "au_14_3", + "Section": "Audit and Accountability (AU)", + "SubSection": "Session Audit (AU-14)", + "Service": "aws" + } + ], + "Checks": [ + "apigateway_logging_enabled", + "cloudtrail_multi_region_enabled", + "cloudtrail_s3_dataevents_read_enabled", + 
"cloudtrail_s3_dataevents_write_enabled", + "cloudtrail_multi_region_enabled", + "cloudtrail_cloudwatch_logging_enabled", + "elbv2_logging_enabled", + "elb_logging_enabled", + "rds_instance_integration_cloudwatch_logs", + "redshift_cluster_audit_logging", + "s3_bucket_server_access_logging_enabled", + "vpc_flow_logs_enabled" + ] + }, + { + "Id": "au_16", + "Name": "Cross-Organizational Audit Logging (AU-16)", + "Description": "Employ [Assignment: organization-defined methods] for coordinating [Assignment: organization-defined audit information] among external organizations when audit information is transmitted across organizational boundaries.", + "Attributes": [ + { + "ItemId": "au_16", + "Section": "Audit and Accountability (AU)", + "Service": "aws" + } + ], + "Checks": [ + "cloudtrail_cloudwatch_logging_enabled" + ] + }, + { + "Id": "ca_2_2", + "Name": "CA-2(2) Specialized Assessments", + "Description": "Include as part of control assessments, [Assignment: organization-defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; security instrumentation; automated security test cases; vulnerability scanning; malicious user testing; insider threat assessment; performance and load testing; data leakage or data loss assessment; [Assignment: organization-defined other forms of assessment]].", + "Attributes": [ + { + "ItemId": "ca_2_2", + "Section": "Assessment, Authorization, And Monitoring (CA)", + "SubSection": "Control Assessments (CA-2)", + "Service": "aws" + } + ], + "Checks": [ + "cloudwatch_changes_to_network_acls_alarm_configured", + "cloudwatch_changes_to_network_gateways_alarm_configured", + "cloudwatch_changes_to_network_route_tables_alarm_configured", + "cloudwatch_changes_to_vpcs_alarm_configured", + "rds_instance_enhanced_monitoring_enabled" + ] + }, + { + "Id": "ca_2_d", + "Name": "CA-2(d)", + "Description": "Assess the controls in the system and its environment of operation [Assignment: organization-defined 
frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements.",
+ "Attributes": [
+ {
+ "ItemId": "ca_2_d",
+ "Section": "Assessment, Authorization, And Monitoring (CA)",
+ "SubSection": "Control Assessments (CA-2)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "guardduty_is_enabled",
+ "securityhub_enabled"
+ ]
+ },
+ {
+ "Id": "ca_7",
+ "Name": "Continuous Monitoring (CA-7)",
+ "Description": "Continuously monitor configuration management processes. Determine security impact, environment and operational risks.",
+ "Attributes": [
+ {
+ "ItemId": "ca_7",
+ "Section": "Assessment, Authorization, And Monitoring (CA)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "cloudwatch_changes_to_network_acls_alarm_configured",
+ "cloudwatch_changes_to_network_gateways_alarm_configured",
+ "cloudwatch_changes_to_network_route_tables_alarm_configured",
+ "cloudwatch_changes_to_vpcs_alarm_configured",
+ "guardduty_is_enabled",
+ "rds_instance_enhanced_monitoring_enabled",
+ "securityhub_enabled"
+ ]
+ },
+ {
+ "Id": "ca_7_b",
+ "Name": "CA-7(b)",
+ "Description": "Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes: b. 
Establishing [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessment of control effectiveness.",
+ "Attributes": [
+ {
+ "ItemId": "ca_7_b",
+ "Section": "Assessment, Authorization, And Monitoring (CA)",
+ "SubSection": "Continuous Monitoring (CA-7)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "apigateway_logging_enabled",
+ "cloudtrail_multi_region_enabled",
+ "cloudtrail_s3_dataevents_read_enabled",
+ "cloudtrail_s3_dataevents_write_enabled",
+ "cloudtrail_multi_region_enabled",
+ "cloudtrail_cloudwatch_logging_enabled",
+ "cloudwatch_changes_to_network_acls_alarm_configured",
+ "cloudwatch_changes_to_network_gateways_alarm_configured",
+ "cloudwatch_changes_to_network_route_tables_alarm_configured",
+ "cloudwatch_changes_to_vpcs_alarm_configured",
+ "cloudwatch_log_group_retention_policy_specific_days_enabled",
+ "elbv2_logging_enabled",
+ "elb_logging_enabled",
+ "guardduty_is_enabled",
+ "rds_instance_enhanced_monitoring_enabled",
+ "rds_instance_integration_cloudwatch_logs",
+ "redshift_cluster_audit_logging",
+ "s3_bucket_server_access_logging_enabled",
+ "securityhub_enabled",
+ "vpc_flow_logs_enabled"
+ ]
+ },
+ {
+ "Id": "ca_7_4_c",
+ "Name": "CA-7(4)(c)",
+ "Description": "Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following: (c) Change monitoring.",
+ "Attributes": [
+ {
+ "ItemId": "ca_7_4_c",
+ "Section": "Assessment, Authorization, And Monitoring (CA)",
+ "SubSection": "Continuous Monitoring (CA-7)",
+ "SubGroup": "CA-7(4) Risk Monitoring",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "elbv2_deletion_protection",
+ "rds_instance_deletion_protection"
+ ]
+ },
+ {
+ "Id": "ca_9_b",
+ "Name": "CA-9(b)",
+ "Description": "Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated.",
+ "Attributes": [
+ {
+ "ItemId": "ca_9_b",
+ 
"Section": "Assessment, Authorization, And Monitoring (CA)",
+ "SubSection": "Internal System Connections (CA-9)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "apigateway_client_certificate_enabled",
+ "elb_ssl_listeners",
+ "opensearch_service_domains_node_to_node_encryption_enabled",
+ "s3_bucket_secure_transport_policy"
+ ]
+ },
+ {
+ "Id": "cm_2_a",
+ "Name": "CM-2(a)",
+ "Description": "Develop, document, and maintain under configuration control, a current baseline configuration of the system.",
+ "Attributes": [
+ {
+ "ItemId": "cm_2_a",
+ "Section": "Configuration Management (CM)",
+ "SubSection": "Baseline Configuration (CM-2)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "ec2_instance_managed_by_ssm",
+ "ec2_instance_older_than_specific_days",
+ "elbv2_deletion_protection",
+ "ssm_managed_compliant_patching",
+ "ec2_networkacl_allow_ingress_any_port"
+ ]
+ },
+ {
+ "Id": "cm_2_b",
+ "Name": "CM-2(b)",
+ "Description": "Review and update the baseline configuration of the system: 1. [Assignment: organization-defined frequency]; 2. When required due to [Assignment: organization-defined circumstances]; and 3. When system components are installed or upgraded.",
+ "Attributes": [
+ {
+ "ItemId": "cm_2_b",
+ "Section": "Configuration Management (CM)",
+ "SubSection": "Baseline Configuration (CM-2)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "ec2_instance_managed_by_ssm",
+ "ec2_instance_older_than_specific_days",
+ "redshift_cluster_automatic_upgrades",
+ "ssm_managed_compliant_patching"
+ ]
+ },
+ {
+ "Id": "cm_2_b_1",
+ "Name": "CM-2(b)(1)",
+ "Description": "Review and update the baseline configuration of the system: 1. 
[Assignment: organization-defined frequency].",
+ "Attributes": [
+ {
+ "ItemId": "cm_2_b_1",
+ "Section": "Configuration Management (CM)",
+ "SubSection": "Baseline Configuration (CM-2)",
+ "SubGroup": "CM-2(b)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "ec2_instance_managed_by_ssm",
+ "ec2_instance_older_than_specific_days",
+ "redshift_cluster_automatic_upgrades",
+ "ssm_managed_compliant_patching"
+ ]
+ },
+ {
+ "Id": "cm_2_b_2",
+ "Name": "CM-2(b)(2)",
+ "Description": "Review and update the baseline configuration of the system: 2. When required due to [Assignment: organization-defined circumstances].",
+ "Attributes": [
+ {
+ "ItemId": "cm_2_b_2",
+ "Section": "Configuration Management (CM)",
+ "SubSection": "Baseline Configuration (CM-2)",
+ "SubGroup": "CM-2(b)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "ec2_instance_managed_by_ssm",
+ "ec2_instance_older_than_specific_days",
+ "redshift_cluster_automatic_upgrades",
+ "ssm_managed_compliant_patching"
+ ]
+ },
+ {
+ "Id": "cm_2_b_3",
+ "Name": "CM-2(b)(3)",
+ "Description": "Review and update the baseline configuration of the system: 3 When system components are installed or upgraded.",
+ "Attributes": [
+ {
+ "ItemId": "cm_2_b_3",
+ "Section": "Configuration Management (CM)",
+ "SubSection": "Baseline Configuration (CM-2)",
+ "SubGroup": "CM-2(b)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "ec2_instance_managed_by_ssm",
+ "ec2_instance_older_than_specific_days",
+ "redshift_cluster_automatic_upgrades",
+ "ssm_managed_compliant_patching"
+ ]
+ },
+ {
+ "Id": "cm_2_2",
+ "Name": "CM-2(2) Automation Support For Accuracy And Currency",
+ "Description": "Maintain the currency, completeness, accuracy, and availability of the baseline configuration of the system using [Assignment: organization-defined automated mechanisms].",
+ "Attributes": [
+ {
+ "ItemId": "cm_2_2",
+ "Section": "Configuration Management (CM)",
+ "SubSection": "Baseline Configuration (CM-2)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ 
"ec2_instance_managed_by_ssm",
+ "ec2_instance_older_than_specific_days",
+ "elbv2_deletion_protection",
+ "ssm_managed_compliant_patching",
+ "ec2_networkacl_allow_ingress_any_port"
+ ]
+ },
+ {
+ "Id": "cm_3_3",
+ "Name": "CM-3(3) Automated Change Implementation",
+ "Description": "Implement changes to the current system baseline and deploy the updated baseline across the installed base using [Assignment: organization-defined automated mechanisms].",
+ "Attributes": [
+ {
+ "ItemId": "cm_3_3",
+ "Section": "Configuration Management (CM)",
+ "SubSection": "Configuration Change Control (CM-3)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "ec2_instance_managed_by_ssm",
+ "ec2_instance_older_than_specific_days",
+ "redshift_cluster_automatic_upgrades",
+ "ssm_managed_compliant_patching"
+ ]
+ },
+ {
+ "Id": "cm_3_a",
+ "Name": "CM-3(a)",
+ "Description": "Determine and document the types of changes to the system that are configuration-controlled.",
+ "Attributes": [
+ {
+ "ItemId": "cm_3_a",
+ "Section": "Configuration Management (CM)",
+ "SubSection": "Configuration Change Control (CM-3)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "elbv2_deletion_protection",
+ "rds_instance_deletion_protection"
+ ]
+ },
+ {
+ "Id": "cm_5_1_a",
+ "Name": "CM-5(1)(a)",
+ "Description": "Enforce access restrictions using [Assignment: organization-defined automated mechanisms].",
+ "Attributes": [
+ {
+ "ItemId": "cm_5_1_a",
+ "Section": "Configuration Management (CM)",
+ "SubSection": "Access Restrictions For Change (CM-5)",
+ "SubGroup": "CM-5(1) Automated Access Enforcement And Audit Records",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "ec2_instance_profile_attached",
+ "ec2_instance_imdsv2_enabled",
+ "iam_password_policy_minimum_length_14",
+ "iam_policy_no_administrative_privileges",
+ "iam_policy_attached_only_to_group_or_roles",
+ "iam_policy_no_administrative_privileges",
+ "iam_root_hardware_mfa_enabled",
+ "iam_no_root_access_key",
+ "iam_rotate_access_key_90_days",
+ 
"iam_user_mfa_enabled_console_access",
+ "iam_user_mfa_enabled_console_access",
+ "iam_disable_90_days_credentials",
+ "secretsmanager_automatic_rotation_enabled"
+ ]
+ },
+ {
+ "Id": "cm_5_1_b",
+ "Name": "CM-5(1)(b)",
+ "Description": "Automatically generate audit records of the enforcement actions.",
+ "Attributes": [
+ {
+ "ItemId": "cm_5_1_b",
+ "Section": "Configuration Management (CM)",
+ "SubSection": "Access Restrictions For Change (CM-5)",
+ "SubGroup": "CM-5(1) Automated Access Enforcement And Audit Records",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "apigateway_logging_enabled",
+ "cloudtrail_multi_region_enabled",
+ "cloudtrail_s3_dataevents_read_enabled",
+ "cloudtrail_s3_dataevents_write_enabled",
+ "cloudtrail_multi_region_enabled",
+ "cloudtrail_cloudwatch_logging_enabled",
+ "elbv2_logging_enabled",
+ "elb_logging_enabled",
+ "rds_instance_integration_cloudwatch_logs",
+ "redshift_cluster_audit_logging",
+ "s3_bucket_server_access_logging_enabled",
+ "vpc_flow_logs_enabled"
+ ]
+ },
+ {
+ "Id": "cm_6",
+ "Name": "Configuration Settings (CM-6)",
+ "Description": "The organization: (i) establishes mandatory configuration settings for information technology products employed within the information system; (ii) configures the security settings of information technology products to the most restrictive mode consistent with operational requirements; (iii) documents the configuration settings; and (iv) enforces the configuration settings in all components of the information system.",
+ "Attributes": [
+ {
+ "ItemId": "cm_6",
+ "Section": "Configuration Management (CM)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "ec2_instance_managed_by_ssm",
+ "ssm_managed_compliant_patching"
+ ]
+ },
+ {
+ "Id": "cm_6_a",
+ "Name": "CM-6(a)",
+ "Description": "Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using [Assignment: organization-defined 
common secure configurations].",
+ "Attributes": [
+ {
+ "ItemId": "cm_6_a",
+ "Section": "Configuration Management (CM)",
+ "SubSection": "Configuration Settings (CM-6)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "cloudtrail_multi_region_enabled",
+ "cloudtrail_s3_dataevents_read_enabled",
+ "cloudtrail_s3_dataevents_write_enabled",
+ "cloudtrail_cloudwatch_logging_enabled",
+ "cloudtrail_kms_encryption_enabled",
+ "cloudtrail_log_file_validation_enabled",
+ "ec2_ebs_volume_encryption",
+ "ec2_ebs_default_encryption",
+ "ec2_instance_profile_attached",
+ "iam_password_policy_minimum_length_14",
+ "iam_policy_attached_only_to_group_or_roles",
+ "iam_policy_no_administrative_privileges",
+ "iam_root_hardware_mfa_enabled",
+ "iam_root_mfa_enabled",
+ "iam_no_root_access_key",
+ "iam_rotate_access_key_90_days",
+ "iam_user_mfa_enabled_console_access",
+ "iam_disable_90_days_credentials",
+ "kms_cmk_rotation_enabled",
+ "s3_bucket_default_encryption",
+ "s3_bucket_secure_transport_policy",
+ "s3_bucket_server_access_logging_enabled",
+ "s3_bucket_public_access",
+ "s3_bucket_policy_public_write_access",
+ "s3_account_level_public_access_blocks",
+ "ec2_securitygroup_default_restrict_traffic",
+ "vpc_flow_logs_enabled",
+ "ec2_networkacl_allow_ingress_any_port"
+ ]
+ },
+ {
+ "Id": "cm_7_b",
+ "Name": "CM-7(b)",
+ "Description": "Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: [Assignment: organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services].",
+ "Attributes": [
+ {
+ "ItemId": "cm_7_b",
+ "Section": "Configuration Management (CM)",
+ "SubSection": "Least Functionality (CM-7)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "ec2_networkacl_allow_ingress_any_port"
+ ]
+ },
+ {
+ "Id": "cm_8_1",
+ "Name": "CM-8(1) Updates During Installation And Removals",
+ "Description": "Update the inventory of system components as part of component installations, removals, and 
system updates.",
+ "Attributes": [
+ {
+ "ItemId": "cm_8_1",
+ "Section": "Configuration Management (CM)",
+ "SubSection": "System Component Inventory (CM-8)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "ec2_instance_managed_by_ssm",
+ "ssm_managed_compliant_patching"
+ ]
+ },
+ {
+ "Id": "cm_8_2",
+ "Name": "CM-8(2) Automated Maintenance",
+ "Description": "Maintain the currency, completeness, accuracy, and availability of the inventory of system components using [Assignment: organization-defined automated mechanisms].",
+ "Attributes": [
+ {
+ "ItemId": "cm_8_2",
+ "Section": "Configuration Management (CM)",
+ "SubSection": "System Component Inventory (CM-8)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "ec2_instance_managed_by_ssm"
+ ]
+ },
+ {
+ "Id": "cm_8_3_a",
+ "Name": "CM-8(3)(a)",
+ "Description": "Detect the presence of unauthorized hardware, software, and firmware components within the system using [Assignment: organization-defined automated mechanisms] [Assignment: organization-defined frequency].",
+ "Attributes": [
+ {
+ "ItemId": "cm_8_3_a",
+ "Section": "Configuration Management (CM)",
+ "SubSection": "System Component Inventory (CM-8)",
+ "SubGroup": "CM-8(3) Automated Unauthorized Component Detection",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "ec2_instance_managed_by_ssm",
+ "guardduty_is_enabled",
+ "ssm_managed_compliant_patching",
+ "ssm_managed_compliant_patching"
+ ]
+ },
+ {
+ "Id": "cm_8_6",
+ "Name": "CM-8(6) Assessed Configurations And Approved Deviations",
+ "Description": "Include assessed component configurations and any approved deviations to current deployed configurations in the system component inventory.",
+ "Attributes": [
+ {
+ "ItemId": "cm_8_6",
+ "Section": "Configuration Management (CM)",
+ "SubSection": "System Component Inventory (CM-8)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "ec2_instance_managed_by_ssm",
+ "ec2_instance_older_than_specific_days",
+ "elbv2_deletion_protection",
+ 
"ssm_managed_compliant_patching",
+ "ec2_networkacl_allow_ingress_any_port"
+ ]
+ },
+ {
+ "Id": "cm_8_a",
+ "Name": "CM-8(a)",
+ "Description": "Develop and document an inventory of system components that: 1. Accurately reflects the system; 2. Includes all components within the system; 3. Does not include duplicate accounting of components or components assigned to any other system; 4. Is at the level of granularity deemed necessary for tracking and reporting; and 5. Includes the following information to achieve system component accountability: [Assignment: organization-defined information deemed necessary to achieve effective system component accountability].",
+ "Attributes": [
+ {
+ "ItemId": "cm_8_a",
+ "Section": "Configuration Management (CM)",
+ "SubSection": "System Component Inventory (CM-8)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "ec2_instance_managed_by_ssm",
+ "ssm_managed_compliant_patching"
+ ]
+ },
+ {
+ "Id": "cm_8_a_1",
+ "Name": "CM-8(a)(1)",
+ "Description": "Develop and document an inventory of system components that: 1. Accurately reflects the system.",
+ "Attributes": [
+ {
+ "ItemId": "cm_8_a_1",
+ "Section": "Configuration Management (CM)",
+ "SubSection": "System Component Inventory (CM-8)",
+ "SubGroup": "CM-8(a)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "ec2_instance_managed_by_ssm",
+ "ssm_managed_compliant_patching"
+ ]
+ },
+ {
+ "Id": "cm_8_a_2",
+ "Name": "CM-8(a)(2)",
+ "Description": "Develop and document an inventory of system components that: 2. Includes all components within the system.",
+ "Attributes": [
+ {
+ "ItemId": "cm_8_a_2",
+ "Section": "Configuration Management (CM)",
+ "SubSection": "System Component Inventory (CM-8)",
+ "SubGroup": "CM-8(a)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "ec2_instance_managed_by_ssm",
+ "ssm_managed_compliant_patching"
+ ]
+ },
+ {
+ "Id": "cm_8_a_3",
+ "Name": "CM-8(a)(3)",
+ "Description": "Develop and document an inventory of system components that: 3. 
Does not include duplicate accounting of components or components assigned to any other system.",
+ "Attributes": [
+ {
+ "ItemId": "cm_8_a_3",
+ "Section": "Configuration Management (CM)",
+ "SubSection": "System Component Inventory (CM-8)",
+ "SubGroup": "CM-8(a)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "ec2_instance_managed_by_ssm",
+ "ssm_managed_compliant_patching"
+ ]
+ },
+ {
+ "Id": "cm_8_a_4",
+ "Name": "CM-8(a)(4)",
+ "Description": "Develop and document an inventory of system components that: 4. Is at the level of granularity deemed necessary for tracking and reporting.",
+ "Attributes": [
+ {
+ "ItemId": "cm_8_a_4",
+ "Section": "Configuration Management (CM)",
+ "SubSection": "System Component Inventory (CM-8)",
+ "SubGroup": "CM-8(a)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "ec2_instance_managed_by_ssm",
+ "ssm_managed_compliant_patching"
+ ]
+ },
+ {
+ "Id": "cm_8_a_5",
+ "Name": "CM-8(a)(5)",
+ "Description": "Develop and document an inventory of system components that: 5. 
Includes the following information to achieve system component accountability: [Assignment: organization-defined information deemed necessary to achieve effective system component accountability].",
+ "Attributes": [
+ {
+ "ItemId": "cm_8_a_5",
+ "Section": "Configuration Management (CM)",
+ "SubSection": "System Component Inventory (CM-8)",
+ "SubGroup": "CM-8(a)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "ec2_instance_managed_by_ssm",
+ "ssm_managed_compliant_patching"
+ ]
+ },
+ {
+ "Id": "cm_8_b",
+ "Name": "CM-8(b)",
+ "Description": "Review and update the system component inventory [Assignment: organization-defined frequency].",
+ "Attributes": [
+ {
+ "ItemId": "cm_8_b",
+ "Section": "Configuration Management (CM)",
+ "SubSection": "System Component Inventory (CM-8)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "ec2_instance_managed_by_ssm",
+ "ssm_managed_compliant_patching"
+ ]
+ },
+ {
+ "Id": "cm_9_b",
+ "Name": "CM-9(b)",
+ "Description": "Develop, document, and implement a configuration management plan for the system that: b. 
Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items.",
+ "Attributes": [
+ {
+ "ItemId": "cm_9_b",
+ "Section": "Configuration Management (CM)",
+ "SubSection": "Configuration Management Plan (CM-9)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "cloudtrail_multi_region_enabled",
+ "cloudtrail_s3_dataevents_read_enabled",
+ "cloudtrail_s3_dataevents_write_enabled",
+ "cloudtrail_cloudwatch_logging_enabled",
+ "cloudtrail_kms_encryption_enabled",
+ "cloudtrail_log_file_validation_enabled",
+ "ec2_ebs_volume_encryption",
+ "ec2_ebs_default_encryption",
+ "iam_password_policy_minimum_length_14",
+ "iam_policy_attached_only_to_group_or_roles",
+ "iam_policy_no_administrative_privileges",
+ "iam_root_hardware_mfa_enabled",
+ "iam_root_mfa_enabled",
+ "iam_no_root_access_key",
+ "iam_rotate_access_key_90_days",
+ "iam_user_mfa_enabled_console_access",
+ "iam_disable_90_days_credentials",
+ "kms_cmk_rotation_enabled",
+ "s3_bucket_default_encryption",
+ "s3_bucket_secure_transport_policy",
+ "s3_bucket_server_access_logging_enabled",
+ "s3_bucket_public_access",
+ "s3_bucket_policy_public_write_access",
+ "s3_account_level_public_access_blocks",
+ "ec2_securitygroup_default_restrict_traffic",
+ "vpc_flow_logs_enabled",
+ "ec2_networkacl_allow_ingress_any_port",
+ "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22"
+ ]
+ },
+ {
+ "Id": "cm_12_b",
+ "Name": "CM-12(b)",
+ "Description": "Identify and document the users who have access to the system and system components where the information is processed and stored.",
+ "Attributes": [
+ {
+ "ItemId": "cm_12_b",
+ "Section": "Configuration Management (CM)",
+ "SubSection": "Information Location (CM-12)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "iam_password_policy_minimum_length_14"
+ ]
+ },
+ {
+ "Id": "cp_1_a_1_b",
+ "Name": "CP-1(a)(1)(b)",
+ "Description": "a. 
Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] contingency planning policy that: (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.",
+ "Attributes": [
+ {
+ "ItemId": "cp_1_a_1_b",
+ "Section": "Contingency Planning (CP)",
+ "SubSection": "Policy And Procedures (CP-1)",
+ "SubGroup": "CP-1(a)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "elbv2_deletion_protection",
+ "rds_instance_deletion_protection",
+ "rds_instance_multi_az"
+ ]
+ },
+ {
+ "Id": "cp_1_a_2",
+ "Name": "CP-1(a)(2)",
+ "Description": "a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 2. Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls.",
+ "Attributes": [
+ {
+ "ItemId": "cp_1_a_2",
+ "Section": "Contingency Planning (CP)",
+ "SubSection": "Policy And Procedures (CP-1)",
+ "SubGroup": "CP-1(a)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "elbv2_deletion_protection",
+ "rds_instance_deletion_protection",
+ "rds_instance_multi_az"
+ ]
+ },
+ {
+ "Id": "cp_1_2",
+ "Name": "CP-1(2)",
+ "Description": "Implement transaction recovery for systems that are transaction-based.",
+ "Attributes": [
+ {
+ "ItemId": "cp_1_2",
+ "Section": "Contingency Planning (CP)",
+ "SubSection": "Policy And Procedures (CP-1)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "efs_have_backup_enabled",
+ "rds_instance_backup_enabled",
+ "redshift_cluster_automated_snapshot",
+ "rds_instance_backup_enabled",
+ "dynamodb_tables_pitr_enabled",
+ "s3_bucket_object_versioning"
+ ]
+ },
+ {
+ "Id": "cp_2_a",
+ "Name": "CP-2(a)",
+ "Description": "a. Develop a contingency plan for the system that: 1. Identifies essential mission and business functions and associated contingency requirements; 2. 
Provides recovery objectives, restoration priorities, and metrics; 3. Addresses contingency roles, responsibilities, assigned individuals with contact information; 4. Addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure; 5. Addresses eventual, full system restoration without deterioration of the controls originally planned and implemented; 6. Addresses the sharing of contingency information; and 7. Is reviewed and approved by [Assignment: organization-defined personnel or roles]",
+ "Attributes": [
+ {
+ "ItemId": "cp_2_a",
+ "Section": "Contingency Planning (CP)",
+ "SubSection": "Contingency Plan (CP-2)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "elbv2_deletion_protection",
+ "rds_instance_deletion_protection",
+ "rds_instance_multi_az"
+ ]
+ },
+ {
+ "Id": "cp_2_a_6",
+ "Name": "CP-2(a)(6)",
+ "Description": "Develop a contingency plan for the system that: 6. Addresses the sharing of contingency information.",
+ "Attributes": [
+ {
+ "ItemId": "cp_2_a_6",
+ "Section": "Contingency Planning (CP)",
+ "SubSection": "Contingency Plan (CP-2)",
+ "SubGroup": "CP-2(a)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "elbv2_deletion_protection",
+ "rds_instance_deletion_protection",
+ "rds_instance_multi_az"
+ ]
+ },
+ {
+ "Id": "cp_2_a_7",
+ "Name": "CP-2(a)(7)",
+ "Description": "Develop a contingency plan for the system that: 7. 
Is reviewed and approved by [Assignment: organization-defined personnel or roles].",
+ "Attributes": [
+ {
+ "ItemId": "cp_2_a_7",
+ "Section": "Contingency Planning (CP)",
+ "SubSection": "Contingency Plan (CP-2)",
+ "SubGroup": "CP-2(a)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "elbv2_deletion_protection",
+ "rds_instance_deletion_protection",
+ "rds_instance_multi_az"
+ ]
+ },
+ {
+ "Id": "cp_2_d",
+ "Name": "CP-2(d)",
+ "Description": "Review the contingency plan for the system [Assignment: organization-defined frequency]",
+ "Attributes": [
+ {
+ "ItemId": "cp_2_d",
+ "Section": "Contingency Planning (CP)",
+ "SubSection": "Contingency Plan (CP-2)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "elbv2_deletion_protection",
+ "rds_instance_deletion_protection",
+ "rds_instance_multi_az"
+ ]
+ },
+ {
+ "Id": "cp_2_e",
+ "Name": "CP-2(e)",
+ "Description": "Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing.",
+ "Attributes": [
+ {
+ "ItemId": "cp_2_e",
+ "Section": "Contingency Planning (CP)",
+ "SubSection": "Contingency Plan (CP-2)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "elbv2_deletion_protection",
+ "rds_instance_deletion_protection",
+ "rds_instance_multi_az"
+ ]
+ },
+ {
+ "Id": "cp_2_5",
+ "Name": "CP-2(5) Continue Mission And Business Functions",
+ "Description": "Plan for the continuance of [Selection: all; essential] mission and business functions with minimal or no loss of operational continuity and sustains that continuity until full system restoration at primary processing and/or storage sites.",
+ "Attributes": [
+ {
+ "ItemId": "cp_2_5",
+ "Section": "Contingency Planning (CP)",
+ "SubSection": "Contingency Plan (CP-2)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "dynamodb_tables_pitr_enabled",
+ "efs_have_backup_enabled",
+ "elbv2_deletion_protection",
+ "rds_instance_backup_enabled",
+ 
"rds_instance_deletion_protection",
+ "rds_instance_backup_enabled",
+ "rds_instance_multi_az",
+ "redshift_cluster_automated_snapshot",
+ "s3_bucket_object_versioning"
+ ]
+ },
+ {
+ "Id": "cp_2_6",
+ "Name": "CP-2(6) Alternate Processing And Storage Sites",
+ "Description": "Plan for the transfer of [Selection: all; essential] mission and business functions to alternate processing and/or storage sites with minimal or no loss of operational continuity and sustain that continuity through system restoration to primary processing and/or storage sites.",
+ "Attributes": [
+ {
+ "ItemId": "cp_2_6",
+ "Section": "Contingency Planning (CP)",
+ "SubSection": "Contingency Plan (CP-2)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "rds_instance_multi_az"
+ ]
+ },
+ {
+ "Id": "cp_6_a",
+ "Name": "CP-6(a)",
+ "Description": "Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information.",
+ "Attributes": [
+ {
+ "ItemId": "cp_6_a",
+ "Section": "Contingency Planning (CP)",
+ "SubSection": "Alternate Storage Sites (CP-6)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "efs_have_backup_enabled",
+ "rds_instance_backup_enabled",
+ "rds_instance_backup_enabled",
+ "redshift_cluster_automated_snapshot",
+ "s3_bucket_object_versioning"
+ ]
+ },
+ {
+ "Id": "cp_6_1",
+ "Name": "CP-6(1) Separation From Primary Site",
+ "Description": "Identify an alternate storage site that is sufficiently separated from the primary storage site to reduce susceptibility to the same threats.",
+ "Attributes": [
+ {
+ "ItemId": "cp_6_1",
+ "Section": "Contingency Planning (CP)",
+ "SubSection": "Alternate Storage Sites (CP-6)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "efs_have_backup_enabled",
+ "rds_instance_backup_enabled",
+ "rds_instance_backup_enabled",
+ "redshift_cluster_automated_snapshot",
+ "s3_bucket_object_versioning"
+ ]
+ },
+ {
+ "Id": "cp_6_2",
+ "Name": "CP-6(2) Recovery Time And Recovery Point Objectives",
+ 
"Description": "Configure the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives.",
+ "Attributes": [
+ {
+ "ItemId": "cp_6_2",
+ "Section": "Contingency Planning (CP)",
+ "SubSection": "Alternate Storage Sites (CP-6)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "dynamodb_tables_pitr_enabled",
+ "efs_have_backup_enabled",
+ "rds_instance_backup_enabled",
+ "rds_instance_backup_enabled",
+ "rds_instance_multi_az",
+ "redshift_cluster_automated_snapshot",
+ "s3_bucket_object_versioning"
+ ]
+ },
+ {
+ "Id": "cp_9_a",
+ "Name": "CP-9(a)",
+ "Description": "Conduct backups of user-level information contained in [Assignment: organization-defined system components] [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives].",
+ "Attributes": [
+ {
+ "ItemId": "cp_9_a",
+ "Section": "Contingency Planning (CP)",
+ "SubSection": "System Backup (CP-9)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "dynamodb_tables_pitr_enabled",
+ "efs_have_backup_enabled",
+ "rds_instance_backup_enabled",
+ "rds_instance_backup_enabled",
+ "redshift_cluster_automated_snapshot",
+ "redshift_cluster_automatic_upgrades",
+ "s3_bucket_object_versioning"
+ ]
+ },
+ {
+ "Id": "cp_9_b",
+ "Name": "CP-9(b)",
+ "Description": "Conduct backups of system-level information contained in the system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives].",
+ "Attributes": [
+ {
+ "ItemId": "cp_9_b",
+ "Section": "Contingency Planning (CP)",
+ "SubSection": "System Backup (CP-9)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "dynamodb_tables_pitr_enabled",
+ "efs_have_backup_enabled",
+ "rds_instance_backup_enabled",
+ "rds_instance_backup_enabled",
+ "redshift_cluster_automated_snapshot",
+ "redshift_cluster_automatic_upgrades",
+ "s3_bucket_object_versioning"
+ ]
+ },
+ {
+ "Id": "cp_9_c",
+ "Name": "CP-9(c)",
+ "Description": "Conduct backups 
of system documentation, including security- and privacy-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives].", + "Attributes": [ + { + "ItemId": "cp_9_c", + "Section": "Contingency Planning (CP)", + "SubSection": "System Backup (CP-9)", + "Service": "aws" + } + ], + "Checks": [ + "efs_have_backup_enabled", + "rds_instance_backup_enabled", + "redshift_cluster_automated_snapshot", + "rds_instance_backup_enabled", + "dynamodb_tables_pitr_enabled", + "redshift_cluster_automatic_upgrades", + "s3_bucket_object_versioning" + ] + }, + { + "Id": "cp_9_d", + "Name": "CP-9(d)", + "Description": "Protect the confidentiality, integrity, and availability of backup information.", + "Attributes": [ + { + "ItemId": "cp_9_d", + "Section": "Contingency Planning (CP)", + "SubSection": "System Backup (CP-9)", + "Service": "aws" + } + ], + "Checks": [ + "cloudtrail_kms_encryption_enabled", + "ec2_ebs_volume_encryption", + "ec2_ebs_default_encryption", + "efs_encryption_at_rest_enabled", + "opensearch_service_domains_encryption_at_rest_enabled", + "cloudwatch_log_group_kms_encryption_enabled", + "rds_instance_storage_encrypted", + "rds_instance_storage_encrypted", + "redshift_cluster_audit_logging", + "s3_bucket_default_encryption", + "s3_bucket_default_encryption", + "sagemaker_notebook_instance_encryption_enabled", + "sns_topics_kms_encryption_at_rest_enabled" + ] + }, + { + "Id": "cp_9_8", + "Name": "CP-9(8) Cryptographic Protection", + "Description": "Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of [Assignment: organization-defined backup information].", + "Attributes": [ + { + "ItemId": "cp_9_8", + "Section": "Contingency Planning (CP)", + "SubSection": "System Backup (CP-9)", + "Service": "aws" + } + ], + "Checks": [ + "rds_instance_storage_encrypted", + "s3_bucket_default_encryption", + "s3_bucket_default_encryption" + ] + }, + { + "Id": "cp_10", + "Name": "System 
Recovery And Reconstitution (CP-10)", + "Description": "Provide for the recovery and reconstitution of the system to a known state within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] after a disruption, compromise, or failure.", + "Attributes": [ + { + "ItemId": "cp_10", + "Section": "Contingency Planning (CP)", + "Service": "aws" + } + ], + "Checks": [ + "dynamodb_tables_pitr_enabled", + "efs_have_backup_enabled", + "rds_instance_backup_enabled", + "rds_instance_backup_enabled", + "rds_instance_multi_az", + "redshift_cluster_automated_snapshot", + "s3_bucket_object_versioning" + ] + }, + { + "Id": "cp_10_2", + "Name": "CP-10(2) Transaction Recovery", + "Description": "Implement transaction recovery for systems that are transaction-based.", + "Attributes": [ + { + "ItemId": "cp_10_2", + "Section": "Contingency Planning (CP)", + "SubSection": "System Recovery And Reconstitution (CP-10)", + "Service": "aws" + } + ], + "Checks": [ + "dynamodb_tables_pitr_enabled", + "efs_have_backup_enabled", + "rds_instance_backup_enabled", + "rds_instance_backup_enabled", + "redshift_cluster_automated_snapshot", + "s3_bucket_object_versioning" + ] + }, + { + "Id": "ia_2", + "Name": "Identification and Authentication (Organizational users) (IA-2)", + "Description": "The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).", + "Attributes": [ + { + "ItemId": "ia_2", + "Section": "Identification and Authentication (IA)", + "Service": "iam" + } + ], + "Checks": [ + "iam_no_root_access_key" + ] + }, + { + "Id": "ia_2_1", + "Name": "IA-2(1) Multi-Factor Authentication To Privileged Accounts", + "Description": "Implement multi-factor authentication for access to privileged accounts.", + "Attributes": [ + { + "ItemId": "ia_2_1", + "Section": "Identification and Authentication (IA)", + "SubSection": "Identification and Authentication (Organizational 
users) (IA-2)", + "Service": "iam" + } + ], + "Checks": [ + "iam_root_hardware_mfa_enabled", + "iam_root_mfa_enabled", + "iam_user_mfa_enabled_console_access", + "iam_user_mfa_enabled_console_access" + ] + }, + { + "Id": "ia_2_2", + "Name": "IA-2(2) Multi-Factor Authentication To Non-Privileged Accounts", + "Description": "Implement multi-factor authentication for access to non-privileged accounts.", + "Attributes": [ + { + "ItemId": "ia_2_2", + "Section": "Identification and Authentication (IA)", + "SubSection": "Identification and Authentication (Organizational users) (IA-2)", + "Service": "iam" + } + ], + "Checks": [ + "iam_root_hardware_mfa_enabled", + "iam_root_mfa_enabled", + "iam_user_mfa_enabled_console_access", + "iam_user_mfa_enabled_console_access" + ] + }, + { + "Id": "ia_2_6", + "Name": "IA-2(6) Acces To Accounts — Separate Device", + "Description": "Implement multi-factor authentication for [Selection (one or more): local; network; remote] access to [Selection (one or more): privileged accounts; non-privileged accounts] such that: (a) One of the factors is provided by a device separate from the system gaining access; and (b) The device meets [Assignment: organization-defined strength of mechanism requirements].", + "Attributes": [ + { + "ItemId": "ia_2_6", + "Section": "Identification and Authentication (IA)", + "SubSection": "Identification and Authentication (Organizational users) (IA-2)", + "Service": "iam" + } + ], + "Checks": [ + "iam_root_hardware_mfa_enabled", + "iam_root_mfa_enabled", + "iam_user_mfa_enabled_console_access", + "iam_user_mfa_enabled_console_access" + ] + }, + { + "Id": "ia_2_6_a", + "Name": "IA-2(6)(a)", + "Description": "Implement multi-factor authentication for [Selection (one or more): local; network; remote] access to [Selection (one or more): privileged accounts; non-privileged accounts] such that: (a) One of the factors is provided by a device separate from the system gaining access.", + "Attributes": [ + { + "ItemId": 
"ia_2_6_a", + "Section": "Identification and Authentication (IA)", + "SubSection": "Identification and Authentication (Organizational users) (IA-2)", + "SubGroup": "IA-2(6) Acces To Accounts — Separate Device", + "Service": "iam" + } + ], + "Checks": [ + "iam_root_hardware_mfa_enabled", + "iam_root_mfa_enabled", + "iam_user_mfa_enabled_console_access", + "iam_user_mfa_enabled_console_access" + ] + }, + { + "Id": "ia_2_8", + "Name": "IA-2(8) Access To Accounts — Replay Resistant", + "Description": "Implement replay-resistant authentication mechanisms for access to [Selection (one or more): privileged accounts; non-privileged accounts].", + "Attributes": [ + { + "ItemId": "ia_2_8", + "Section": "Identification and Authentication (IA)", + "SubSection": "Identification and Authentication (Organizational users) (IA-2)", + "Service": "iam" + } + ], + "Checks": [ + "iam_root_hardware_mfa_enabled", + "iam_root_mfa_enabled", + "iam_user_mfa_enabled_console_access", + "iam_user_mfa_enabled_console_access" + ] + }, + { + "Id": "ia_3_3_b", + "Name": "IA-3(3)(b)", + "Description": "Audit lease information when assigned to a device.", + "Attributes": [ + { + "ItemId": "ia_3_3_b", + "Section": "Identification and Authentication (IA)", + "SubSection": "Device Identification And Authentication (IA-3)", + "SubGroup": "IA-3(3) Dynamic Address Allocation", + "Service": "aws" + } + ], + "Checks": [ + "cloudtrail_multi_region_enabled", + "apigateway_logging_enabled", + "cloudtrail_cloudwatch_logging_enabled", + "cloudtrail_multi_region_enabled", + "cloudtrail_s3_dataevents_read_enabled", + "cloudtrail_s3_dataevents_write_enabled", + "elbv2_logging_enabled", + "elb_logging_enabled", + "rds_instance_integration_cloudwatch_logs", + "redshift_cluster_audit_logging", + "s3_bucket_server_access_logging_enabled", + "vpc_flow_logs_enabled" + ] + }, + { + "Id": "ia_4_b", + "Name": "IA-4(b)", + "Description": "Manage system identifiers by: b. 
Selecting an identifier that identifies an individual, group, role, service, or device.", + "Attributes": [ + { + "ItemId": "ia_4_b", + "Section": "Identification and Authentication (IA)", + "SubSection": "Identifier Management (IA-4)", + "Service": "iam" + } + ], + "Checks": [ + "iam_no_root_access_key" + ] + }, + { + "Id": "ia_4_d", + "Name": "IA-4(d)", + "Description": "Manage system identifiers by: d. Preventing reuse of identifiers for [Assignment: organization-defined time period].", + "Attributes": [ + { + "ItemId": "ia_4_d", + "Section": "Identification and Authentication (IA)", + "SubSection": "Identifier Management (IA-4)", + "Service": "iam" + } + ], + "Checks": [ + "iam_password_policy_minimum_length_14" + ] + }, + { + "Id": "ia_4_4", + "Name": "IA-4(4)", + "Description": "Manage individual identifiers by uniquely identifying each individual as [Assignment: organization-defined characteristic identifying individual status].", + "Attributes": [ + { + "ItemId": "ia_4_4", + "Section": "Identification and Authentication (IA)", + "SubSection": "Identifier Management (IA-4)", + "Service": "iam" + } + ], + "Checks": [ + "iam_no_root_access_key" + ] + }, + { + "Id": "ia_4_8", + "Name": "IA-4(8)", + "Description": "Generate pairwise pseudonymous identifiers.", + "Attributes": [ + { + "ItemId": "ia_4_8", + "Section": "Identification and Authentication (IA)", + "SubSection": "Identifier Management (IA-4)", + "Service": "iam" + } + ], + "Checks": [ + "iam_no_root_access_key" + ] + }, + { + "Id": "ia_5", + "Name": "Authenticator Management (IA-5)", + "Description": "Authenticate users and devices. Automate administrative control. Enforce restrictions. 
Protect against unauthorized use.", + "Attributes": [ + { + "ItemId": "ia_5", + "Section": "Identification and Authentication (IA)", + "Service": "aws" + } + ], + "Checks": [ + "iam_password_policy_minimum_length_14" + ] + }, + { + "Id": "ia_5_b", + "Name": "IA-5(b)", + "Description": "Manage system authenticators by: b. Establishing initial authenticator content for any authenticators issued by the organization.", + "Attributes": [ + { + "ItemId": "ia_5_b", + "Section": "Identification and Authentication (IA)", + "SubSection": "Authenticator Management (IA-5)", + "Service": "iam" + } + ], + "Checks": [ + "iam_password_policy_minimum_length_14" + ] + }, + { + "Id": "ia_5_c", + "Name": "IA-5(c)", + "Description": "Manage system authenticators by: c. Ensuring that authenticators have sufficient strength of mechanism for their intended use.", + "Attributes": [ + { + "ItemId": "ia_5_c", + "Section": "Identification and Authentication (IA)", + "SubSection": "Authenticator Management (IA-5)", + "Service": "iam" + } + ], + "Checks": [ + "iam_password_policy_minimum_length_14" + ] + }, + { + "Id": "ia_5_d", + "Name": "IA-5(d)", + "Description": "Manage system authenticators by: d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators.", + "Attributes": [ + { + "ItemId": "ia_5_d", + "Section": "Identification and Authentication (IA)", + "SubSection": "Authenticator Management (IA-5)", + "Service": "iam" + } + ], + "Checks": [ + "iam_password_policy_minimum_length_14" + ] + }, + { + "Id": "ia_5_f", + "Name": "IA-5(f)", + "Description": "Manage system authenticators by: f. 
Changing or refreshing authenticators [Assignment: organization-defined time period by authenticator type] or when [Assignment: organization-defined events] occur.", + "Attributes": [ + { + "ItemId": "ia_5_f", + "Section": "Identification and Authentication (IA)", + "SubSection": "Authenticator Management (IA-5)", + "Service": "iam" + } + ], + "Checks": [ + "iam_password_policy_minimum_length_14" + ] + }, + { + "Id": "ia_5_h", + "Name": "IA-5(h)", + "Description": "Manage system authenticators by: h. Requiring individuals to take, and having devices implement, specific controls to protect authenticators.", + "Attributes": [ + { + "ItemId": "ia_5_h", + "Section": "Identification and Authentication (IA)", + "SubSection": "Authenticator Management (IA-5)", + "Service": "iam" + } + ], + "Checks": [ + "iam_password_policy_minimum_length_14" + ] + }, + { + "Id": "ia_5_1_c", + "Name": "IA-5(1)(c)", + "Description": "For password-based authentication: (c) Transmit passwords only over cryptographically-protected channels.", + "Attributes": [ + { + "ItemId": "ia_5_1_c", + "Section": "Identification and Authentication (IA)", + "SubSection": "Authenticator Management (IA-5)", + "SubGroup": "IA-5(1) Password-Based Authentication", + "Service": "aws" + } + ], + "Checks": [ + "apigateway_client_certificate_enabled", + "elb_ssl_listeners", + "s3_bucket_secure_transport_policy" + ] + }, + { + "Id": "ia_5_1_f", + "Name": "IA-5(1)(f)", + "Description": "For password-based authentication: (f) Allow user selection of long passwords and passphrases, including spaces and all printable characters.", + "Attributes": [ + { + "ItemId": "ia_5_1_f", + "Section": "Identification and Authentication (IA)", + "SubSection": "Authenticator Management (IA-5)", + "SubGroup": "IA-5(1) Password-Based Authentication", + "Service": "iam" + } + ], + "Checks": [ + "iam_password_policy_minimum_length_14" + ] + }, + { + "Id": "ia_5_1_g", + "Name": "IA-5(1)(g)", + "Description": "For password-based 
authentication: (g) Employ automated tools to assist the user in selecting strong password authenticators.", + "Attributes": [ + { + "ItemId": "ia_5_1_g", + "Section": "Identification and Authentication (IA)", + "SubSection": "Authenticator Management (IA-5)", + "SubGroup": "IA-5(1) Password-Based Authentication", + "Service": "iam" + } + ], + "Checks": [ + "iam_password_policy_minimum_length_14" + ] + }, + { + "Id": "ia_5_1_h", + "Name": "IA-5(1)(h)", + "Description": "For password-based authentication: (h) Enforce the following composition and complexity rules: [Assignment: organization-defined composition and complexity rules].", + "Attributes": [ + { + "ItemId": "ia_5_1_h", + "Section": "Identification and Authentication (IA)", + "SubSection": "Authenticator Management (IA-5)", + "SubGroup": "IA-5(1) Password-Based Authentication", + "Service": "iam" + } + ], + "Checks": [ + "iam_password_policy_minimum_length_14" + ] + }, + { + "Id": "ia_5_1_h", + "Name": "IA-5(1)(h)", + "Description": "For password-based authentication: (h) Enforce the following composition and complexity rules: [Assignment: organization-defined composition and complexity rules].", + "Attributes": [ + { + "ItemId": "ia_5_1_h", + "Section": "Identification and Authentication (IA)", + "SubSection": "Authenticator Management (IA-5)", + "SubGroup": "IA-5(1) Password-Based Authentication", + "Service": "iam" + } + ], + "Checks": [ + "iam_password_policy_minimum_length_14" + ] + }, + { + "Id": "ia_5_8", + "Name": "IA-5(8) Multiple System Accounts", + "Description": "Implement [Assignment: organization-defined security controls] to manage the risk of compromise due to individuals having accounts on multiple systems.", + "Attributes": [ + { + "ItemId": "ia_5_8", + "Section": "Identification and Authentication (IA)", + "Service": "iam" + } + ], + "Checks": [ + "iam_no_root_access_key" + ] + }, + { + "Id": "ia_5_18_a", + "Name": "IA-5(18)(a)", + "Description": "Employ [Assignment: organization-defined 
password managers] to generate and manage passwords.", + "Attributes": [ + { + "ItemId": "ia_5_18_a", + "Section": "Identification and Authentication (IA)", + "SubSection": "Authenticator Management (IA-5)", + "SubGroup": "IA-5(18) Password Managers", + "Service": "iam" + } + ], + "Checks": [ + "iam_password_policy_minimum_length_14" + ] + }, + { + "Id": "ia_5_18_b", + "Name": "IA-5(18)(b)", + "Description": "Protect the passwords using [Assignment: organization-defined controls].", + "Attributes": [ + { + "ItemId": "ia_5_18_b", + "Section": "Identification and Authentication (IA)", + "SubSection": "Authenticator Management (IA-5)", + "SubGroup": "IA-5(18) Password Managers", + "Service": "iam" + } + ], + "Checks": [ + "iam_password_policy_minimum_length_14" + ] + }, + { + "Id": "ia_8_2_b", + "Name": "IA-8(2)(b)", + "Description": "Document and maintain a list of accepted external authenticators.", + "Attributes": [ + { + "ItemId": "ia_8_2_b", + "Section": "Identification and Authentication (IA)", + "SubSection": "Identification And Authentication (Non-Organizational Users) (IA-8)", + "SubGroup": "IA-8(2) Acceptance Of External Authenticators", + "Service": "iam" + } + ], + "Checks": [ + "iam_password_policy_minimum_length_14" + ] + }, + { + "Id": "ir_4_a", + "Name": "IR-4(a)", + "Description": "Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery.", + "Attributes": [ + { + "ItemId": "ir_4_a", + "Section": "Incident Response (IR)", + "SubSection": "Incident Handling (IR-4)", + "Service": "guarduty" + } + ], + "Checks": [ + "guardduty_no_high_severity_findings" + ] + }, + { + "Id": "ma_4_c", + "Name": "MA-4(c)", + "Description": "Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions.", + "Attributes": [ + { + "ItemId": "ma_4_c", + "Section": "Maintenance (MA)", + "SubSection": 
"Nonlocal Maintenance (MA-4)", + "Service": "iam" + } + ], + "Checks": [ + "iam_password_policy_minimum_length_14" + ] + }, + { + "Id": "ma_4_1_a", + "Name": "MA-4(1)(a)", + "Description": "Log [Assignment: organization-defined audit events] for nonlocal maintenance and diagnostic sessions.", + "Attributes": [ + { + "ItemId": "ma_4_1_a", + "Section": "Maintenance (MA)", + "SubSection": "Nonlocal Maintenance (MA-4)", + "SubGroup": "MA-4(1) Logging And Review", + "Service": "aws" + } + ], + "Checks": [ + "apigateway_logging_enabled", + "cloudtrail_multi_region_enabled", + "cloudtrail_s3_dataevents_read_enabled", + "cloudtrail_s3_dataevents_write_enabled", + "cloudtrail_multi_region_enabled", + "cloudtrail_cloudwatch_logging_enabled", + "elbv2_logging_enabled", + "elb_logging_enabled", + "rds_instance_integration_cloudwatch_logs", + "redshift_cluster_audit_logging", + "s3_bucket_server_access_logging_enabled", + "vpc_flow_logs_enabled" + ] + }, + { + "Id": "mp_2", + "Name": "Media Access (MP-2)", + "Description": "Restrict access to [Assignment: organization-defined types of digital and/or non-digital media] to [Assignment: organization-defined personnel or roles].", + "Attributes": [ + { + "ItemId": "mp_2", + "Section": "Media Protection (MP)", + "Service": "aws" + } + ], + "Checks": [ + "ec2_ebs_public_snapshot", + "ec2_instance_public_ip", + "ec2_instance_imdsv2_enabled", + "emr_cluster_master_nodes_no_public_ip", + "iam_policy_attached_only_to_group_or_roles", + "iam_policy_no_administrative_privileges", + "iam_no_root_access_key", + "iam_disable_90_days_credentials", + "awslambda_function_not_publicly_accessible", + "awslambda_function_url_public", + "rds_instance_no_public_access", + "rds_snapshots_public_access", + "redshift_cluster_public_access", + "s3_bucket_public_access", + "s3_bucket_policy_public_write_access", + "s3_account_level_public_access_blocks", + "s3_bucket_public_access", + "sagemaker_notebook_instance_without_direct_internet_access_configured" 
+ ] + }, + { + "Id": "pe_6_2", + "Name": "PE-6(2) Monitoring Physical Access", + "Description": "Recognize [Assignment: organization-defined classes or types of intrusions] and initiate [Assignment: organization-defined response actions] using [Assignment: organization-defined automated mechanisms].", + "Attributes": [ + { + "ItemId": "pe_6_2", + "Section": "Physical And Environmental Protection (PE)", + "SubSection": "Monitoring Physical Access (PE-6)", + "Service": "guarduty" + } + ], + "Checks": [ + "guardduty_is_enabled" + ] + }, + { + "Id": "pe_6_4", + "Name": "PE-6(4) Monitoring Physical Access", + "Description": "Monitor physical access to the system in addition to the physical access monitoring of the facility at [Assignment: organization-defined physical spaces containing one or more components of the system].", + "Attributes": [ + { + "ItemId": "pe_6_4", + "Section": "Physical And Environmental Protection (PE)", + "SubSection": "Monitoring Physical Access (PE-6)", + "Service": "guarduty" + } + ], + "Checks": [ + "guardduty_is_enabled" + ] + }, + { + "Id": "pm_11_b", + "Name": "PM-11(b)", + "Description": "Determine information protection and personally identifiable information processing needs arising from the defined mission and business processes.", + "Attributes": [ + { + "ItemId": "pm_11_b", + "Section": "Program Management (PM)", + "SubSection": "Mission And Business Process Defination (PM-11)", + "Service": "aws" + } + ], + "Checks": [ + "cloudtrail_log_file_validation_enabled", + "s3_bucket_default_encryption", + "s3_bucket_secure_transport_policy", + "s3_bucket_object_versioning" + ] + }, + { + "Id": "pm_14_a_1", + "Name": "PM-14(a)(1)", + "Description": "a. Implement a process for ensuring that organizational plans for conducting security and privacy testing, training, and monitoring activities associated with organizational systems: 1. 
Are developed and maintained.", + "Attributes": [ + { + "ItemId": "pm_14_a_1", + "Section": "Program Management (PM)", + "SubSection": "Testing, Training, And Monitoring (PM-14)", + "Service": "aws" + } + ], + "Checks": [ + "apigateway_logging_enabled", + "cloudtrail_multi_region_enabled", + "cloudtrail_s3_dataevents_read_enabled", + "cloudtrail_s3_dataevents_write_enabled", + "cloudtrail_multi_region_enabled", + "cloudtrail_cloudwatch_logging_enabled", + "cloudwatch_changes_to_network_acls_alarm_configured", + "cloudwatch_changes_to_network_gateways_alarm_configured", + "cloudwatch_changes_to_network_route_tables_alarm_configured", + "cloudwatch_changes_to_vpcs_alarm_configured", + "cloudwatch_log_group_retention_policy_specific_days_enabled", + "elbv2_logging_enabled", + "elb_logging_enabled", + "guardduty_is_enabled", + "rds_instance_enhanced_monitoring_enabled", + "rds_instance_integration_cloudwatch_logs", + "redshift_cluster_audit_logging", + "s3_bucket_server_access_logging_enabled", + "securityhub_enabled", + "vpc_flow_logs_enabled" + ] + }, + { + "Id": "pm_14_b", + "Name": "PM-14(b)", + "Description": "Review testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.", + "Attributes": [ + { + "ItemId": "pm_14_b", + "Section": "Program Management (PM)", + "SubSection": "Testing, Training, And Monitoring (PM-14)", + "Service": "aws" + } + ], + "Checks": [ + "apigateway_logging_enabled", + "cloudtrail_multi_region_enabled", + "cloudtrail_s3_dataevents_read_enabled", + "cloudtrail_s3_dataevents_write_enabled", + "cloudtrail_multi_region_enabled", + "cloudtrail_cloudwatch_logging_enabled", + "cloudwatch_changes_to_network_acls_alarm_configured", + "cloudwatch_changes_to_network_gateways_alarm_configured", + "cloudwatch_changes_to_network_route_tables_alarm_configured", + "cloudwatch_changes_to_vpcs_alarm_configured", + 
"cloudwatch_log_group_retention_policy_specific_days_enabled", + "elbv2_logging_enabled", + "elb_logging_enabled", + "guardduty_is_enabled", + "rds_instance_enhanced_monitoring_enabled", + "rds_instance_integration_cloudwatch_logs", + "redshift_cluster_audit_logging", + "s3_bucket_server_access_logging_enabled", + "securityhub_enabled", + "vpc_flow_logs_enabled" + ] + }, + { + "Id": "pm_16", + "Name": "Threat Awareness Program (PM-16)", + "Description": "Implement a threat awareness program that includes a cross-organization information-sharing capability for threat intelligence.", + "Attributes": [ + { + "ItemId": "pm_16", + "Section": "Program Management (PM)", + "Service": "guarduty" + } + ], + "Checks": [ + "guardduty_is_enabled" + ] + }, + { + "Id": "pm_17_b", + "Name": "PM-17(b)", + "Description": "Review and update the policy and procedures [Assignment: organization-defined frequency].", + "Attributes": [ + { + "ItemId": "pm_17_b", + "Section": "Program Management (PM)", + "SubSection": "Protecting Controlled Unclassified Information On External Systems (PM-17)", + "Service": "aws" + } + ], + "Checks": [ + "apigateway_client_certificate_enabled", + "cloudtrail_log_file_validation_enabled", + "elb_ssl_listeners", + "opensearch_service_domains_node_to_node_encryption_enabled", + "s3_bucket_secure_transport_policy", + "s3_bucket_object_versioning" + ] + }, + { + "Id": "pm_21_b", + "Name": "PM-21(b)", + "Description": "Retain the accounting of disclosures for the length of the time the personally identifiable information is maintained or five years after the disclosure is made, whichever is longer.", + "Attributes": [ + { + "ItemId": "pm_21_b", + "Section": "Program Management (PM)", + "SubSection": "Accounting Of Disclosures (PM-21)", + "Service": "cloudwatch" + } + ], + "Checks": [ + "cloudwatch_log_group_retention_policy_specific_days_enabled" + ] + }, + { + "Id": "pm_31", + "Name": "Continuous Monitoring Strategy (PM-31)", + "Description": "Develop an 
organization-wide continuous monitoring strategy and implement continuous monitoring programs that include: a. Establishing the following organization-wide metrics to be monitored: [Assignment: organization-defined metrics]; b. Establishing [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessment of control effectiveness; c. Ongoing monitoring of organizationally-defined metrics in accordance with the continuous monitoring strategy; d. Correlation and analysis of information generated by control assessments and monitoring; e. Response actions to address results of the analysis of control assessment and monitoring information; and f. Reporting the security and privacy status of organizational systems to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency].", + "Attributes": [ + { + "ItemId": "pm_31", + "Section": "Program Management (PM)", + "Service": "aws" + } + ], + "Checks": [ + "apigateway_logging_enabled", + "cloudtrail_multi_region_enabled", + "cloudtrail_s3_dataevents_read_enabled", + "cloudtrail_s3_dataevents_write_enabled", + "cloudtrail_multi_region_enabled", + "cloudtrail_cloudwatch_logging_enabled", + "cloudwatch_changes_to_network_acls_alarm_configured", + "cloudwatch_changes_to_network_gateways_alarm_configured", + "cloudwatch_changes_to_network_route_tables_alarm_configured", + "cloudwatch_changes_to_vpcs_alarm_configured", + "cloudwatch_log_group_retention_policy_specific_days_enabled", + "elbv2_logging_enabled", + "elb_logging_enabled", + "guardduty_is_enabled", + "rds_instance_enhanced_monitoring_enabled", + "rds_instance_integration_cloudwatch_logs", + "redshift_cluster_audit_logging", + "s3_bucket_server_access_logging_enabled", + "securityhub_enabled", + "vpc_flow_logs_enabled" + ] + }, + { + "Id": "ra_1_a", + "Name": "RA-1(a)", + "Description": "Establish and maintain a cyber threat hunting capability to: 1. 
Search for indicators of compromise in organizational systems; and 2. Detect, track, and disrupt threats that evade existing controls.", + "Attributes": [ + { + "ItemId": "ra_1_a", + "Section": "Risk Assessment (RA)", + "SubSection": "Policy And Procedures (RA-1)", + "Service": "guarduty" + } + ], + "Checks": [ + "guardduty_is_enabled" + ] + }, + { + "Id": "ra_1_a_1", + "Name": "RA-1(a)(1)", + "Description": "Establish and maintain a cyber threat hunting capability to: 1. Search for indicators of compromise in organizational systems.", + "Attributes": [ + { + "ItemId": "ra_1_a_1", + "Section": "Risk Assessment (RA)", + "SubSection": "Policy And Procedures (RA-1)", + "SubGroup": "RA-1(a)", + "Service": "guarduty" + } + ], + "Checks": [ + "guardduty_is_enabled" + ] + }, + { + "Id": "ra_1_a_2", + "Name": "RA-1(a)(2)", + "Description": "a. Establish and maintain a cyber threat hunting capability to: 2. Detect, track, and disrupt threats that evade existing controls.", + "Attributes": [ + { + "ItemId": "ra_1_a_2", + "Section": "Risk Assessment (RA)", + "SubSection": "Policy And Procedures (RA-1)", + "SubGroup": "RA-1(a)", + "Service": "guarduty" + } + ], + "Checks": [ + "guardduty_is_enabled" + ] + }, + { + "Id": "ra_3_4", + "Name": "RA-3(4) Predictive Cyber Analytics", + "Description": "Employ the following advanced automation and analytics capabilities to predict and identify risks to [Assignment: organization-defined systems or system components]: [Assignment: organization-defined advanced automation and analytics capabilities].", + "Attributes": [ + { + "ItemId": "ra_3_4", + "Section": "Risk Assessment (RA)", + "SubSection": "Risk Assessment (RA-3)", + "Service": "guarduty" + } + ], + "Checks": [ + "guardduty_is_enabled" + ] + }, + { + "Id": "ra_3_a_1", + "Name": "RA-3(a)(1)", + "Description": "a. Conduct a risk assessment, including: 1. 
Identifying threats to and vulnerabilities in the system.", + "Attributes": [ + { + "ItemId": "ra_3_a_1", + "Section": "Risk Assessment (RA)", + "SubSection": "Risk Assessment (RA-3)", + "Service": "guarduty" + } + ], + "Checks": [ + "guardduty_is_enabled", + "ssm_managed_compliant_patching" + ] + }, + { + "Id": "ra_5_a", + "Name": "RA-5(a)", + "Description": "Monitor and scan for vulnerabilities in the system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system are identified and reported.", + "Attributes": [ + { + "ItemId": "ra_5_a", + "Section": "Risk Assessment (RA)", + "SubSection": "Vulnerability Monitoring And Scanning (RA-5)", + "Service": "guarduty" + } + ], + "Checks": [ + "guardduty_is_enabled" + ] + }, + { + "Id": "ra_5_4", + "Name": "RA-5(4) Discoverable Information", + "Description": "Determine information about the system that is discoverable and take [Assignment: organization-defined corrective actions].", + "Attributes": [ + { + "ItemId": "ra_5_4", + "Section": "Risk Assessment (RA)", + "SubSection": "Vulnerability Monitoring And Scanning (RA-5)", + "Service": "guarduty" + } + ], + "Checks": [ + "guardduty_is_enabled" + ] + }, + { + "Id": "ra_10_a", + "Name": "RA-10(a)", + "Description": "Establish and maintain a cyber threat hunting capability to: 1. Search for indicators of compromise in organizational systems; and 2. Detect, track, and disrupt threats that evade existings.", + "Attributes": [ + { + "ItemId": "ra_10_a", + "Section": "Risk Assessment (RA)", + "SubSection": "Threat Hunting (RA-10)", + "Service": "guarduty" + } + ], + "Checks": [ + "guardduty_is_enabled" + ] + }, + { + "Id": "ra_10_a_1", + "Name": "RA-10(a)(1)", + "Description": "Establish and maintain a cyber threat hunting capability to: 1. Search for indicators of compromise in organizational systems; and 2. 
Detect, track, and disrupt threats that evade existings.",
+ "Attributes": [
+ {
+ "ItemId": "ra_10_a_1",
+ "Section": "Risk Assessment (RA)",
+ "SubSection": "Threat Hunting (RA-10)",
+ "SubGroup": "RA-10(a)",
+ "Service": "guarduty"
+ }
+ ],
+ "Checks": [
+ "guardduty_is_enabled"
+ ]
+ },
+ {
+ "Id": "ra_10_a_2",
+ "Name": "RA-10(a)(2)",
+ "Description": "a. Establish and maintain a cyber threat hunting capability to: 2. Detect, track, and disrupt threats that evade existings.",
+ "Attributes": [
+ {
+ "ItemId": "ra_10_a_2",
+ "Section": "Risk Assessment (RA)",
+ "SubSection": "Threat Hunting (RA-10)",
+ "SubGroup": "RA-10(a)",
+ "Service": "guarduty"
+ }
+ ],
+ "Checks": [
+ "guardduty_is_enabled"
+ ]
+ },
+ {
+ "Id": "sa_1_1",
+ "Name": "SA-1(1)",
+ "Description": "Require the developer of the system, system component, or system service to enable integrity verification of software and firmware components.",
+ "Attributes": [
+ {
+ "ItemId": "sa_1_1",
+ "Section": "System and Services Acquisition (SA)",
+ "SubSection": "Policy And Procedures (SA-1)",
+ "Service": "cloudtrail"
+ }
+ ],
+ "Checks": [
+ "cloudtrail_log_file_validation_enabled"
+ ]
+ },
+ {
+ "Id": "sa_9_6",
+ "Name": "SA-9(6) Organization-Controlled Cryptographic Keys",
+ "Description": "Maintain exclusive control of cryptographic keys for encrypted material stored or transmitted through an external system.",
+ "Attributes": [
+ {
+ "ItemId": "sa_9_6",
+ "Section": "System and Services Acquisition (SA)",
+ "SubSection": "External System Services (SA-9)",
+ "Service": "kms"
+ }
+ ],
+ "Checks": [
+ "kms_cmk_rotation_enabled"
+ ]
+ },
+ {
+ "Id": "sa_10_1",
+ "Name": "SA-10(1) Software And Firmware Integrity Verification",
+ "Description": "Require the developer of the system, system component, or system service to enable integrity verification of software and firmware components.",
+ "Attributes": [
+ {
+ "ItemId": "sa_10_1",
+ "Section": "System and Services Acquisition (SA)",
+ "SubSection": 
"Developer Configuration Management (SA-10)",
+ "Service": "kms"
+ }
+ ],
+ "Checks": [
+ "cloudtrail_log_file_validation_enabled"
+ ]
+ },
+ {
+ "Id": "sa_15_a_4",
+ "Name": "SA-15(a)(4)",
+ "Description": "a. Require the developer of the system, system component, or system service to follow a documented development process that: 4. Documents, manages, and ensures the integrity of changes to the process and/or tools used in development.",
+ "Attributes": [
+ {
+ "ItemId": "sa_15_a_4",
+ "Section": "System and Services Acquisition (SA)",
+ "SubSection": "Development Process, Standards, And Tools (SA-15)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "elbv2_deletion_protection",
+ "rds_instance_deletion_protection"
+ ]
+ },
+ {
+ "Id": "sc_5_1",
+ "Name": "SC-5(1) Restrict Ability TO Attack Other Systems",
+ "Description": "Restrict the ability of individuals to launch the following denial-of-service attacks against other systems: [Assignment: organization-defined denial-of-service attacks].",
+ "Attributes": [
+ {
+ "ItemId": "sc_5_1",
+ "Section": "System and Communications Protection (SC)",
+ "SubSection": "Denial Of Service Protection (SC-5)",
+ "Service": "guarduty"
+ }
+ ],
+ "Checks": [
+ "guardduty_is_enabled"
+ ]
+ },
+ {
+ "Id": "sc_5_2",
+ "Name": "SC-5(2) Capacity, Bandwidth, And Redundancy",
+ "Description": "Manage capacity, bandwidth, or other redundancy to limit the effects of information flooding denial-of-service attacks.",
+ "Attributes": [
+ {
+ "ItemId": "sc_5_2",
+ "Section": "System and Communications Protection (SC)",
+ "SubSection": "Denial Of Service Protection (SC-5)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "dynamodb_tables_pitr_enabled",
+ "efs_have_backup_enabled",
+ "elbv2_deletion_protection",
+ "rds_instance_backup_enabled",
+ "rds_instance_deletion_protection",
+ "rds_instance_multi_az",
+ "rds_instance_backup_enabled",
+ "redshift_cluster_automated_snapshot",
+ "redshift_cluster_automatic_upgrades",
+ 
"s3_bucket_object_versioning"
+ ]
+ },
+ {
+ "Id": "sc_5_3_a",
+ "Name": "SC-5(3)(a)",
+ "Description": "Employ the following monitoring tools to detect indicators of denial-of-service attacks against, or launched from, the system: [Assignment: organization-defined monitoring tools].",
+ "Attributes": [
+ {
+ "ItemId": "sc_5_3_a",
+ "Section": "System and Communications Protection (SC)",
+ "SubSection": "Denial Of Service Protection (SC-5)",
+ "SubGroup": "SC-5(3) Detection And Monitoring",
+ "Service": "guarduty"
+ }
+ ],
+ "Checks": [
+ "guardduty_is_enabled"
+ ]
+ },
+ {
+ "Id": "sc_5_3_b",
+ "Name": "SC-5(3)(b)",
+ "Description": "Monitor the following system resources to determine if sufficient resources exist to prevent effective denial-of-service attacks: [Assignment: organization-defined system resources].",
+ "Attributes": [
+ {
+ "ItemId": "sc_5_3_b",
+ "Section": "System and Communications Protection (SC)",
+ "SubSection": "Denial Of Service Protection (SC-5)",
+ "SubGroup": "SC-5(3) Detection And Monitoring",
+ "Service": "guarduty"
+ }
+ ],
+ "Checks": [
+ "guardduty_is_enabled"
+ ]
+ },
+ {
+ "Id": "sc_5_a",
+ "Name": "SC-5(a)",
+ "Description": "[Selection: Protect against; Limit] the effects of the following types of denial-of-service events: [Assignment: organization-defined types of denial-of-service events].",
+ "Attributes": [
+ {
+ "ItemId": "sc_5_a",
+ "Section": "System and Communications Protection (SC)",
+ "SubSection": "Denial Of Service Protection (SC-5)",
+ "Service": "guarduty"
+ }
+ ],
+ "Checks": [
+ "guardduty_is_enabled"
+ ]
+ },
+ {
+ "Id": "sc_5_b",
+ "Name": "SC-5(b)",
+ "Description": "Employ the following controls to achieve the denial-of-service objective: [Assignment: organization-defined controls by type of denial-of-service event].",
+ "Attributes": [
+ {
+ "ItemId": "sc_5_b",
+ "Section": "System and Communications Protection (SC)",
+ "SubSection": "Denial Of Service Protection (SC-5)",
+ "Service": "guarduty"
+ }
+ ],
+ 
"Checks": [
+ "guardduty_is_enabled"
+ ]
+ },
+ {
+ "Id": "sc_6",
+ "Name": "Resource Availability (SC-6)",
+ "Description": "Protect the availability of resources by allocating [Assignment: organization-defined resources] by [Selection (one or more): priority; quota; [Assignment: organization-defined controls]].",
+ "Attributes": [
+ {
+ "ItemId": "sc_6",
+ "Section": "System and Communications Protection (SC)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "rds_instance_multi_az"
+ ]
+ },
+ {
+ "Id": "sc_7_2",
+ "Name": "SC-7(2) Public Access",
+ "Description": "Provide the capability to dynamically isolate [Assignment: organization-defined system components] from other system components.",
+ "Attributes": [
+ {
+ "ItemId": "sc_7_2",
+ "Section": "System and Communications Protection (SC)",
+ "SubSection": "Boundary Protection (SC-7)",
+ "Service": "guarduty"
+ }
+ ],
+ "Checks": [
+ "ec2_ebs_public_snapshot",
+ "ec2_instance_public_ip",
+ "emr_cluster_master_nodes_no_public_ip",
+ "awslambda_function_not_publicly_accessible",
+ "awslambda_function_url_public",
+ "rds_instance_no_public_access",
+ "rds_snapshots_public_access",
+ "redshift_cluster_public_access",
+ "s3_bucket_public_access",
+ "s3_bucket_policy_public_write_access",
+ "s3_account_level_public_access_blocks",
+ "s3_bucket_public_access",
+ "sagemaker_notebook_instance_without_direct_internet_access_configured"
+ ]
+ },
+ {
+ "Id": "sc_7_3",
+ "Name": "SC-7(3) Access Points",
+ "Description": "Limit the number of external network connections to the system.",
+ "Attributes": [
+ {
+ "ItemId": "sc_7_3",
+ "Section": "System and Communications Protection (SC)",
+ "SubSection": "Boundary Protection (SC-7)",
+ "Service": "guarduty"
+ }
+ ],
+ "Checks": [
+ "ec2_ebs_public_snapshot",
+ "ec2_instance_public_ip",
+ "emr_cluster_master_nodes_no_public_ip",
+ "awslambda_function_not_publicly_accessible",
+ "awslambda_function_url_public",
+ "rds_instance_no_public_access",
+ "rds_snapshots_public_access",
+ 
"redshift_cluster_public_access",
+ "s3_bucket_public_access",
+ "s3_bucket_policy_public_write_access",
+ "s3_account_level_public_access_blocks",
+ "s3_bucket_public_access",
+ "sagemaker_notebook_instance_without_direct_internet_access_configured"
+ ]
+ },
+ {
+ "Id": "sc_7_4_b",
+ "Name": "SC-7(4)(b)",
+ "Description": "Establish a traffic flow policy for each managed interface.",
+ "Attributes": [
+ {
+ "ItemId": "sc_7_4_b",
+ "Section": "System and Communications Protection (SC)",
+ "SubSection": "Boundary Protection (SC-7)",
+ "SubGroup": "SC-7(4) External Telecommunications Services",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "apigateway_client_certificate_enabled",
+ "elb_ssl_listeners",
+ "opensearch_service_domains_node_to_node_encryption_enabled",
+ "s3_bucket_secure_transport_policy"
+ ]
+ },
+ {
+ "Id": "sc_7_4_g",
+ "Name": "SC-7(4)(g)",
+ "Description": "Publish information to enable remote networks to detect unauthorized control plane traffic from internal networks.",
+ "Attributes": [
+ {
+ "ItemId": "sc_7_4_g",
+ "Section": "System and Communications Protection (SC)",
+ "SubSection": "Boundary Protection (SC-7)",
+ "SubGroup": "SC-7(4) External Telecommunications Services",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "apigateway_client_certificate_enabled",
+ "elb_ssl_listeners",
+ "opensearch_service_domains_node_to_node_encryption_enabled",
+ "s3_bucket_secure_transport_policy"
+ ]
+ },
+ {
+ "Id": "sc_7_5",
+ "Name": "SC-7(5) Deny By Default — Allow By Exception",
+ "Description": "Deny network communications traffic by default and allow network communications traffic by exception [Selection (one or more): at managed interfaces; for [Assignment: organization-defined systems]].",
+ "Attributes": [
+ {
+ "ItemId": "sc_7_5",
+ "Section": "System and Communications Protection (SC)",
+ "SubSection": "Boundary Protection (SC-7)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "apigateway_client_certificate_enabled",
+ "elb_ssl_listeners",
+ 
"s3_bucket_secure_transport_policy",
+ "ec2_securitygroup_default_restrict_traffic",
+ "ec2_networkacl_allow_ingress_any_port",
+ "ec2_networkacl_allow_ingress_any_port"
+ ]
+ },
+ {
+ "Id": "sc_7_7",
+ "Name": "SC-7(7) Split Tunneling For Remote Devices",
+ "Description": "Prevent split tunneling for remote devices connecting to organizational systems unless the split tunnel is securely provisioned using [Assignment: organization-defined safeguards].",
+ "Attributes": [
+ {
+ "ItemId": "sc_7_7",
+ "Section": "System and Communications Protection (SC)",
+ "SubSection": "Boundary Protection (SC-7)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "ec2_ebs_public_snapshot",
+ "ec2_instance_public_ip",
+ "emr_cluster_master_nodes_no_public_ip",
+ "awslambda_function_url_public",
+ "rds_instance_no_public_access",
+ "rds_snapshots_public_access",
+ "redshift_cluster_public_access",
+ "s3_bucket_public_access",
+ "s3_bucket_policy_public_write_access",
+ "s3_account_level_public_access_blocks",
+ "s3_bucket_public_access",
+ "sagemaker_notebook_instance_without_direct_internet_access_configured",
+ "ec2_securitygroup_default_restrict_traffic",
+ "ec2_networkacl_allow_ingress_any_port",
+ "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
+ "ec2_networkacl_allow_ingress_any_port"
+ ]
+ },
+ {
+ "Id": "sc_7_9_a",
+ "Name": "SC-7(9)(a)",
+ "Description": "Detect and deny outgoing communications traffic posing a threat to external systems.",
+ "Attributes": [
+ {
+ "ItemId": "sc_7_9_a",
+ "Section": "System and Communications Protection (SC)",
+ "SubSection": "Boundary Protection (SC-7)",
+ "SubGroup": "SC-7(9) Restrict Threatening Outgoing Communications Traffic",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "ec2_ebs_public_snapshot",
+ "ec2_instance_public_ip",
+ "emr_cluster_master_nodes_no_public_ip",
+ "awslambda_function_not_publicly_accessible",
+ "awslambda_function_url_public",
+ "rds_instance_no_public_access",
+ "rds_snapshots_public_access",
+ 
"redshift_cluster_public_access",
+ "s3_bucket_public_access",
+ "s3_bucket_policy_public_write_access",
+ "s3_account_level_public_access_blocks",
+ "s3_bucket_public_access",
+ "sagemaker_notebook_instance_without_direct_internet_access_configured"
+ ]
+ },
+ {
+ "Id": "sc_7_9_b",
+ "Name": "SC-7(9)(b)",
+ "Description": "Audit the identity of internal users associated with denied communications.",
+ "Attributes": [
+ {
+ "ItemId": "sc_7_9_b",
+ "Section": "System and Communications Protection (SC)",
+ "SubSection": "Boundary Protection (SC-7)",
+ "SubGroup": "SC-7(9) Restrict Threatening Outgoing Communications Traffic",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "apigateway_logging_enabled",
+ "cloudtrail_multi_region_enabled",
+ "cloudtrail_s3_dataevents_read_enabled",
+ "cloudtrail_s3_dataevents_write_enabled",
+ "cloudtrail_multi_region_enabled",
+ "cloudtrail_cloudwatch_logging_enabled",
+ "elbv2_logging_enabled",
+ "elb_logging_enabled",
+ "rds_instance_integration_cloudwatch_logs",
+ "redshift_cluster_audit_logging",
+ "s3_bucket_server_access_logging_enabled"
+ ]
+ },
+ {
+ "Id": "sc_7_11",
+ "Name": "SC-7(11) Restrict Incoming communications Traffic",
+ "Description": "Only allow incoming communications from [Assignment: organization-defined authorized sources] to be routed to [Assignment: organization-defined authorized destinations].",
+ "Attributes": [
+ {
+ "ItemId": "sc_7_11",
+ "Section": "System and Communications Protection (SC)",
+ "SubSection": "Boundary Protection (SC-7)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "ec2_ebs_public_snapshot",
+ "ec2_instance_public_ip",
+ "emr_cluster_master_nodes_no_public_ip",
+ "awslambda_function_not_publicly_accessible",
+ "awslambda_function_url_public",
+ "rds_instance_no_public_access",
+ "rds_snapshots_public_access",
+ "redshift_cluster_public_access",
+ "s3_bucket_public_access",
+ "s3_bucket_policy_public_write_access",
+ "s3_account_level_public_access_blocks",
+ "s3_bucket_public_access",
+ 
"sagemaker_notebook_instance_without_direct_internet_access_configured",
+ "ec2_securitygroup_default_restrict_traffic",
+ "ec2_networkacl_allow_ingress_any_port",
+ "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
+ "ec2_networkacl_allow_ingress_any_port"
+ ]
+ },
+ {
+ "Id": "sc_7_12",
+ "Name": "SC-7(12) Host-Based Protection",
+ "Description": "Implement [Assignment: organization-defined host-based boundary protection mechanisms] at [Assignment: organization-defined system components].",
+ "Attributes": [
+ {
+ "ItemId": "sc_7_12",
+ "Section": "System and Communications Protection (SC)",
+ "SubSection": "Boundary Protection (SC-7)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "acm_certificates_expiration_check",
+ "ec2_ebs_public_snapshot",
+ "ec2_instance_public_ip",
+ "emr_cluster_master_nodes_no_public_ip",
+ "awslambda_function_not_publicly_accessible",
+ "awslambda_function_url_public",
+ "rds_instance_no_public_access",
+ "rds_snapshots_public_access",
+ "redshift_cluster_public_access",
+ "s3_bucket_public_access",
+ "s3_bucket_policy_public_write_access",
+ "s3_account_level_public_access_blocks",
+ "sagemaker_notebook_instance_without_direct_internet_access_configured",
+ "ec2_securitygroup_default_restrict_traffic",
+ "ec2_networkacl_allow_ingress_any_port",
+ "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
+ "ec2_networkacl_allow_ingress_any_port"
+ ]
+ },
+ {
+ "Id": "sc_7_16",
+ "Name": "SC-7(16) Prevent Discovery Of System Components",
+ "Description": "Prevent the discovery of specific system components that represent a managed interface.",
+ "Attributes": [
+ {
+ "ItemId": "sc_7_16",
+ "Section": "System and Communications Protection (SC)",
+ "SubSection": "Boundary Protection (SC-7)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "acm_certificates_expiration_check",
+ "ec2_ebs_public_snapshot",
+ "ec2_instance_public_ip",
+ "emr_cluster_master_nodes_no_public_ip",
+ "awslambda_function_not_publicly_accessible",
+ 
"awslambda_function_url_public",
+ "rds_instance_no_public_access",
+ "rds_snapshots_public_access",
+ "redshift_cluster_public_access",
+ "s3_bucket_public_access",
+ "s3_bucket_policy_public_write_access",
+ "s3_account_level_public_access_blocks",
+ "sagemaker_notebook_instance_without_direct_internet_access_configured",
+ "ec2_securitygroup_default_restrict_traffic",
+ "ec2_networkacl_allow_ingress_any_port",
+ "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
+ "ec2_networkacl_allow_ingress_any_port"
+ ]
+ },
+ {
+ "Id": "sc_7_20",
+ "Name": "SC-7(20) Prevent Discovery Of System Components",
+ "Description": "Prevent the discovery of specific system components that represent a managed interface.",
+ "Attributes": [
+ {
+ "ItemId": "sc_7_20",
+ "Section": "System and Communications Protection (SC)",
+ "SubSection": "Boundary Protection (SC-7)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "ec2_ebs_public_snapshot",
+ "ec2_instance_public_ip",
+ "emr_cluster_master_nodes_no_public_ip",
+ "awslambda_function_not_publicly_accessible",
+ "awslambda_function_url_public",
+ "rds_instance_no_public_access",
+ "rds_snapshots_public_access",
+ "redshift_cluster_public_access",
+ "s3_bucket_public_access",
+ "s3_bucket_policy_public_write_access",
+ "s3_account_level_public_access_blocks",
+ "s3_bucket_public_access",
+ "sagemaker_notebook_instance_without_direct_internet_access_configured"
+ ]
+ },
+ {
+ "Id": "sc_7_21",
+ "Name": "SC-7(21) Isolation Of System Components",
+ "Description": "Employ boundary protection mechanisms to isolate [Assignment: organization-defined system components] supporting [Assignment: organization-defined missions and/or business functions].",
+ "Attributes": [
+ {
+ "ItemId": "sc_7_21",
+ "Section": "System and Communications Protection (SC)",
+ "SubSection": "Boundary Protection (SC-7)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "ec2_ebs_public_snapshot",
+ "ec2_instance_public_ip",
+ 
"emr_cluster_master_nodes_no_public_ip",
+ "awslambda_function_not_publicly_accessible",
+ "awslambda_function_url_public",
+ "rds_instance_no_public_access",
+ "rds_snapshots_public_access",
+ "redshift_cluster_public_access",
+ "s3_bucket_public_access",
+ "s3_bucket_policy_public_write_access",
+ "s3_account_level_public_access_blocks",
+ "s3_bucket_public_access",
+ "sagemaker_notebook_instance_without_direct_internet_access_configured",
+ "ec2_securitygroup_default_restrict_traffic",
+ "ec2_networkacl_allow_ingress_any_port",
+ "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
+ "ec2_networkacl_allow_ingress_any_port"
+ ]
+ },
+ {
+ "Id": "sc_7_24_b",
+ "Name": "SC-7(24)(b)",
+ "Description": "For systems that process personally identifiable information: (b) Monitor for permitted processing at the external interfaces to the system and at key internal boundaries within the system.",
+ "Attributes": [
+ {
+ "ItemId": "sc_7_24_b",
+ "Section": "System and Communications Protection (SC)",
+ "SubSection": "Boundary Protection (SC-7)",
+ "SubGroup": "SC-7(24) Personally Identifiable Information",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "ec2_ebs_public_snapshot",
+ "ec2_instance_public_ip",
+ "emr_cluster_master_nodes_no_public_ip",
+ "awslambda_function_not_publicly_accessible",
+ "awslambda_function_url_public",
+ "rds_instance_no_public_access",
+ "rds_snapshots_public_access",
+ "redshift_cluster_public_access",
+ "s3_bucket_public_access",
+ "s3_bucket_policy_public_write_access",
+ "s3_account_level_public_access_blocks",
+ "s3_bucket_public_access",
+ "sagemaker_notebook_instance_without_direct_internet_access_configured",
+ "ec2_securitygroup_default_restrict_traffic",
+ "ec2_networkacl_allow_ingress_any_port",
+ "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
+ "ec2_networkacl_allow_ingress_any_port"
+ ]
+ },
+ {
+ "Id": "sc_7_25",
+ "Name": "SC-7(25) Unclassified National Security System Connections",
+ "Description": 
"Prohibit the direct connection of [Assignment: organization-defined unclassified national security system] to an external network without the use of [Assignment: organization-defined boundary protection device].",
+ "Attributes": [
+ {
+ "ItemId": "sc_7_25",
+ "Section": "System and Communications Protection (SC)",
+ "SubSection": "Boundary Protection (SC-7)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "ec2_ebs_public_snapshot",
+ "ec2_instance_public_ip",
+ "emr_cluster_master_nodes_no_public_ip",
+ "awslambda_function_url_public",
+ "rds_instance_no_public_access",
+ "rds_snapshots_public_access",
+ "redshift_cluster_public_access",
+ "s3_bucket_public_access",
+ "s3_bucket_policy_public_write_access",
+ "s3_account_level_public_access_blocks",
+ "s3_bucket_public_access",
+ "sagemaker_notebook_instance_without_direct_internet_access_configured",
+ "ec2_securitygroup_default_restrict_traffic",
+ "ec2_networkacl_allow_ingress_any_port",
+ "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22"
+ ]
+ },
+ {
+ "Id": "sc_7_26",
+ "Name": "SC-7(26) Classified National Security System Connections",
+ "Description": "Prohibit the direct connection of a classified national security system to an external network without the use of [Assignment: organization-defined boundary protection device].",
+ "Attributes": [
+ {
+ "ItemId": "sc_7_26",
+ "Section": "System and Communications Protection (SC)",
+ "SubSection": "Boundary Protection (SC-7)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "ec2_ebs_public_snapshot",
+ "ec2_instance_public_ip",
+ "emr_cluster_master_nodes_no_public_ip",
+ "awslambda_function_url_public",
+ "rds_instance_no_public_access",
+ "rds_snapshots_public_access",
+ "redshift_cluster_public_access",
+ "s3_bucket_public_access",
+ "s3_bucket_policy_public_write_access",
+ "s3_account_level_public_access_blocks",
+ "s3_bucket_public_access",
+ "sagemaker_notebook_instance_without_direct_internet_access_configured",
+ 
"ec2_securitygroup_default_restrict_traffic",
+ "ec2_networkacl_allow_ingress_any_port",
+ "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22"
+ ]
+ },
+ {
+ "Id": "sc_7_27",
+ "Name": "SC-7(27) Unclassified Non-National Security System Connections",
+ "Description": "Prohibit the direct connection of [Assignment: organization-defined unclassified non-national security system] to an external network without the use of [Assignment: organization-defined boundary protection device].",
+ "Attributes": [
+ {
+ "ItemId": "sc_7_27",
+ "Section": "System and Communications Protection (SC)",
+ "SubSection": "Boundary Protection (SC-7)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "ec2_ebs_public_snapshot",
+ "ec2_instance_public_ip",
+ "emr_cluster_master_nodes_no_public_ip",
+ "awslambda_function_url_public",
+ "rds_instance_no_public_access",
+ "rds_snapshots_public_access",
+ "redshift_cluster_public_access",
+ "s3_bucket_public_access",
+ "s3_bucket_policy_public_write_access",
+ "s3_account_level_public_access_blocks",
+ "s3_bucket_public_access",
+ "sagemaker_notebook_instance_without_direct_internet_access_configured",
+ "ec2_securitygroup_default_restrict_traffic",
+ "ec2_networkacl_allow_ingress_any_port",
+ "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22"
+ ]
+ },
+ {
+ "Id": "sc_7_28",
+ "Name": "SC-7(28) Connections To Public Networks",
+ "Description": "Prohibit the direct connection of [Assignment: organization-defined system] to a public network.",
+ "Attributes": [
+ {
+ "ItemId": "sc_7_28",
+ "Section": "System and Communications Protection (SC)",
+ "SubSection": "Boundary Protection (SC-7)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "ec2_ebs_public_snapshot",
+ "ec2_instance_public_ip",
+ "emr_cluster_master_nodes_no_public_ip",
+ "awslambda_function_url_public",
+ "rds_instance_no_public_access",
+ "rds_snapshots_public_access",
+ "redshift_cluster_public_access",
+ "s3_bucket_public_access",
+ 
"s3_bucket_policy_public_write_access",
+ "s3_account_level_public_access_blocks",
+ "s3_bucket_public_access",
+ "sagemaker_notebook_instance_without_direct_internet_access_configured",
+ "ec2_securitygroup_default_restrict_traffic",
+ "ec2_networkacl_allow_ingress_any_port",
+ "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22"
+ ]
+ },
+ {
+ "Id": "sc_7_a",
+ "Name": "SC-7(a)",
+ "Description": "Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system.",
+ "Attributes": [
+ {
+ "ItemId": "sc_7_a",
+ "Section": "System and Communications Protection (SC)",
+ "SubSection": "Boundary Protection (SC-7)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "ec2_ebs_public_snapshot",
+ "ec2_instance_public_ip",
+ "emr_cluster_master_nodes_no_public_ip",
+ "awslambda_function_not_publicly_accessible",
+ "awslambda_function_url_public",
+ "rds_instance_no_public_access",
+ "rds_snapshots_public_access",
+ "redshift_cluster_public_access",
+ "s3_bucket_public_access",
+ "s3_bucket_policy_public_write_access",
+ "s3_account_level_public_access_blocks",
+ "s3_bucket_public_access",
+ "sagemaker_notebook_instance_without_direct_internet_access_configured",
+ "ec2_securitygroup_default_restrict_traffic",
+ "ec2_networkacl_allow_ingress_any_port",
+ "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
+ "ec2_networkacl_allow_ingress_any_port"
+ ]
+ },
+ {
+ "Id": "sc_7_b",
+ "Name": "SC-7(b)",
+ "Description": "Implement subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks.",
+ "Attributes": [
+ {
+ "ItemId": "sc_7_b",
+ "Section": "System and Communications Protection (SC)",
+ "SubSection": "Boundary Protection (SC-7)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "ec2_ebs_public_snapshot",
+ "ec2_instance_public_ip",
+ "emr_cluster_master_nodes_no_public_ip",
+ 
"awslambda_function_not_publicly_accessible",
+ "awslambda_function_url_public",
+ "rds_instance_no_public_access",
+ "rds_snapshots_public_access",
+ "redshift_cluster_public_access",
+ "s3_bucket_public_access",
+ "s3_bucket_policy_public_write_access",
+ "s3_account_level_public_access_blocks",
+ "s3_bucket_public_access",
+ "sagemaker_notebook_instance_without_direct_internet_access_configured"
+ ]
+ },
+ {
+ "Id": "sc_7_c",
+ "Name": "SC-7(c)",
+ "Description": "Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.",
+ "Attributes": [
+ {
+ "ItemId": "sc_7_c",
+ "Section": "System and Communications Protection (SC)",
+ "SubSection": "Boundary Protection (SC-7)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "ec2_ebs_public_snapshot",
+ "ec2_instance_public_ip",
+ "emr_cluster_master_nodes_no_public_ip",
+ "awslambda_function_not_publicly_accessible",
+ "awslambda_function_url_public",
+ "rds_instance_no_public_access",
+ "rds_snapshots_public_access",
+ "redshift_cluster_public_access",
+ "s3_bucket_public_access",
+ "s3_bucket_policy_public_write_access",
+ "s3_account_level_public_access_blocks",
+ "s3_bucket_public_access",
+ "sagemaker_notebook_instance_without_direct_internet_access_configured",
+ "ec2_securitygroup_default_restrict_traffic",
+ "ec2_networkacl_allow_ingress_any_port",
+ "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
+ "ec2_networkacl_allow_ingress_any_port"
+ ]
+ },
+ {
+ "Id": "sc_8",
+ "Name": "Transmission Confidentiality And Integrity (SC-8)",
+ "Description": "Protect the [Selection (one or more): confidentiality; integrity] of transmitted information.",
+ "Attributes": [
+ {
+ "ItemId": "sc_8",
+ "Section": "System and Communications Protection (SC)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "apigateway_client_certificate_enabled",
+ "elb_ssl_listeners",
+ 
"opensearch_service_domains_node_to_node_encryption_enabled",
+ "s3_bucket_secure_transport_policy"
+ ]
+ },
+ {
+ "Id": "sc_8_1",
+ "Name": "SC-8(1) Cryptographic Protection",
+ "Description": "Implement cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission.",
+ "Attributes": [
+ {
+ "ItemId": "sc_8_1",
+ "Section": "System and Communications Protection (SC)",
+ "SubSection": "Transmission Confidentiality And Integrity (SC-8)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "apigateway_client_certificate_enabled",
+ "elbv2_insecure_ssl_ciphers",
+ "elb_ssl_listeners",
+ "opensearch_service_domains_node_to_node_encryption_enabled",
+ "s3_bucket_secure_transport_policy"
+ ]
+ },
+ {
+ "Id": "sc_8_2",
+ "Name": "SC-8(2) Pre- And Post-Transmission Handling",
+ "Description": "Maintain the [Selection (one or more): confidentiality; integrity] of information during preparation for transmission and during reception.",
+ "Attributes": [
+ {
+ "ItemId": "sc_8_2",
+ "Section": "System and Communications Protection (SC)",
+ "SubSection": "Transmission Confidentiality And Integrity (SC-8)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "apigateway_client_certificate_enabled",
+ "elb_ssl_listeners",
+ "opensearch_service_domains_node_to_node_encryption_enabled",
+ "s3_bucket_secure_transport_policy"
+ ]
+ },
+ {
+ "Id": "sc_8_3",
+ "Name": "SC-8(3) Cryptographic Protection For Message Externals",
+ "Description": "Implement cryptographic mechanisms to protect message externals unless otherwise protected by [Assignment: organization-defined alternative physical controls].",
+ "Attributes": [
+ {
+ "ItemId": "sc_8_3",
+ "Section": "System and Communications Protection (SC)",
+ "SubSection": "Transmission Confidentiality And Integrity (SC-8)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "apigateway_client_certificate_enabled",
+ "cloudtrail_kms_encryption_enabled",
+ 
"dynamodb_tables_kms_cmk_encryption_enabled",
+ "ec2_ebs_volume_encryption",
+ "ec2_ebs_default_encryption",
+ "efs_encryption_at_rest_enabled",
+ "elb_ssl_listeners",
+ "opensearch_service_domains_encryption_at_rest_enabled",
+ "opensearch_service_domains_node_to_node_encryption_enabled",
+ "cloudwatch_log_group_kms_encryption_enabled",
+ "rds_instance_storage_encrypted",
+ "rds_instance_storage_encrypted",
+ "redshift_cluster_audit_logging",
+ "s3_bucket_default_encryption",
+ "s3_bucket_default_encryption",
+ "s3_bucket_secure_transport_policy",
+ "sagemaker_notebook_instance_encryption_enabled",
+ "sns_topics_kms_encryption_at_rest_enabled"
+ ]
+ },
+ {
+ "Id": "sc_8_4",
+ "Name": "SC-8(4) Conceal Or Ramdomize Communications",
+ "Description": "Implement cryptographic mechanisms to conceal or randomize communication patterns unless otherwise protected by [Assignment: organization-defined alternative physical controls].",
+ "Attributes": [
+ {
+ "ItemId": "sc_8_4",
+ "Section": "System and Communications Protection (SC)",
+ "SubSection": "Transmission Confidentiality And Integrity (SC-8)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "apigateway_client_certificate_enabled",
+ "cloudtrail_kms_encryption_enabled",
+ "dynamodb_tables_kms_cmk_encryption_enabled",
+ "ec2_ebs_volume_encryption",
+ "ec2_ebs_default_encryption",
+ "efs_encryption_at_rest_enabled",
+ "elb_ssl_listeners",
+ "opensearch_service_domains_encryption_at_rest_enabled",
+ "opensearch_service_domains_node_to_node_encryption_enabled",
+ "cloudwatch_log_group_kms_encryption_enabled",
+ "rds_instance_storage_encrypted",
+ "rds_instance_storage_encrypted",
+ "redshift_cluster_audit_logging",
+ "s3_bucket_default_encryption",
+ "s3_bucket_default_encryption",
+ "s3_bucket_secure_transport_policy",
+ "sagemaker_notebook_instance_encryption_enabled",
+ "sns_topics_kms_encryption_at_rest_enabled"
+ ]
+ },
+ {
+ "Id": "sc_8_5",
+ "Name": "SC-8(5) Protected Distribution System",
+ "Description": "Implement 
[Assignment: organization-defined protected distribution system] to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission.",
+ "Attributes": [
+ {
+ "ItemId": "sc_8_5",
+ "Section": "System and Communications Protection (SC)",
+ "SubSection": "Transmission Confidentiality And Integrity (SC-8)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "apigateway_client_certificate_enabled",
+ "elb_ssl_listeners",
+ "opensearch_service_domains_node_to_node_encryption_enabled",
+ "s3_bucket_secure_transport_policy"
+ ]
+ },
+ {
+ "Id": "sc_12",
+ "Name": "Cryptographic Key Establishment And Management (SC-12)",
+ "Description": "Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction].",
+ "Attributes": [
+ {
+ "ItemId": "sc_12",
+ "Section": "System and Communications Protection (SC)",
+ "Service": "kms"
+ }
+ ],
+ "Checks": [
+ "kms_cmk_rotation_enabled"
+ ]
+ },
+ {
+ "Id": "sc_12_2",
+ "Name": "SC-12(2) Symmetric Keys",
+ "Description": "Produce, control, and distribute symmetric cryptographic keys using [Selection: NIST FIPS-validated; NSA-approved] key management technology and processes.",
+ "Attributes": [
+ {
+ "ItemId": "sc_12_2",
+ "Section": "System and Communications Protection (SC)",
+ "SubSection": "Cryptographic Key Establishment And Management (SC-12)",
+ "Service": "kms"
+ }
+ ],
+ "Checks": [
+ "kms_cmk_rotation_enabled"
+ ]
+ },
+ {
+ "Id": "sc_12_6",
+ "Name": "SC-12(6) Physical Control Of Keys",
+ "Description": "Maintain physical control of cryptographic keys when stored information is encrypted by external service providers.",
+ "Attributes": [
+ {
+ "ItemId": "sc_12_6",
+ "Section": "System and Communications Protection (SC)",
+ "SubSection": "Cryptographic Key Establishment And 
Management (SC-12)", + "Service": "kms" + } + ], + "Checks": [ + "kms_cmk_rotation_enabled" + ] + }, + { + "Id": "sc_13_a", + "Name": "SC-13(a)", + "Description": "Determine the [Assignment: organization-defined cryptographic uses].", + "Attributes": [ + { + "ItemId": "sc_13_a", + "Section": "System and Communications Protection (SC)", + "SubSection": "Cryptographic Protection (SC-13)", + "Service": "aws" + } + ], + "Checks": [ + "apigateway_client_certificate_enabled", + "cloudtrail_kms_encryption_enabled", + "dynamodb_tables_kms_cmk_encryption_enabled", + "ec2_ebs_volume_encryption", + "ec2_ebs_default_encryption", + "efs_encryption_at_rest_enabled", + "elb_ssl_listeners", + "opensearch_service_domains_encryption_at_rest_enabled", + "opensearch_service_domains_node_to_node_encryption_enabled", + "cloudwatch_log_group_kms_encryption_enabled", + "rds_instance_storage_encrypted", + "rds_instance_storage_encrypted", + "redshift_cluster_audit_logging", + "s3_bucket_default_encryption", + "s3_bucket_default_encryption", + "s3_bucket_secure_transport_policy", + "sagemaker_notebook_instance_encryption_enabled", + "sns_topics_kms_encryption_at_rest_enabled" + ] + }, + { + "Id": "sc_16_1", + "Name": "SC-16(1) Integrity Verification", + "Description": "Verify the integrity of transmitted security and privacy attributes.", + "Attributes": [ + { + "ItemId": "sc_16_1", + "Section": "System and Communications Protection (SC)", + "SubSection": "Transmission Of Security And Privacy Attributes (SC-16)", + "Service": "aws" + } + ], + "Checks": [ + "cloudtrail_log_file_validation_enabled", + "s3_bucket_default_encryption", + "s3_bucket_secure_transport_policy", + "s3_bucket_object_versioning" + ] + }, + { + "Id": "sc_22", + "Name": "Architecture And Provisioning For Name/Address Resolution Service (SC-22)", + "Description": "Ensure the systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal and external role 
separation.", + "Attributes": [ + { + "ItemId": "sc_22", + "Section": "System and Communications Protection (SC)", + "Service": "aws" + } + ], + "Checks": [ + "elbv2_deletion_protection", + "rds_instance_deletion_protection", + "rds_instance_multi_az" + ] + }, + { + "Id": "sc_23", + "Name": "Session Authenticity (SC-23)", + "Description": "Protect the authenticity of communications sessions.", + "Attributes": [ + { + "ItemId": "sc_23", + "Section": "System and Communications Protection (SC)", + "Service": "aws" + } + ], + "Checks": [ + "apigateway_client_certificate_enabled", + "elb_ssl_listeners", + "opensearch_service_domains_node_to_node_encryption_enabled", + "s3_bucket_secure_transport_policy" + ] + }, + { + "Id": "sc_23_3", + "Name": "SC-23(3) Unique System-Generated Session Identifiers", + "Description": "Generate a unique session identifier for each session with [Assignment: organization-defined randomness requirements] and recognize only session identifiers that are system-generated.", + "Attributes": [ + { + "ItemId": "sc_23_3", + "Section": "System and Communications Protection (SC)", + "SubSection": "Session Authenticity (SC-23)", + "Service": "aws" + } + ], + "Checks": [ + "ec2_instance_imdsv2_enabled", + "iam_password_policy_minimum_length_14", + "iam_policy_attached_only_to_group_or_roles", + "iam_policy_no_administrative_privileges", + "iam_root_hardware_mfa_enabled", + "iam_root_mfa_enabled", + "iam_no_root_access_key", + "iam_rotate_access_key_90_days", + "iam_user_mfa_enabled_console_access", + "iam_user_mfa_enabled_console_access", + "iam_disable_90_days_credentials", + "secretsmanager_automatic_rotation_enabled" + ] + }, + { + "Id": "sc_23_5", + "Name": "SC-23(5) Allowed Certificate Authorities", + "Description": "Only allow the use of [Assignment: organization-defined certificate authorities] for verification of the establishment of protected sessions.", + "Attributes": [ + { + "ItemId": "sc_23_5", + "Section": "System and Communications 
Protection (SC)", + "SubSection": "Session Authenticity (SC-23)", + "Service": "elb" + } + ], + "Checks": [ + "elbv2_insecure_ssl_ciphers", + "elb_ssl_listeners" + ] + }, + { + "Id": "sc_25", + "Name": "Thin Nodes (SC-25)", + "Description": "Employ minimal functionality and information storage on the following system components: [Assignment: organization-defined system components].", + "Attributes": [ + { + "ItemId": "sc_25", + "Section": "System and Communications Protection (SC)", + "Service": "aws" + } + ], + "Checks": [ + "ec2_ebs_public_snapshot", + "ec2_instance_public_ip", + "emr_cluster_master_nodes_no_public_ip", + "iam_policy_no_administrative_privileges", + "iam_no_root_access_key", + "awslambda_function_not_publicly_accessible", + "awslambda_function_url_public", + "rds_instance_no_public_access", + "rds_snapshots_public_access", + "redshift_cluster_public_access", + "s3_bucket_public_access", + "s3_bucket_policy_public_write_access", + "s3_account_level_public_access_blocks", + "s3_bucket_public_access", + "sagemaker_notebook_instance_without_direct_internet_access_configured" + ] + }, + { + "Id": "sc_28_1", + "Name": "SC-28(1) Cryptographic Protection", + "Description": "Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of the following information at rest on [Assignment: organization-defined system components or media]: [Assignment: organization-defined information].", + "Attributes": [ + { + "ItemId": "sc_28_1", + "Section": "System and Communications Protection (SC)", + "SubSection": "Protection Of Information At Rest (SC-28)", + "Service": "aws" + } + ], + "Checks": [ + "cloudtrail_kms_encryption_enabled", + "dynamodb_tables_kms_cmk_encryption_enabled", + "ec2_ebs_volume_encryption", + "ec2_ebs_default_encryption", + "efs_encryption_at_rest_enabled", + "opensearch_service_domains_encryption_at_rest_enabled", + "cloudwatch_log_group_kms_encryption_enabled", + "rds_instance_storage_encrypted", + 
"rds_instance_storage_encrypted", + "redshift_cluster_audit_logging", + "s3_bucket_default_encryption", + "s3_bucket_default_encryption", + "sagemaker_notebook_instance_encryption_enabled", + "sns_topics_kms_encryption_at_rest_enabled" + ] + }, + { + "Id": "sc_28_2", + "Name": "SC-28(2) Offline Storage", + "Description": "Remove the following information from online storage and store offline in a secure location: [Assignment: organization-defined information].", + "Attributes": [ + { + "ItemId": "sc_28_2", + "Section": "System and Communications Protection (SC)", + "SubSection": "Protection Of Information At Rest (SC-28)", + "Service": "cloudwatch" + } + ], + "Checks": [ + "cloudwatch_log_group_retention_policy_specific_days_enabled" + ] + }, + { + "Id": "sc_36", + "Name": "Distributed Processing And Storage (SC-36)", + "Description": "Distribute the following processing and storage components across multiple [Selection: physical locations; logical domains]: [Assignment: organization-defined processing and storage components].", + "Attributes": [ + { + "ItemId": "sc_36", + "Section": "System and Communications Protection (SC)", + "Service": "aws" + } + ], + "Checks": [ + "rds_instance_multi_az" + ] + }, + { + "Id": "sc_36_1_a", + "Name": "SC-36(1)(a)", + "Description": "Employ polling techniques to identify potential faults, errors, or compromises to the following processing and storage components: [Assignment: organization-defined distributed processing and storage components].", + "Attributes": [ + { + "ItemId": "sc_36_1_a", + "Section": "System and Communications Protection (SC)", + "SubSection": "Distributed Processing And Storage (SC-36)", + "Service": "aws" + } + ], + "Checks": [ + "cloudwatch_changes_to_network_acls_alarm_configured", + "cloudwatch_changes_to_network_gateways_alarm_configured", + "cloudwatch_changes_to_network_route_tables_alarm_configured", + "cloudwatch_changes_to_vpcs_alarm_configured", + "rds_instance_enhanced_monitoring_enabled" + ] + 
}, + { + "Id": "sc_43_b", + "Name": "SC-43(b)", + "Description": "Authorize, monitor, and control the use of such components within the system.", + "Attributes": [ + { + "ItemId": "sc_43_b", + "Section": "System and Communications Protection (SC)", + "SubSection": "Usage Restrictions (SC-43)", + "Service": "guarduty" + } + ], + "Checks": [ + "guardduty_is_enabled" + ] + }, + { + "Id": "si_1_a_2", + "Name": "SI-1(a)(2)", + "Description": "a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 2. Procedures to facilitate the implementation of the system and information integrity policy and the associated system and information integrity controls;.", + "Attributes": [ + { + "ItemId": "si_1_a_2", + "Section": "System and Information integrity (SI)", + "SubSection": "Policy And Procedures (SI-1)", + "Service": "aws" + } + ], + "Checks": [ + "apigateway_client_certificate_enabled", + "cloudtrail_log_file_validation_enabled", + "elb_ssl_listeners", + "opensearch_service_domains_node_to_node_encryption_enabled", + "s3_bucket_secure_transport_policy", + "s3_bucket_object_versioning" + ] + }, + { + "Id": "si_1_1_c", + "Name": "SI-1(1)(c)", + "Description": "Audit the use of the manual override capability.", + "Attributes": [ + { + "ItemId": "si_1_1_c", + "Section": "System and Information integrity (SI)", + "SubSection": "Policy And Procedures (SI-1)", + "Service": "aws" + } + ], + "Checks": [ + "cloudtrail_multi_region_enabled", + "cloudtrail_s3_dataevents_read_enabled", + "cloudtrail_s3_dataevents_write_enabled", + "cloudtrail_multi_region_enabled", + "cloudtrail_cloudwatch_logging_enabled", + "rds_instance_integration_cloudwatch_logs", + "redshift_cluster_audit_logging", + "s3_bucket_server_access_logging_enabled" + ] + }, + { + "Id": "si_2_5", + "Name": "SI-2(5) Automatic Software And Firmware Updated", + "Description": "Install [Assignment: organization-defined security-relevant software and firmware updates] automatically to 
[Assignment: organization-defined system components].", + "Attributes": [ + { + "ItemId": "si_2_5", + "Section": "System and Information integrity (SI)", + "SubSection": "Flaw Remediation (SI-2)", + "Service": "aws" + } + ], + "Checks": [ + "redshift_cluster_automatic_upgrades", + "ssm_managed_compliant_patching" + ] + }, + { + "Id": "si_2_2", + "Name": "SI-2(2) Automated Flaw Remediation Status", + "Description": "Determine if system components have applicable security-relevant software and firmware updates installed using [Assignment: organization-defined automated mechanisms] [Assignment: organization-defined frequency].", + "Attributes": [ + { + "ItemId": "si_2_2", + "Section": "System and Information integrity (SI)", + "SubSection": "Flaw Remediation (SI-2)", + "Service": "aws" + } + ], + "Checks": [ + "redshift_cluster_automatic_upgrades", + "ssm_managed_compliant_patching" + ] + }, + { + "Id": "si_2_a", + "Name": "SI-2(a)", + "Description": "Identify, report, and correct system flaws.", + "Attributes": [ + { + "ItemId": "si_2_a", + "Section": "System and Information integrity (SI)", + "SubSection": "Flaw Remediation (SI-2)", + "Service": "aws" + } + ], + "Checks": [ + "cloudwatch_changes_to_network_acls_alarm_configured", + "cloudwatch_changes_to_network_gateways_alarm_configured", + "cloudwatch_changes_to_network_route_tables_alarm_configured", + "cloudwatch_changes_to_vpcs_alarm_configured", + "rds_instance_enhanced_monitoring_enabled" + ] + }, + { + "Id": "si_2_c", + "Name": "SI-2(c)", + "Description": "Install security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates.", + "Attributes": [ + { + "ItemId": "si_2_c", + "Section": "System and Information integrity (SI)", + "SubSection": "Flaw Remediation (SI-2)", + "Service": "aws" + } + ], + "Checks": [ + "redshift_cluster_automatic_upgrades", + "ssm_managed_compliant_patching" + ] + }, + { + "Id": "si_2_d", + "Name": "SI-2(d)", + 
"Description": "Incorporate flaw remediation into the organizational configuration management process.", + "Attributes": [ + { + "ItemId": "si_2_d", + "Section": "System and Information integrity (SI)", + "SubSection": "Flaw Remediation (SI-2)", + "Service": "aws" + } + ], + "Checks": [ + "redshift_cluster_automatic_upgrades", + "ssm_managed_compliant_patching" + ] + }, + { + "Id": "si_3_c_2", + "Name": "SI-3(c)(2)", + "Description": "c. Configure malicious code protection mechanisms to: 2. [Selection (one or more): block malicious code; quarantine malicious code; take [Assignment: organization-defined action]]; and send alert to [Assignment: organization-defined personnel or roles] in response to malicious code detection.", + "Attributes": [ + { + "ItemId": "si_3_c_2", + "Section": "System and Information integrity (SI)", + "SubSection": "Malicious Code Protection (SI-3)", + "Service": "aws" + } + ], + "Checks": [ + "ec2_instance_managed_by_ssm", + "ssm_managed_compliant_patching", + "ssm_managed_compliant_patching" + ] + }, + { + "Id": "si_3_8_a", + "Name": "SI-3(8)(a)", + "Description": "Detect the following unauthorized operating system commands through the kernel application programming interface on [Assignment: organization-defined system hardware components]: [Assignment: organization-defined unauthorized operating system commands].", + "Attributes": [ + { + "ItemId": "si_3_8_a", + "Section": "System and Information integrity (SI)", + "SubSection": "Malicious Code Protection (SI-3)", + "SubGroup": "SI-3(8) Detect Unauthorized Commands", + "Service": "aws" + } + ], + "Checks": [ + "guardduty_is_enabled" + ] + }, + { + "Id": "si_3_8_b", + "Name": "SI-3(8)(b)", + "Description": "[Selection (one or more): issue a warning; audit the command execution; prevent the execution of the command].", + "Attributes": [ + { + "ItemId": "si_3_8_b", + "Section": "System and Information integrity (SI)", + "SubSection": "Malicious Code Protection (SI-3)", + "SubGroup": "SI-3(8) 
Detect Unauthorized Commands", + "Service": "aws" + } + ], + "Checks": [ + "cloudtrail_multi_region_enabled", + "cloudtrail_s3_dataevents_read_enabled", + "cloudtrail_s3_dataevents_write_enabled", + "cloudtrail_multi_region_enabled", + "cloudtrail_cloudwatch_logging_enabled", + "rds_instance_integration_cloudwatch_logs", + "redshift_cluster_audit_logging", + "s3_bucket_server_access_logging_enabled" + ] + }, + { + "Id": "si_4_a", + "Name": "SI-4(a)", + "Description": "Monitor the system to detect: 1. Attacks and indicators of potential attacks in accordance with the following monitoring objectives: [Assignment: organization-defined monitoring objectives]; and 2. Unauthorized local, network, and remote connections.", + "Attributes": [ + { + "ItemId": "si_4_a", + "Section": "System and Information integrity (SI)", + "SubSection": "System Monitoring (SI-4)", + "Service": "guarduty" + } + ], + "Checks": [ + "guardduty_is_enabled" + ] + }, + { + "Id": "si_4_a_1", + "Name": "SI-4(a)(1)", + "Description": "a. Monitor the system to detect: 1. Attacks and indicators of potential attacks in accordance with the following monitoring objectives: [Assignment: organization-defined monitoring objectives]; and 2. Unauthorized local, network, and remote connections.", + "Attributes": [ + { + "ItemId": "si_4_a_1", + "Section": "System and Information integrity (SI)", + "SubSection": "System Monitoring (SI-4)", + "SubGroup": "SI-4(a)", + "Service": "guarduty" + } + ], + "Checks": [ + "guardduty_is_enabled" + ] + }, + { + "Id": "si_4_a_2", + "Name": "SI-4(a)(2)", + "Description": "a. Monitor the system to detect: 2. 
Unauthorized local, network, and remote connections.", + "Attributes": [ + { + "ItemId": "si_4_a_2", + "Section": "System and Information integrity (SI)", + "SubSection": "System Monitoring (SI-4)", + "SubGroup": "SI-4(a)", + "Service": "guarduty" + } + ], + "Checks": [ + "guardduty_is_enabled" + ] + }, + { + "Id": "si_4_b", + "Name": "SI-4(b)", + "Description": "Identify unauthorized use of the system through the following techniques and methods: [Assignment: organization-defined techniques and methods].", + "Attributes": [ + { + "ItemId": "si_4_b", + "Section": "System and Information integrity (SI)", + "SubSection": "System Monitoring (SI-4)", + "Service": "guarduty" + } + ], + "Checks": [ + "guardduty_is_enabled" + ] + }, + { + "Id": "si_4_c", + "Name": "SI-4(c)", + "Description": "c. Invoke internal monitoring capabilities or deploy monitoring devices: 1. Strategically within the system to collect organization-determined essential information; and 2. At ad hoc locations within the system to track specific types of transactions of interest to the organization.", + "Attributes": [ + { + "ItemId": "si_4_c", + "Section": "System and Information integrity (SI)", + "SubSection": "System Monitoring (SI-4)", + "Service": "guarduty" + } + ], + "Checks": [ + "guardduty_is_enabled" + ] + }, + { + "Id": "si_4_d", + "Name": "SI-4(d)", + "Description": "Analyze detected events and anomalies.", + "Attributes": [ + { + "ItemId": "si_4_d", + "Section": "System and Information integrity (SI)", + "SubSection": "System Monitoring (SI-4)", + "Service": "cloudtrail" + } + ], + "Checks": [ + "cloudtrail_log_file_validation_enabled" + ] + }, + { + "Id": "si_4_1", + "Name": "SI-4(1) System-Wide Intrusion Detection System", + "Description": "Connect and configure individual intrusion detection tools into a system-wide intrusion detection system.", + "Attributes": [ + { + "ItemId": "si_4_1", + "Section": "System and Information integrity (SI)", + "SubSection": "System Monitoring 
(SI-4)", + "Service": "guarduty" + } + ], + "Checks": [ + "guardduty_is_enabled" + ] + }, + { + "Id": "si_4_2", + "Name": "SI-4(2) Automated Tools For Real-Time Analysis", + "Description": "Implement the following additional monitoring of privileged users: [Assignment: organization-defined additional monitoring]. Employ automated tools and mechanisms to support near real-time analysis of events.", + "Attributes": [ + { + "ItemId": "si_4_2", + "Section": "System and Information integrity (SI)", + "SubSection": "System Monitoring (SI-4)", + "Service": "aws" + } + ], + "Checks": [ + "cloudtrail_multi_region_enabled", + "cloudtrail_cloudwatch_logging_enabled", + "cloudtrail_multi_region_enabled", + "cloudtrail_s3_dataevents_read_enabled", + "cloudtrail_s3_dataevents_write_enabled", + "guardduty_is_enabled", + "rds_instance_integration_cloudwatch_logs", + "redshift_cluster_audit_logging", + "s3_bucket_server_access_logging_enabled" + ] + }, + { + "Id": "si_4_3", + "Name": "SI-4(3) Automated Tools And Mechanism Integration", + "Description": "Employ automated tools and mechanisms to integrate intrusion detection tools and mechanisms into access control and flow control mechanisms.", + "Attributes": [ + { + "ItemId": "si_4_3", + "Section": "System and Information integrity (SI)", + "SubSection": "System Monitoring (SI-4)", + "Service": "guarduty" + } + ], + "Checks": [ + "guardduty_is_enabled" + ] + }, + { + "Id": "si_4_4_a", + "Name": "SI-4(4)(a)", + "Description": "Determine criteria for unusual or unauthorized activities or conditions for inbound and outbound communications traffic.", + "Attributes": [ + { + "ItemId": "si_4_4_a", + "Section": "System and Information integrity (SI)", + "SubSection": "System Monitoring (SI-4)", + "SubGroup": "SI-4(4) Inbound and Outbound Communications Traffic", + "Service": "guarduty" + } + ], + "Checks": [ + "guardduty_is_enabled" + ] + }, + { + "Id": "si_4_4_b", + "Name": "SI-4(4)(b)", + "Description": "Monitor inbound and outbound 
communications traffic [Assignment: organization-defined frequency] for [Assignment: organization-defined unusual or unauthorized activities or conditions].", + "Attributes": [ + { + "ItemId": "si_4_4_b", + "Section": "System and Information integrity (SI)", + "SubSection": "System Monitoring (SI-4)", + "SubGroup": "SI-4(4) Inbound and Outbound Communications Traffic", + "Service": "guarduty" + } + ], + "Checks": [ + "guardduty_is_enabled" + ] + }, + { + "Id": "si_4_10", + "Name": "SI-4(10) Visibility Of Encrypted Communications", + "Description": "Make provisions so that [Assignment: organization-defined encrypted communications traffic] is visible to [Assignment: organization-defined system monitoring tools and mechanisms].", + "Attributes": [ + { + "ItemId": "si_4_10", + "Section": "System and Information integrity (SI)", + "SubSection": "System Monitoring (SI-4)", + "Service": "guarduty" + } + ], + "Checks": [ + "guardduty_is_enabled" + ] + }, + { + "Id": "si_4_12", + "Name": "SI-4(12) Automated Organization-Generated Alerts", + "Description": "Alert [Assignment: organization-defined personnel or roles] using [Assignment: organization-defined automated mechanisms] when the following indications of inappropriate or unusual activities with security or privacy implications occur: [Assignment: organization-defined activities that trigger alerts].", + "Attributes": [ + { + "ItemId": "si_4_12", + "Section": "System and Information integrity (SI)", + "SubSection": "System Monitoring (SI-4)", + "Service": "cloudwatch" + } + ], + "Checks": [ + "cloudwatch_changes_to_network_acls_alarm_configured", + "cloudwatch_changes_to_network_gateways_alarm_configured", + "cloudwatch_changes_to_network_route_tables_alarm_configured", + "cloudwatch_changes_to_vpcs_alarm_configured" + ] + }, + { + "Id": "si_4_13_a", + "Name": "SI-4(13)(a)", + "Description": "Analyze communications traffic and event patterns for the system.", + "Attributes": [ + { + "ItemId": "si_4_13_a", + "Section": 
"System and Information integrity (SI)", + "SubSection": "System Monitoring (SI-4)", + "SubGroup": "SI-4(13) Analyze Traffic And Event Patterns", + "Service": "guarduty" + } + ], + "Checks": [ + "guardduty_is_enabled" + ] + }, + { + "Id": "si_4_14", + "Name": "SI-4(14) Wireless Intrusion Detection", + "Description": "Employ a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises or breaches to the system.", + "Attributes": [ + { + "ItemId": "si_4_14", + "Section": "System and Information integrity (SI)", + "SubSection": "System Monitoring (SI-4)", + "Service": "guarduty" + } + ], + "Checks": [ + "guardduty_is_enabled" + ] + }, + { + "Id": "si_4_17", + "Name": "SI-4(17) Integrated Situational Awareness", + "Description": "Correlate information from monitoring physical, cyber, and supply chain activities to achieve integrated, organization-wide situational awareness.", + "Attributes": [ + { + "ItemId": "si_4_17", + "Section": "System and Information integrity (SI)", + "SubSection": "System Monitoring (SI-4)", + "Service": "aws" + } + ], + "Checks": [ + "apigateway_logging_enabled", + "cloudtrail_multi_region_enabled", + "cloudtrail_s3_dataevents_read_enabled", + "cloudtrail_s3_dataevents_write_enabled", + "cloudtrail_multi_region_enabled", + "cloudtrail_cloudwatch_logging_enabled", + "cloudwatch_log_group_retention_policy_specific_days_enabled", + "elbv2_logging_enabled", + "elb_logging_enabled", + "rds_instance_integration_cloudwatch_logs", + "redshift_cluster_audit_logging", + "s3_bucket_server_access_logging_enabled", + "vpc_flow_logs_enabled" + ] + }, + { + "Id": "si_4_20", + "Name": "SI-4(20) Privileged Users", + "Description": "Implement the following additional monitoring of privileged users: [Assignment: organization-defined additional monitoring].", + "Attributes": [ + { + "ItemId": "si_4_20", + "Section": "System and Information integrity (SI)", + "SubSection": "System Monitoring 
(SI-4)", + "Service": "aws" + } + ], + "Checks": [ + "cloudtrail_multi_region_enabled", + "cloudtrail_s3_dataevents_read_enabled", + "cloudtrail_s3_dataevents_write_enabled", + "cloudtrail_multi_region_enabled", + "cloudtrail_cloudwatch_logging_enabled", + "rds_instance_integration_cloudwatch_logs", + "redshift_cluster_audit_logging", + "s3_bucket_server_access_logging_enabled" + ] + }, + { + "Id": "si_4_23", + "Name": "SI-4(23) Host-Based Devices", + "Description": "Implement the following host-based monitoring mechanisms at [Assignment: organization-defined system components]: [Assignment: organization-defined host-based monitoring mechanisms].", + "Attributes": [ + { + "ItemId": "si_4_23", + "Section": "System and Information integrity (SI)", + "SubSection": "System Monitoring (SI-4)", + "Service": "guarduty" + } + ], + "Checks": [ + "guardduty_is_enabled" + ] + }, + { + "Id": "si_4_25", + "Name": "SI-4(25) Optimize Network Traffic Analysis", + "Description": "Provide visibility into network traffic at external and key internal system interfaces to optimize the effectiveness of monitoring devices.", + "Attributes": [ + { + "ItemId": "si_4_25", + "Section": "System and Information integrity (SI)", + "SubSection": "System Monitoring (SI-4)", + "Service": "aws" + } + ], + "Checks": [ + "guardduty_is_enabled" + ] + }, + { + "Id": "si_5_1", + "Name": "SI-5(1) Automated Alerts And Advisories", + "Description": "Broadcast security alert and advisory information throughout the organization using [Assignment: organization-defined automated mechanisms].", + "Attributes": [ + { + "ItemId": "si_5_1", + "Section": "System and Information integrity (SI)", + "SubSection": "Secuity Alerts, Advisories, And Directives (SI-5)", + "Service": "aws" + } + ], + "Checks": [ + "cloudwatch_changes_to_network_acls_alarm_configured", + "cloudwatch_changes_to_network_gateways_alarm_configured", + "cloudwatch_changes_to_network_route_tables_alarm_configured", + 
"cloudwatch_changes_to_vpcs_alarm_configured", + "guardduty_is_enabled" + ] + }, + { + "Id": "si_5_b", + "Name": "SI-5(b)", + "Description": "Generate internal security alerts, advisories, and directives as deemed necessary.", + "Attributes": [ + { + "ItemId": "si_5_b", + "Section": "System and Information integrity (SI)", + "SubSection": "Secuity Alerts, Advisories, And Directives (SI-5)", + "Service": "aws" + } + ], + "Checks": [ + "cloudwatch_changes_to_network_acls_alarm_configured", + "cloudwatch_changes_to_network_gateways_alarm_configured", + "cloudwatch_changes_to_network_route_tables_alarm_configured", + "cloudwatch_changes_to_vpcs_alarm_configured", + "guardduty_is_enabled" + ] + }, + { + "Id": "si_7_1", + "Name": "SI-7(1) Integrity Checks", + "Description": "Perform an integrity check of [Assignment: organization-defined software, firmware, and information] [Selection (one or more): at startup; at [Assignment: organization-defined transitional states or security-relevant events]; [Assignment: organization-defined frequency]].", + "Attributes": [ + { + "ItemId": "si_7_1", + "Section": "System and Information integrity (SI)", + "SubSection": "Software, Firmware, and Information Integrity (SI-7)", + "Service": "cloudtrail" + } + ], + "Checks": [ + "cloudtrail_log_file_validation_enabled" + ] + }, + { + "Id": "si_7_3", + "Name": "SI-7(3) Centrally Managed Integrity Tools", + "Description": "Employ centrally managed integrity verification tools.", + "Attributes": [ + { + "ItemId": "si_7_3", + "Section": "System and Information integrity (SI)", + "SubSection": "Software, Firmware, and Information Integrity (SI-7)", + "Service": "cloudtrail" + } + ], + "Checks": [ + "cloudtrail_log_file_validation_enabled" + ] + }, + { + "Id": "si_7_7", + "Name": "SI-7(7) Integration Of Detection And Response", + "Description": "Incorporate the detection of the following unauthorized changes into the organizational incident response capability: [Assignment: organization-defined 
security-relevant changes to the system].", + "Attributes": [ + { + "ItemId": "si_7_7", + "Section": "System and Information integrity (SI)", + "SubSection": "Software, Firmware, and Information Integrity (SI-7)", + "Service": "cloudtrail" + } + ], + "Checks": [ + "cloudtrail_log_file_validation_enabled" + ] + }, + { + "Id": "si_7_8", + "Name": "SI-7(8) Auditing Capability For Significant Events", + "Description": "Upon detection of a potential integrity violation, provide the capability to audit the event and initiate the following actions: [Selection (one or more): generate an audit record; alert current user; alert [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined other actions]].", + "Attributes": [ + { + "ItemId": "si_7_8", + "Section": "System and Information integrity (SI)", + "SubSection": "Software, Firmware, and Information Integrity (SI-7)", + "Service": "aws" + } + ], + "Checks": [ + "cloudtrail_multi_region_enabled", + "apigateway_logging_enabled", + "cloudtrail_cloudwatch_logging_enabled", + "cloudtrail_multi_region_enabled", + "cloudtrail_s3_dataevents_read_enabled", + "cloudtrail_s3_dataevents_write_enabled", + "elbv2_logging_enabled", + "elb_logging_enabled", + "rds_instance_integration_cloudwatch_logs", + "redshift_cluster_audit_logging", + "s3_bucket_server_access_logging_enabled", + "vpc_flow_logs_enabled" + ] + }, + { + "Id": "si_7_a", + "Name": "SI-7(a)", + "Description": "Employ integrity verification tools to detect unauthorized changes to the following software, firmware, and information: [Assignment: organization-defined software, firmware, and information].", + "Attributes": [ + { + "ItemId": "si_7_a", + "Section": "System and Information integrity (SI)", + "SubSection": "Software, Firmware, and Information Integrity (SI-7)", + "Service": "cloudtrail" + } + ], + "Checks": [ + "cloudtrail_log_file_validation_enabled" + ] + }, + { + "Id": "si_10_1_c", + "Name": "SI-10(1)(c)", + "Description": "Audit 
the use of the manual override capability.", + "Attributes": [ + { + "ItemId": "si_10_1_c", + "Section": "System and Information integrity (SI)", + "SubSection": "Information Input Validation (SI-10)", + "SubGroup": "SI-10(1) Manual Override Capability", + "Service": "aws" + } + ], + "Checks": [ + "cloudtrail_multi_region_enabled", + "cloudtrail_s3_dataevents_read_enabled", + "cloudtrail_s3_dataevents_write_enabled", + "cloudtrail_multi_region_enabled", + "cloudtrail_cloudwatch_logging_enabled", + "rds_instance_integration_cloudwatch_logs", + "redshift_cluster_audit_logging", + "s3_bucket_server_access_logging_enabled" + ] + }, + { + "Id": "si_12", + "Name": "Information Management and Retention (SI-12)", + "Description": "Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements.", + "Attributes": [ + { + "ItemId": "si_12", + "Section": "System and Information integrity (SI)", + "Service": "cloudwatch" + } + ], + "Checks": [ + "cloudwatch_log_group_retention_policy_specific_days_enabled" + ] + }, + { + "Id": "si_13_5", + "Name": "SI-13(5) Failover Capability", + "Description": "Provide [Selection: real-time; near real-time] [Assignment: organization-defined failover capability] for the system.", + "Attributes": [ + { + "ItemId": "si_13_5", + "Section": "System and Information integrity (SI)", + "SubSection": "Predictable Failure Prevention (SI-13)", + "Service": "aws" + } + ], + "Checks": [ + "dynamodb_tables_pitr_enabled", + "efs_have_backup_enabled", + "rds_instance_backup_enabled", + "rds_instance_deletion_protection", + "rds_instance_multi_az", + "rds_instance_backup_enabled", + "redshift_cluster_automated_snapshot", + "s3_bucket_object_versioning" + ] + }, + { + "Id": "si_19_4", + "Name": "SI-19(4) Removal, Masking, Encryption, Hashing, Or Replacement Of Direct Identifiers", + "Description": 
"Remove, mask, encrypt, hash, or replace direct identifiers in a dataset.",
+ "Attributes": [
+ {
+ "ItemId": "si_19_4",
+ "Section": "System and Information integrity (SI)",
+ "SubSection": "De-Identification (SI-19)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "cloudtrail_kms_encryption_enabled",
+ "dynamodb_tables_kms_cmk_encryption_enabled",
+ "ec2_ebs_volume_encryption",
+ "ec2_ebs_default_encryption",
+ "efs_encryption_at_rest_enabled",
+ "opensearch_service_domains_encryption_at_rest_enabled",
+ "cloudwatch_log_group_kms_encryption_enabled",
+ "rds_instance_storage_encrypted",
+ "rds_instance_storage_encrypted",
+ "redshift_cluster_audit_logging",
+ "s3_bucket_default_encryption",
+ "s3_bucket_default_encryption",
+ "sagemaker_notebook_instance_encryption_enabled"
+ ]
+ }
+ ]
+}
diff --git a/prowler/compliance/aws/nist_csf_1.1_aws.json b/prowler/compliance/aws/nist_csf_1.1_aws.json
new file mode 100644
index 00000000..fcfe93fa
--- /dev/null
+++ b/prowler/compliance/aws/nist_csf_1.1_aws.json
@@ -0,0 +1,1214 @@
+{
+ "Framework": "NIST-CSF",
+ "Version": "1.1",
+ "Provider": "AWS",
+ "Description": "The NIST Cybersecurity Framework (CSF) is supported by governments and industries worldwide as a recommended baseline for use by any organization, regardless of sector or size. The NIST Cybersecurity Framework consists of three primary components: the framework core, the profiles, and the implementation tiers. The framework core contains desired cybersecurity activities and outcomes organized into 23 categories that cover the breadth of cybersecurity objectives for an organization. The profiles contain an organization's unique alignment of their organizational requirements and objectives, risk appetite, and resources using the desired outcomes of the framework core. The implementation tiers describe the degree to which an organization’s cybersecurity risk management practices exhibit the characteristics defined in the framework core.",
+ "Requirements": [
+ {
+ "Id": "ae_1",
+ "Name": "DE.AE-1",
+ "Description": "A baseline of network operations and expected data flows for users and systems is established and managed.",
+ "Attributes": [
+ {
+ "ItemId": "ae_1",
+ "Section": "Detect (DE)",
+ "SubSection": "Anomalies and Events (DE.AE)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "apigateway_logging_enabled",
+ "cloudtrail_multi_region_enabled",
+ "cloudtrail_multi_region_enabled",
+ "cloudtrail_cloudwatch_logging_enabled",
+ "elbv2_logging_enabled",
+ "elb_logging_enabled",
+ "redshift_cluster_audit_logging",
+ "s3_bucket_server_access_logging_enabled",
+ "ec2_securitygroup_default_restrict_traffic",
+ "vpc_flow_logs_enabled",
+ "ec2_networkacl_allow_ingress_any_port",
+ "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
+ "ec2_networkacl_allow_ingress_any_port"
+ ]
+ },
+ {
+ "Id": "ae_2",
+ "Name": "DE.AE-2",
+ "Description": "Detected events are analyzed to understand attack targets and methods.",
+ "Attributes": [
+ {
+ "ItemId": "ae_2",
+ "Section": "Detect (DE)",
+ "SubSection": "Anomalies and Events (DE.AE)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "guardduty_is_enabled",
+ "securityhub_enabled"
+ ]
+ },
+ {
+ "Id": "ae_3",
+ "Name": "DE.AE-3",
+ "Description": "Event data are collected and correlated from multiple sources and sensors.",
+ "Attributes": [
+ {
+ "ItemId": "ae_3",
+ "Section": "Detect (DE)",
+ "SubSection": "Anomalies and Events (DE.AE)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "apigateway_logging_enabled",
+ "cloudtrail_multi_region_enabled",
+ "cloudtrail_s3_dataevents_read_enabled",
+ "cloudtrail_s3_dataevents_write_enabled",
+ "cloudtrail_multi_region_enabled",
+ "cloudtrail_cloudwatch_logging_enabled",
+ "elbv2_logging_enabled",
+ "elb_logging_enabled",
+ "redshift_cluster_audit_logging",
+ "s3_bucket_server_access_logging_enabled",
+ "vpc_flow_logs_enabled"
+ ]
+ },
+ {
+ "Id": "ae_4",
+ "Name": "DE.AE-4",
+ "Description": "Impact of events is determined.",
+ "Attributes": [
+ {
+ "ItemId": "ae_4",
+ "Section": "Detect (DE)",
+ "SubSection": "Anomalies and Events (DE.AE)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "cloudtrail_multi_region_enabled",
+ "cloudtrail_s3_dataevents_read_enabled",
+ "cloudtrail_s3_dataevents_write_enabled",
+ "cloudtrail_multi_region_enabled",
+ "elbv2_logging_enabled",
+ "elb_logging_enabled",
+ "guardduty_is_enabled",
+ "guardduty_no_high_severity_findings",
+ "s3_bucket_server_access_logging_enabled",
+ "securityhub_enabled"
+ ]
+ },
+ {
+ "Id": "ae_5",
+ "Name": "DE.AE-5",
+ "Description": "Incident alert thresholds are established.",
+ "Attributes": [
+ {
+ "ItemId": "ae_5",
+ "Section": "Detect (DE)",
+ "SubSection": "Anomalies and Events (DE.AE)",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "cloudwatch_changes_to_network_acls_alarm_configured",
+ "cloudwatch_changes_to_network_gateways_alarm_configured",
+ "cloudwatch_changes_to_network_route_tables_alarm_configured",
+ "cloudwatch_changes_to_vpcs_alarm_configured"
+ ]
+ },
+ {
+
"Id": "cm_1", + "Name": "DE.CM-1", + "Description": "The network is monitored to detect potential cybersecurity events.", + "Attributes": [ + { + "ItemId": "cm_1", + "Section": "Detect (DE)", + "SubSection": "Security Continuous Monitoring (DE.CM)", + "Service": "aws" + } + ], + "Checks": [ + "apigateway_logging_enabled", + "cloudtrail_multi_region_enabled", + "cloudtrail_s3_dataevents_read_enabled", + "cloudtrail_s3_dataevents_write_enabled", + "cloudtrail_multi_region_enabled", + "elbv2_logging_enabled", + "elb_logging_enabled", + "guardduty_is_enabled", + "s3_bucket_server_access_logging_enabled", + "securityhub_enabled", + "vpc_flow_logs_enabled" + ] + }, + { + "Id": "cm_2", + "Name": "DE.CM-2", + "Description": "The physical environment is monitored to detect potential cybersecurity events.", + "Attributes": [ + { + "ItemId": "cm_2", + "Section": "Detect (DE)", + "SubSection": "Security Continuous Monitoring (DE.CM)", + "Service": "aws" + } + ], + "Checks": [ + "cloudtrail_cloudwatch_logging_enabled", + "cloudwatch_changes_to_network_acls_alarm_configured", + "cloudwatch_changes_to_network_gateways_alarm_configured", + "cloudwatch_changes_to_network_route_tables_alarm_configured", + "cloudwatch_changes_to_vpcs_alarm_configured", + "config_recorder_all_regions_enabled", + "ec2_instance_imdsv2_enabled", + "guardduty_is_enabled", + "cloudwatch_log_metric_filter_for_s3_bucket_policy_changes", + "cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled", + "cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled", + "cloudwatch_log_metric_filter_authentication_failures", + "cloudwatch_log_metric_filter_sign_in_without_mfa", + "cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk", + "cloudwatch_log_metric_filter_policy_changes", + "cloudwatch_log_metric_filter_root_usage", + "cloudwatch_log_metric_filter_security_group_changes", + "cloudwatch_log_metric_filter_unauthorized_api_calls", + 
"rds_instance_enhanced_monitoring_enabled", + "securityhub_enabled" + ] + }, + { + "Id": "cm_3", + "Name": "DE.CM-3", + "Description": "Personnel activity is monitored to detect potential cybersecurity events.", + "Attributes": [ + { + "ItemId": "cm_3", + "Section": "Detect (DE)", + "SubSection": "Security Continuous Monitoring (DE.CM)", + "Service": "aws" + } + ], + "Checks": [ + "cloudtrail_multi_region_enabled", + "cloudtrail_s3_dataevents_read_enabled", + "cloudtrail_s3_dataevents_write_enabled", + "cloudtrail_multi_region_enabled", + "guardduty_is_enabled", + "s3_bucket_server_access_logging_enabled", + "securityhub_enabled" + ] + }, + { + "Id": "cm_4", + "Name": "DE.CM-4", + "Description": "Malicious code is detected.", + "Attributes": [ + { + "ItemId": "cm_4", + "Section": "Detect (DE)", + "SubSection": "Security Continuous Monitoring (DE.CM)", + "Service": "aws" + } + ], + "Checks": [ + "guardduty_is_enabled", + "securityhub_enabled" + ] + }, + { + "Id": "cm_5", + "Name": "DE.CM-5", + "Description": "Unauthorized mobile code is detected.", + "Attributes": [ + { + "ItemId": "cm_5", + "Section": "Detect (DE)", + "SubSection": "Security Continuous Monitoring (DE.CM)", + "Service": "aws" + } + ], + "Checks": [ + "cloudtrail_cloudwatch_logging_enabled", + "cloudwatch_changes_to_network_acls_alarm_configured", + "cloudwatch_changes_to_network_gateways_alarm_configured", + "cloudwatch_changes_to_network_route_tables_alarm_configured", + "cloudwatch_changes_to_vpcs_alarm_configured", + "ec2_instance_imdsv2_enabled", + "elbv2_waf_acl_attached", + "guardduty_is_enabled", + "guardduty_no_high_severity_findings", + "securityhub_enabled" + ] + }, + { + "Id": "cm_6", + "Name": "DE.CM-6", + "Description": "External service provider activity is monitored to detect potential cybersecurity events.", + "Attributes": [ + { + "ItemId": "cm_6", + "Section": "Detect (DE)", + "SubSection": "Security Continuous Monitoring (DE.CM)", + "Service": "aws" + } + ], + "Checks": [ + 
"cloudtrail_multi_region_enabled", + "cloudtrail_s3_dataevents_read_enabled", + "cloudtrail_s3_dataevents_write_enabled", + "cloudtrail_multi_region_enabled", + "guardduty_is_enabled", + "s3_bucket_server_access_logging_enabled", + "securityhub_enabled" + ] + }, + { + "Id": "cm_7", + "Name": "DE.CM-7", + "Description": "Monitoring for unauthorized personnel, connections, devices, and software is performed.", + "Attributes": [ + { + "ItemId": "cm_7", + "Section": "Detect (DE)", + "SubSection": "Security Continuous Monitoring (DE.CM)", + "Service": "aws" + } + ], + "Checks": [ + "apigateway_logging_enabled", + "cloudtrail_multi_region_enabled", + "cloudtrail_s3_dataevents_read_enabled", + "cloudtrail_s3_dataevents_write_enabled", + "cloudtrail_multi_region_enabled", + "elbv2_logging_enabled", + "elb_logging_enabled", + "guardduty_is_enabled", + "s3_bucket_server_access_logging_enabled", + "securityhub_enabled", + "vpc_flow_logs_enabled" + ] + }, + { + "Id": "cp_4", + "Name": "DE.DP-4", + "Description": "Event detection information is communicated.", + "Attributes": [ + { + "ItemId": "cp_4", + "Section": "Detect (DE)", + "SubSection": "Detection Processes (DE.DP)", + "Service": "aws" + } + ], + "Checks": [ + "cloudtrail_cloudwatch_logging_enabled", + "cloudwatch_changes_to_network_acls_alarm_configured", + "cloudwatch_changes_to_network_gateways_alarm_configured", + "cloudwatch_changes_to_network_route_tables_alarm_configured", + "cloudwatch_changes_to_vpcs_alarm_configured", + "ec2_instance_imdsv2_enabled", + "elbv2_waf_acl_attached", + "guardduty_is_enabled", + "guardduty_no_high_severity_findings", + "securityhub_enabled" + ] + }, + { + "Id": "cp_5", + "Name": "DE.DP-5", + "Description": "Detection processes are continuously improved.", + "Attributes": [ + { + "ItemId": "cp_5", + "Section": "Detect (DE)", + "SubSection": "Detection Processes (DE.DP)", + "Service": "ec2" + } + ], + "Checks": [ + "ec2_instance_imdsv2_enabled" + ] + }, + { + "Id": "am_1", + "Name": 
"ID.AM-1", + "Description": "Physical devices and systems within the organization are inventoried.", + "Attributes": [ + { + "ItemId": "am_1", + "Section": "Identify (ID)", + "SubSection": "Asset Management (ID.AM)", + "Service": "aws" + } + ], + "Checks": [ + "config_recorder_all_regions_enabled", + "ec2_instance_managed_by_ssm" + ] + }, + { + "Id": "am_2", + "Name": "ID.AM-2", + "Description": "Software platforms and applications within the organization are inventoried.", + "Attributes": [ + { + "ItemId": "am_2", + "Section": "Identify (ID)", + "SubSection": "Asset Management (ID.AM)", + "Service": "aws" + } + ], + "Checks": [ + "ec2_instance_managed_by_ssm", + "ssm_managed_compliant_patching" + ] + }, + { + "Id": "am_3", + "Name": "ID.AM-3", + "Description": "Organizational communication and data flows are mapped.", + "Attributes": [ + { + "ItemId": "am_3", + "Section": "Identify (ID)", + "SubSection": "Asset Management (ID.AM)", + "Service": "aws" + } + ], + "Checks": [ + "apigateway_logging_enabled", + "cloudtrail_multi_region_enabled", + "cloudtrail_multi_region_enabled", + "elbv2_logging_enabled", + "elb_logging_enabled", + "redshift_cluster_audit_logging", + "s3_bucket_server_access_logging_enabled", + "vpc_flow_logs_enabled" + ] + }, + { + "Id": "am_5", + "Name": "ID.AM-5", + "Description": "Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value.", + "Attributes": [ + { + "ItemId": "am_5", + "Section": "Identify (ID)", + "SubSection": "Asset Management (ID.AM)", + "Service": "aws" + } + ], + "Checks": [] + }, + { + "Id": "am_6", + "Name": "ID.AM-6", + "Description": "Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established.", + "Attributes": [ + { + "ItemId": "am_6", + "Section": "Identify (ID)", + "SubSection": "Asset Management (ID.AM)", + "Service": "iam" + } + ], + 
"Checks": [] + }, + { + "Id": "be_5", + "Name": "ID.BE-5", + "Description": "Resilience requirements to support delivery of critical services are established for all operating states (e.g. under duress/attack, during recovery, normal operations)", + "Attributes": [ + { + "ItemId": "be_5", + "Section": "Identify (ID)", + "SubSection": "Business Environment (ID.BE)", + "Service": "aws" + } + ], + "Checks": [ + "elbv2_deletion_protection", + "rds_instance_backup_enabled", + "rds_instance_multi_az", + "s3_bucket_object_versioning" + ] + }, + { + "Id": "ra_1", + "Name": "ID.RA-1", + "Description": "Asset vulnerabilities are identified and documented.", + "Attributes": [ + { + "ItemId": "ra_1", + "Section": "Identify (ID)", + "SubSection": "Risk Assessment (ID.RA)", + "Service": "aws" + } + ], + "Checks": [ + "guardduty_is_enabled", + "securityhub_enabled", + "ssm_managed_compliant_patching" + ] + }, + { + "Id": "ra_2", + "Name": "ID.RA-2", + "Description": "Cyber threat intelligence is received from information sharing forums and sources.", + "Attributes": [ + { + "ItemId": "ra_2", + "Section": "Identify (ID)", + "SubSection": "Risk Assessment (ID.RA)", + "Service": "aws" + } + ], + "Checks": [ + "guardduty_is_enabled", + "securityhub_enabled" + ] + }, + { + "Id": "ra_3", + "Name": "ID.RA-3", + "Description": "Threats, both internal and external, are identified and documented.", + "Attributes": [ + { + "ItemId": "ra_3", + "Section": "Identify (ID)", + "SubSection": "Risk Assessment (ID.RA)", + "Service": "aws" + } + ], + "Checks": [ + "guardduty_is_enabled", + "securityhub_enabled" + ] + }, + { + "Id": "ra_5", + "Name": "ID.RA-5", + "Description": "Threats, vulnerabilities, likelihoods, and impacts are used to determine risk.", + "Attributes": [ + { + "ItemId": "ra_5", + "Section": "Identify (ID)", + "SubSection": "Risk Assessment (ID.RA)", + "Service": "aws" + } + ], + "Checks": [ + "cloudtrail_cloudwatch_logging_enabled", + 
"cloudwatch_changes_to_network_acls_alarm_configured", + "cloudwatch_changes_to_network_gateways_alarm_configured", + "cloudwatch_changes_to_network_route_tables_alarm_configured", + "cloudwatch_changes_to_vpcs_alarm_configured", + "config_recorder_all_regions_enabled", + "ec2_instance_imdsv2_enabled", + "guardduty_is_enabled", + "cloudwatch_log_metric_filter_for_s3_bucket_policy_changes", + "cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled", + "cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled", + "cloudwatch_log_metric_filter_authentication_failures", + "cloudwatch_log_metric_filter_sign_in_without_mfa", + "cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk", + "cloudwatch_log_metric_filter_policy_changes", + "cloudwatch_log_metric_filter_root_usage", + "cloudwatch_log_metric_filter_security_group_changes", + "cloudwatch_log_metric_filter_unauthorized_api_calls", + "rds_instance_enhanced_monitoring_enabled", + "securityhub_enabled" + ] + }, + { + "Id": "sc_4", + "Name": "ID.SC-4", + "Description": "Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations.", + "Attributes": [ + { + "ItemId": "sc_4", + "Section": "Identify (ID)", + "SubSection": "Supply Chain Risk Management (ID.SC)", + "Service": "aws" + } + ], + "Checks": [ + "cloudtrail_cloudwatch_logging_enabled", + "config_recorder_all_regions_enabled", + "ec2_instance_imdsv2_enabled", + "guardduty_is_enabled", + "cloudwatch_log_metric_filter_for_s3_bucket_policy_changes", + "cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled", + "cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled", + "cloudwatch_log_metric_filter_authentication_failures", + "cloudwatch_log_metric_filter_sign_in_without_mfa", + 
"cloudwatch_log_metric_filter_disable_or_scheduled_deletion_of_kms_cmk", + "cloudwatch_log_metric_filter_policy_changes", + "cloudwatch_log_metric_filter_root_usage", + "cloudwatch_log_metric_filter_security_group_changes", + "cloudwatch_log_metric_filter_unauthorized_api_calls", + "rds_instance_enhanced_monitoring_enabled", + "securityhub_enabled" + ] + }, + { + "Id": "ac_1", + "Name": "PR.AC-1", + "Description": "Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes.", + "Attributes": [ + { + "ItemId": "ac_1", + "Section": "Protect (PR)", + "SubSection": "Identity Management and Access Control (PR.AC)", + "Service": "aws" + } + ], + "Checks": [ + "iam_password_policy_reuse_24", + "iam_policy_no_administrative_privileges", + "iam_no_root_access_key", + "iam_rotate_access_key_90_days", + "iam_disable_90_days_credentials", + "secretsmanager_automatic_rotation_enabled" + ] + }, + { + "Id": "ac_3", + "Name": "PR.AC-3", + "Description": "Remote access is managed.", + "Attributes": [ + { + "ItemId": "ac_3", + "Section": "Protect (PR)", + "SubSection": "Identity Management and Access Control (PR.AC)", + "Service": "aws" + } + ], + "Checks": [ + "ec2_ebs_public_snapshot", + "ec2_instance_public_ip", + "emr_cluster_master_nodes_no_public_ip", + "iam_root_hardware_mfa_enabled", + "iam_root_mfa_enabled", + "iam_user_mfa_enabled_console_access", + "iam_user_mfa_enabled_console_access", + "awslambda_function_not_publicly_accessible", + "awslambda_function_url_public", + "rds_instance_no_public_access", + "rds_snapshots_public_access", + "redshift_cluster_public_access", + "s3_bucket_public_access", + "s3_bucket_policy_public_write_access", + "s3_account_level_public_access_blocks", + "sagemaker_notebook_instance_without_direct_internet_access_configured", + "ec2_securitygroup_default_restrict_traffic", + "ec2_networkacl_allow_ingress_any_port", + "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22", 
+ "ec2_networkacl_allow_ingress_any_port" + ] + }, + { + "Id": "ac_4", + "Name": "PR.AC-4", + "Description": "Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties.", + "Attributes": [ + { + "ItemId": "ac_4", + "Section": "Protect (PR)", + "SubSection": "Identity Management and Access Control (PR.AC)", + "Service": "aws" + } + ], + "Checks": [ + "iam_policy_no_administrative_privileges", + "iam_no_root_access_key", + "iam_disable_90_days_credentials" + ] + }, + { + "Id": "ac_5", + "Name": "PR.AC-5", + "Description": "Network integrity is protected (e.g., network segregation, network segmentation).", + "Attributes": [ + { + "ItemId": "ac_5", + "Section": "Protect (PR)", + "SubSection": "Identity Management and Access Control (PR.AC)", + "Service": "aws" + } + ], + "Checks": [ + "acm_certificates_expiration_check", + "ec2_ebs_public_snapshot", + "ec2_instance_public_ip", + "emr_cluster_master_nodes_no_public_ip", + "awslambda_function_not_publicly_accessible", + "awslambda_function_url_public", + "rds_instance_no_public_access", + "rds_snapshots_public_access", + "redshift_cluster_public_access", + "s3_bucket_public_access", + "s3_bucket_policy_public_write_access", + "s3_account_level_public_access_blocks", + "sagemaker_notebook_instance_without_direct_internet_access_configured", + "ec2_securitygroup_default_restrict_traffic", + "ec2_networkacl_allow_ingress_any_port", + "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22", + "ec2_networkacl_allow_ingress_any_port" + ] + }, + { + "Id": "ac_6", + "Name": "PR.AC-6", + "Description": "Identities are proofed and bound to credentials and asserted in interactions.", + "Attributes": [ + { + "ItemId": "ac_6", + "Section": "Protect (PR)", + "SubSection": "Identity Management and Access Control (PR.AC)", + "Service": "aws" + } + ], + "Checks": [ + "cloudtrail_multi_region_enabled", + "cloudtrail_multi_region_enabled", + 
"redshift_cluster_audit_logging", + "s3_bucket_server_access_logging_enabled" + ] + }, + { + "Id": "ac_7", + "Name": "PR.AC-7", + "Description": "Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks).", + "Attributes": [ + { + "ItemId": "ac_7", + "Section": "Protect (PR)", + "SubSection": "Identity Management and Access Control (PR.AC)", + "Service": "iam" + } + ], + "Checks": [ + "iam_root_hardware_mfa_enabled", + "iam_root_mfa_enabled", + "iam_user_mfa_enabled_console_access", + "iam_user_mfa_enabled_console_access" + ] + }, + { + "Id": "ds_1", + "Name": "PR.DS-1", + "Description": "Data-at-rest is protected.", + "Attributes": [ + { + "ItemId": "ds_1", + "Section": "Protect (PR)", + "SubSection": "Data Security (PR.DS)", + "Service": "aws" + } + ], + "Checks": [ + "cloudtrail_kms_encryption_enabled", + "ec2_ebs_volume_encryption", + "efs_encryption_at_rest_enabled", + "opensearch_service_domains_encryption_at_rest_enabled", + "cloudwatch_log_group_kms_encryption_enabled", + "rds_instance_storage_encrypted", + "s3_bucket_default_encryption", + "sagemaker_notebook_instance_encryption_enabled", + "sns_topics_kms_encryption_at_rest_enabled" + ] + }, + { + "Id": "ds_2", + "Name": "PR.DS-2", + "Description": "Data-in-transit is protected.", + "Attributes": [ + { + "ItemId": "ds_2", + "Section": "Protect (PR)", + "SubSection": "Data Security (PR.DS)", + "Service": "aws" + } + ], + "Checks": [ + "acm_certificates_expiration_check", + "elb_ssl_listeners", + "opensearch_service_domains_node_to_node_encryption_enabled", + "s3_bucket_secure_transport_policy" + ] + }, + { + "Id": "ds_3", + "Name": "PR.DS-3", + "Description": "Assets are formally managed throughout removal, transfers, and disposition.", + "Attributes": [ + { + "ItemId": "ds_3", + "Section": "Protect (PR)", + "SubSection": "Data Security (PR.DS)", + 
"Service": "aws" + } + ], + "Checks": [ + "ec2_instance_managed_by_ssm", + "ssm_managed_compliant_patching", + "ec2_elastic_ip_unassgined" + ] + }, + { + "Id": "ds_4", + "Name": "PR.DS-4", + "Description": "Adequate capacity to ensure availability is maintained.", + "Attributes": [ + { + "ItemId": "ds_4", + "Section": "Protect (PR)", + "SubSection": "Data Security (PR.DS)", + "Service": "aws" + } + ], + "Checks": [ + "elbv2_deletion_protection", + "rds_instance_enhanced_monitoring_enabled", + "rds_instance_backup_enabled", + "rds_instance_multi_az", + "s3_bucket_object_versioning" + ] + }, + { + "Id": "ds_5", + "Name": "PR.DS-5", + "Description": "Protections against data leaks are implemented.", + "Attributes": [ + { + "ItemId": "ds_5", + "Section": "Protect (PR)", + "SubSection": "Data Security (PR.DS)", + "Service": "aws" + } + ], + "Checks": [ + "cloudtrail_multi_region_enabled", + "cloudtrail_s3_dataevents_read_enabled", + "cloudtrail_s3_dataevents_write_enabled", + "cloudtrail_multi_region_enabled", + "ec2_ebs_public_snapshot", + "elbv2_logging_enabled", + "elb_logging_enabled", + "guardduty_is_enabled", + "awslambda_function_url_public", + "rds_instance_no_public_access", + "rds_snapshots_public_access", + "redshift_cluster_public_access", + "s3_bucket_server_access_logging_enabled", + "s3_bucket_public_access", + "s3_bucket_policy_public_write_access", + "s3_account_level_public_access_blocks", + "sagemaker_notebook_instance_without_direct_internet_access_configured", + "securityhub_enabled", + "vpc_flow_logs_enabled" + ] + }, + { + "Id": "ds_6", + "Name": "PR.DS-6", + "Description": "Integrity checking mechanisms are used to verify software, firmware, and information integrity.", + "Attributes": [ + { + "ItemId": "ds_6", + "Section": "Protect (PR)", + "SubSection": "Data Security (PR.DS)", + "Service": "cloudtrail" + } + ], + "Checks": [ + "cloudtrail_log_file_validation_enabled" + ] + }, + { + "Id": "ds_7", + "Name": "PR.DS-7", + "Description": "The 
development and testing environment(s) are separate from the production environment.", + "Attributes": [ + { + "ItemId": "ds_7", + "Section": "Protect (PR)", + "SubSection": "Data Security (PR.DS)", + "Service": "aws" + } + ], + "Checks": [ + "cloudtrail_log_file_validation_enabled", + "ec2_instance_managed_by_ssm", + "ec2_instance_older_than_specific_days", + "elbv2_deletion_protection", + "ssm_managed_compliant_patching", + "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22" + ] + }, + { + "Id": "ds_8", + "Name": "PR.DS-8", + "Description": "Integrity checking mechanisms are used to verify hardware integrity.", + "Attributes": [ + { + "ItemId": "ds_8", + "Section": "Protect (PR)", + "SubSection": "Data Security (PR.DS)", + "Service": "aws" + } + ], + "Checks": [ + "ec2_instance_managed_by_ssm", + "securityhub_enabled" + ] + }, + { + "Id": "ip_1", + "Name": "PR.IP-1", + "Description": "A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. 
concept of least functionality).", + "Attributes": [ + { + "ItemId": "ip_1", + "Section": "Protect (PR)", + "SubSection": "Information Protection Processes and Procedures (PR.IP)", + "Service": "aws" + } + ], + "Checks": [ + "ec2_instance_managed_by_ssm", + "ec2_instance_older_than_specific_days", + "ssm_managed_compliant_patching" + ] + }, + { + "Id": "ip_2", + "Name": "PR.IP-2", + "Description": "A System Development Life Cycle to manage systems is implemented.", + "Attributes": [ + { + "ItemId": "ip_2", + "Section": "Protect (PR)", + "SubSection": "Information Protection Processes and Procedures (PR.IP)", + "Service": "aws" + } + ], + "Checks": [ + "ec2_instance_managed_by_ssm" + ] + }, + { + "Id": "ip_3", + "Name": "PR.IP-3", + "Description": "Configuration change control processes are in place.", + "Attributes": [ + { + "ItemId": "ip_3", + "Section": "Protect (PR)", + "SubSection": "Information Protection Processes and Procedures (PR.IP)", + "Service": "elb" + } + ], + "Checks": [ + "elbv2_deletion_protection" + ] + }, + { + "Id": "ip_4", + "Name": "PR.IP-4", + "Description": "Backups of information are conducted, maintained, and tested periodically.", + "Attributes": [ + { + "ItemId": "ip_4", + "Section": "Protect (PR)", + "SubSection": "Information Protection Processes and Procedures (PR.IP)", + "Service": "aws" + } + ], + "Checks": [ + "dynamodb_tables_pitr_enabled", + "rds_instance_backup_enabled", + "s3_bucket_object_versioning" + ] + }, + { + "Id": "ip_7", + "Name": "PR.IP-7", + "Description": "Protection processes are improved.", + "Attributes": [ + { + "ItemId": "ip_7", + "Section": "Protect (PR)", + "SubSection": "Information Protection Processes and Procedures (PR.IP)", + "Service": "ec2" + } + ], + "Checks": [] + }, + { + "Id": "ip_8", + "Name": "PR.IP-8", + "Description": "Effectiveness of protection technologies is shared.", + "Attributes": [ + { + "ItemId": "ip_8", + "Section": "Protect (PR)", + "SubSection": "Information Protection Processes and 
Procedures (PR.IP)", + "Service": "aws" + } + ], + "Checks": [ + "ec2_ebs_public_snapshot", + "ec2_instance_public_ip", + "eks_endpoints_not_publicly_accessible", + "emr_cluster_master_nodes_no_public_ip", + "awslambda_function_url_public", + "rds_instance_no_public_access", + "rds_snapshots_public_access", + "redshift_cluster_public_access", + "s3_bucket_public_access", + "s3_bucket_policy_public_write_access", + "s3_account_level_public_access_blocks", + "s3_bucket_public_access", + "sagemaker_notebook_instance_without_direct_internet_access_configured" + ] + }, + { + "Id": "ip_9", + "Name": "PR.IP-9", + "Description": "Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed.", + "Attributes": [ + { + "ItemId": "ip_9", + "Section": "Protect (PR)", + "SubSection": "Information Protection Processes and Procedures (PR.IP)", + "Service": "aws" + } + ], + "Checks": [ + "dynamodb_tables_pitr_enabled", + "dynamodb_tables_pitr_enabled", + "efs_have_backup_enabled", + "efs_have_backup_enabled", + "elbv2_deletion_protection", + "rds_instance_backup_enabled", + "rds_instance_multi_az", + "rds_instance_backup_enabled", + "redshift_cluster_automated_snapshot", + "s3_bucket_object_versioning" + ] + }, + { + "Id": "ip_12", + "Name": "PR.IP-12", + "Description": "A vulnerability management plan is developed and implemented.", + "Attributes": [ + { + "ItemId": "ip_12", + "Section": "Protect (PR)", + "SubSection": "Information Protection Processes and Procedures (PR.IP)", + "Service": "aws" + } + ], + "Checks": [ + "config_recorder_all_regions_enabled", + "ec2_instance_managed_by_ssm", + "ssm_managed_compliant_patching", + "ssm_managed_compliant_patching" + ] + }, + { + "Id": "ma_2", + "Name": "PR.MA-2", + "Description": "Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access.", + "Attributes": [ + { + "ItemId": "ma_2", + 
"Section": "Protect (PR)", + "SubSection": "Maintenance (PR.MA)", + "Service": "cloudtrail" + } + ], + "Checks": [ + "cloudtrail_multi_region_enabled", + "cloudtrail_multi_region_enabled" + ] + }, + { + "Id": "pt_1", + "Name": "PR.PT-1", + "Description": "Audit/log records are determined, documented, implemented, and reviewed in accordance with policy.", + "Attributes": [ + { + "ItemId": "pt_1", + "Section": "Protect (PR)", + "SubSection": "Protective Technology (PR.PT)", + "Service": "aws" + } + ], + "Checks": [ + "apigateway_logging_enabled", + "cloudtrail_multi_region_enabled", + "cloudtrail_multi_region_enabled", + "cloudtrail_cloudwatch_logging_enabled", + "elbv2_logging_enabled", + "elb_logging_enabled", + "s3_bucket_server_access_logging_enabled", + "vpc_flow_logs_enabled" + ] + }, + { + "Id": "pt_3", + "Name": "PR.PT-3", + "Description": "The principle of least functionality is incorporated by configuring systems to provide only essential capabilities.", + "Attributes": [ + { + "ItemId": "pt_3", + "Section": "Protect (PR)", + "SubSection": "Protective Technology (PR.PT)", + "Service": "aws" + } + ], + "Checks": [ + "ec2_ebs_public_snapshot", + "iam_policy_no_administrative_privileges", + "iam_no_root_access_key", + "awslambda_function_url_public", + "rds_snapshots_public_access", + "redshift_cluster_public_access", + "s3_bucket_public_access", + "s3_bucket_policy_public_write_access", + "s3_account_level_public_access_blocks" + ] + }, + { + "Id": "pt_4", + "Name": "PR.PT-4", + "Description": "Communications and control networks are protected.", + "Attributes": [ + { + "ItemId": "pt_4", + "Section": "Protect (PR)", + "SubSection": "Protective Technology (PR.PT)", + "Service": "aws" + } + ], + "Checks": [ + "awslambda_function_not_publicly_accessible", + "rds_instance_no_public_access", + "redshift_cluster_public_access", + "ec2_networkacl_allow_ingress_any_port", + "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22", + 
"ec2_networkacl_allow_ingress_any_port" + ] + }, + { + "Id": "pt_5", + "Name": "PR.PT-5", + "Description": "Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations.", + "Attributes": [ + { + "ItemId": "pt_5", + "Section": "Protect (PR)", + "SubSection": "Protective Technology (PR.PT)", + "Service": "aws" + } + ], + "Checks": [ + "elbv2_deletion_protection", + "rds_instance_backup_enabled", + "rds_instance_multi_az", + "s3_bucket_object_versioning" + ] + }, + { + "Id": "rp_1", + "Name": "RC.RP-1", + "Description": "Recovery plan is executed during or after a cybersecurity incident.", + "Attributes": [ + { + "ItemId": "rp_1", + "Section": "Recover (RC)", + "SubSection": "Recovery Planning (RC.RP)", + "Service": "aws" + } + ], + "Checks": [ + "dynamodb_tables_pitr_enabled", + "dynamodb_tables_pitr_enabled", + "efs_have_backup_enabled", + "efs_have_backup_enabled", + "elbv2_deletion_protection", + "rds_instance_backup_enabled", + "rds_instance_backup_enabled", + "rds_instance_multi_az", + "rds_instance_backup_enabled", + "redshift_cluster_automated_snapshot", + "s3_bucket_object_versioning" + ] + }, + { + "Id": "an_2", + "Name": "RS.AN-2", + "Description": "The impact of the incident is understood.", + "Attributes": [ + { + "ItemId": "an_2", + "Section": "Respond (RS)", + "SubSection": "Analysis (RS.AN)", + "Service": "guardduty" + } + ], + "Checks": [ + "guardduty_no_high_severity_findings" + ] + }, + { + "Id": "mi_3", + "Name": "RS.MI-3", + "Description": "Newly identified vulnerabilities are mitigated or documented as accepted risks.", + "Attributes": [ + { + "ItemId": "mi_3", + "Section": "Respond (RS)", + "SubSection": "Mitigation (RS.MI)", + "Service": "guardduty" + } + ], + "Checks": [ + "guardduty_no_high_severity_findings" + ] + }, + { + "Id": "rp_1", + "Name": "RS.RP-1", + "Description": "Response plan is executed during or after an incident.", + "Attributes": [ + { + "ItemId": 
"rp_1", + "Section": "Respond (RS)", + "SubSection": "Response Planning (RS.RP)", + "Service": "aws" + } + ], + "Checks": [ + "dynamodb_tables_pitr_enabled", + "dynamodb_tables_pitr_enabled", + "efs_have_backup_enabled", + "efs_have_backup_enabled", + "elbv2_deletion_protection", + "rds_instance_backup_enabled", + "rds_instance_backup_enabled", + "rds_instance_multi_az", + "rds_instance_backup_enabled", + "redshift_cluster_automated_snapshot", + "s3_bucket_object_versioning" + ] + } + ] +} diff --git a/prowler/compliance/aws/pci_3.2.1_aws.json b/prowler/compliance/aws/pci_3.2.1_aws.json new file mode 100644 index 00000000..f05a949c --- /dev/null +++ b/prowler/compliance/aws/pci_3.2.1_aws.json 
@@ -0,0 +1,293 @@
+{
+ "Framework": "PCI",
+ "Version": "3.2.1",
+ "Provider": "AWS",
+ "Description": "The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard. It's administered by the PCI Security Standards Council, which was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. PCI DSS applies to entities that store, process, or transmit cardholder data (CHD) or sensitive authentication data (SAD). This includes, but isn't limited to, merchants, processors, acquirers, issuers, and service providers. The PCI DSS is mandated by the card brands and administered by the Payment Card Industry Security Standards Council.",
+ "Requirements": [
+ {
+ "Id": "autoscaling",
+ "Name": "Auto Scaling",
+ "Description": "This control checks whether your Auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks. PCI DSS does not require load balancing or highly available configurations. However, this check aligns with AWS best practices.",
+ "Attributes": [
+ {
+ "ItemId": "autoscaling",
+ "Service": "autoscaling"
+ }
+ ],
+ "Checks": []
+ },
+ {
+ "Id": "cloudtrail",
+ "Name": "CloudTrail",
+ "Description": "This section contains recommendations for configuring CloudTrail resources and options.",
+ "Attributes": [
+ {
+ "ItemId": "cloudtrail",
+ "Service": "cloudtrail"
+ }
+ ],
+ "Checks": [
+ "cloudtrail_kms_encryption_enabled",
+ "cloudtrail_multi_region_enabled",
+ "cloudtrail_log_file_validation_enabled",
+ "cloudtrail_cloudwatch_logging_enabled"
+ ]
+ },
+ {
+ "Id": "codebuild",
+ "Name": "CodeBuild",
+ "Description": "This section contains recommendations for configuring CodeBuild resources and options.",
+ "Attributes": [
+ {
+ "ItemId": "codebuild",
+ "Service": "codebuild"
+ }
+ ],
+ "Checks": []
+ },
+ {
+ "Id": "config",
+ "Name": "Config",
+ "Description": "This section contains recommendations for configuring AWS Config.",
+ "Attributes": [
+ {
+ "ItemId": "config",
+ "Service": "config"
+ }
+ ],
+ "Checks": [
+ "config_recorder_all_regions_enabled"
+ ]
+ },
+ {
+ "Id": "cw",
+ "Name": "CloudWatch",
+ "Description": "This section contains recommendations for configuring CloudWatch resources and options.",
+ "Attributes": [
+ {
+ "ItemId": "cw",
+ "Service": "cloudwatch"
+ }
+ ],
+ "Checks": [
+ "cloudwatch_log_metric_filter_root_usage"
+ ]
+ },
+ {
+ "Id": "dms",
+ "Name": "DMS",
+ "Description": "This section contains recommendations for configuring AWS DMS resources and options.",
+ "Attributes": [
+ {
+ "ItemId": "dms",
+ "Service": "dms"
+ }
+ ],
+ "Checks": []
+ },
+ {
+ "Id": "ec2",
+ "Name": "EC2",
+ "Description": "This section contains recommendations for configuring EC2 resources and options.",
+ "Attributes": [
+ {
+ "ItemId": "ec2",
+ "Service": "ec2"
+ }
+ ],
+ "Checks": [
+ "ec2_ebs_public_snapshot",
+ "ec2_securitygroup_default_restrict_traffic",
+ "ec2_elastic_ip_unassgined",
+ "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
+ "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389",
+ "vpc_flow_logs_enabled"
+ ]
+ },
+ {
+ "Id": "elbv2",
+ "Name": "ELBV2",
+ "Description": "This section contains recommendations for configuring Elastic Load Balancer resources and options.",
+ "Attributes": [
+ {
+ "ItemId": "elbv2",
+ "Service": "elbv2"
+ }
+ ],
+ "Checks": []
+ },
+ {
+ "Id": "elasticsearch",
+ "Name": "Elasticsearch",
+ "Description": "This section contains recommendations for configuring Elasticsearch resources and options.",
+ "Attributes": [
+ {
+ "ItemId": "elasticsearch",
+ "Service": "elasticsearch"
+ }
+ ],
+ "Checks": [
+ "opensearch_service_domains_encryption_at_rest_enabled"
+ ]
+ },
+ {
+ "Id": "guardduty",
+ "Name": "GuardDuty",
+ "Description": "This section contains recommendations for configuring AWS GuardDuty resources and options.",
+ "Attributes": [
+ {
+ "ItemId": "guardduty",
+ "Service": "guardduty"
+ }
+ ],
+ "Checks": [
+ "guardduty_is_enabled"
+ ]
+ },
+ {
+ "Id": "iam",
+ "Name": "IAM",
+ "Description": "This section contains recommendations for configuring AWS IAM resources and options.",
+ "Attributes": [
+ {
+ "ItemId": "iam",
+ "Service": "iam"
+ }
+ ],
+ "Checks": [
+ "iam_no_root_access_key",
+ "iam_policy_no_administrative_privileges",
+ "iam_root_hardware_mfa_enabled",
+ "iam_root_mfa_enabled",
+ "iam_user_mfa_enabled_console_access",
+ "iam_disable_90_days_credentials",
+ "iam_password_policy_minimum_length_14",
+ "iam_password_policy_lowercase",
+ "iam_password_policy_number",
+ "iam_password_policy_number",
+ "iam_password_policy_symbol",
+ "iam_password_policy_uppercase"
+ ]
+ },
+ {
+ "Id": "kms",
+ "Name": "KMS",
+ "Description": "This section contains recommendations for configuring AWS KMS resources and options.",
+ "Attributes": [
+ {
+ "ItemId": "kms",
+ "Service": "kms"
+ }
+ ],
+ "Checks": [
+ "kms_cmk_rotation_enabled"
+ ]
+ },
+ {
+ "Id": "lambda",
+ "Name": "Lambda",
+ "Description": "This section contains recommendations for configuring Lambda resources and options.",
+ "Attributes": [
+ {
+ "ItemId": "lambda",
+ "Service": "lambda"
+ }
+ ],
+ "Checks": [
+ "awslambda_function_url_public",
+ "awslambda_function_not_publicly_accessible"
+ ]
+ },
+ {
+ "Id": "opensearch",
+ "Name": "OpenSearch",
+ "Description": "This section contains recommendations for configuring OpenSearch resources and options.",
+ "Attributes": [
+ {
+ "ItemId": "opensearch",
+ "Service": "opensearch"
+ }
+ ],
+ "Checks": [
+ "opensearch_service_domains_encryption_at_rest_enabled"
+ ]
+ },
+ {
+ "Id": "rds",
+ "Name": "RDS",
+ "Description": "This section contains recommendations for configuring AWS RDS resources and options.",
+ "Attributes": [
+ {
+ "ItemId": "rds",
+ "Service": "rds"
+ }
+ ],
+ "Checks": [
+ "rds_snapshots_public_access",
+ "rds_instance_no_public_access"
+ ]
+ },
+ {
+ "Id": "redshift",
+ "Name": "Redshift",
+ "Description": "This section contains recommendations for configuring AWS Redshift resources and options.",
+ "Attributes": [
+ {
+ "ItemId": "redshift",
+ "Service": "redshift"
+ }
+ ],
+ "Checks": [
+ "redshift_cluster_public_access"
+ ]
+ },
+ {
+ "Id": "s3",
+ "Name": "S3",
+ "Description": "This section contains recommendations for configuring AWS S3 resources and options.",
+ "Attributes": [
+ {
+ "ItemId": "s3",
+ "Service": "s3"
+ }
+ ],
+ "Checks": [
+ "s3_bucket_policy_public_write_access",
+ "s3_bucket_public_access",
+ "s3_bucket_default_encryption",
+ "s3_bucket_secure_transport_policy",
+ "s3_bucket_public_access"
+ ]
+ },
+ {
+ "Id": "sagemaker",
+ "Name": "SageMaker",
+ "Description": "This section contains recommendations for configuring AWS Sagemaker resources and options.",
+ "Attributes": [
+ {
+ "ItemId": "sagemaker",
+ "Service": "sagemaker"
+ }
+ ],
+ "Checks": [
+ "sagemaker_notebook_instance_without_direct_internet_access_configured"
+ ]
+ },
+ {
+ "Id": "ssm",
+ "Name": "SSM",
+ "Description": "This section contains recommendations for configuring AWS SSM resources and options.",
+ "Attributes": [
+ {
+ "ItemId": "ssm",
+ "Service": "ssm"
+ }
+ ],
+ "Checks": [
+ "ssm_managed_compliant_patching",
+ "ssm_managed_compliant_patching",
+ "ec2_instance_managed_by_ssm"
+ ]
+ }
+ ]
+}
diff --git a/prowler/compliance/aws/rbi_cyber_security_framework_aws.json b/prowler/compliance/aws/rbi_cyber_security_framework_aws.json
new file mode 100644
index 00000000..6681634d
--- /dev/null
+++ b/prowler/compliance/aws/rbi_cyber_security_framework_aws.json
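Review bot: Several "Checks" arrays in this new PCI mapping list the same check id twice — `"iam_password_policy_number"` under iam, `"s3_bucket_public_access"` under s3 and `"ssm_managed_compliant_patching"` under ssm — and the RBI hunk that follows has the same pattern (`"ec2_ebs_volume_encryption"`, `"rds_instance_storage_encrypted"`, `"s3_bucket_default_encryption"` and `"s3_bucket_public_access"` in annex_i_1_3, `"ec2_networkacl_allow_ingress_any_port"` in annex_i_5_1, `"ssm_managed_compliant_patching"` in annex_i_6, `"iam_policy_no_administrative_privileges"` in annex_i_7_1, `"cloudtrail_multi_region_enabled"` in annex_i_7_4, `"rds_instance_backup_enabled"` in annex_i_12). Unless the loader dedups the list, which is not visible here, a finding for such a check is likely to be attributed or counted twice for that requirement in compliance output, so each duplicate entry should be dropped. Separately, autoscaling, codebuild, dms and elbv2 are shipped with `"Checks": []` while their descriptions read like automated controls ("This control checks whether..."); the soc2_aws.json file in this same commit marks uncovered requirements with a `"Soc_Type": "manual"` attribute, and an equivalent marker or a comment-style note in the description (e.g. "Not yet covered by an automated check") would stop these empty entries reading as a passing control.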
@@ -0,0 +1,198 @@
+{
+ "Framework": "RBI-Cyber-Security-Framework",
+ "Version": "",
+ "Provider": "AWS",
+ "Description": "The Reserve Bank had prescribed a set of baseline cyber security controls for primary (Urban) cooperative banks (UCBs) in October 2018. On further examination, it has been decided to prescribe a comprehensive cyber security framework for the UCBs, as a graded approach, based on their digital depth and interconnectedness with the payment systems landscape, digital products offered by them and assessment of cyber security risk. The framework would mandate implementation of progressively stronger security measures based on the nature, variety and scale of digital product offerings of banks.",
+ "Requirements": [
+ {
+ "Id": "annex_i_1_1",
+ "Name": "Annex I (1.1)",
+ "Description": "UCBs should maintain an up-to-date business IT Asset Inventory Register containing the following fields, as a minimum: a) Details of the IT Asset (viz., hardware/software/network devices, key personnel, services, etc.), b. Details of systems where customer data are stored, c. Associated business applications, if any, d. Criticality of the IT asset (For example, High/Medium/Low).",
+ "Attributes": [
+ {
+ "ItemId": "annex_i_1_1",
+ "Service": "ec2"
+ }
+ ],
+ "Checks": [
+ "ec2_instance_managed_by_ssm"
+ ]
+ },
+ {
+ "Id": "annex_i_1_3",
+ "Name": "Annex I (1.3)",
+ "Description": "Appropriately manage and provide protection within and outside UCB/network, keeping in mind how the data/information is stored, transmitted, processed, accessed and put to use within/outside the UCB’s network, and level of risk they are exposed to depending on the sensitivity of the data/information.",
+ "Attributes": [
+ {
+ "ItemId": "annex_i_1_3",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "acm_certificates_expiration_check",
+ "apigateway_client_certificate_enabled",
+ "cloudtrail_kms_encryption_enabled",
+ "dynamodb_tables_kms_cmk_encryption_enabled",
+ "ec2_ebs_volume_encryption",
+ "ec2_ebs_public_snapshot",
+ "ec2_ebs_volume_encryption",
+ "ec2_instance_public_ip",
+ "efs_encryption_at_rest_enabled",
+ "elbv2_insecure_ssl_ciphers",
+ "elb_ssl_listeners",
+ "emr_cluster_master_nodes_no_public_ip",
+ "opensearch_service_domains_encryption_at_rest_enabled",
+ "opensearch_service_domains_node_to_node_encryption_enabled",
+ "kms_cmk_rotation_enabled",
+ "awslambda_function_not_publicly_accessible",
+ "awslambda_function_url_public",
+ "cloudwatch_log_group_kms_encryption_enabled",
+ "rds_instance_storage_encrypted",
+ "rds_instance_no_public_access",
+ "rds_instance_storage_encrypted",
+ "rds_snapshots_public_access",
+ "redshift_cluster_audit_logging",
+ "redshift_cluster_public_access",
+ "s3_bucket_default_encryption",
+ "s3_bucket_default_encryption",
+ "s3_bucket_secure_transport_policy",
+ "s3_bucket_public_access",
+ "s3_bucket_policy_public_write_access",
+ "s3_bucket_public_access",
+ "sagemaker_notebook_instance_without_direct_internet_access_configured",
+ "sagemaker_notebook_instance_encryption_enabled",
+ "sns_topics_kms_encryption_at_rest_enabled",
+ "ec2_networkacl_allow_ingress_any_port"
+ ]
+ },
+ {
+ "Id": "annex_i_5_1",
+ "Name": "Annex I (5.1)",
+ "Description": "The firewall configurations should be set to the highest security level and evaluation of critical device (such as firewall, network switches, security devices, etc.) configurations should be done periodically.",
+ "Attributes": [
+ {
+ "ItemId": "annex_i_5_1",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "apigateway_waf_acl_attached",
+ "elbv2_waf_acl_attached",
+ "ec2_securitygroup_default_restrict_traffic",
+ "ec2_networkacl_allow_ingress_any_port",
+ "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22",
+ "ec2_networkacl_allow_ingress_any_port"
+ ]
+ },
+ {
+ "Id": "annex_i_6",
+ "Name": "Annex I (6)",
+ "Description": "Put in place systems and processes to identify, track, manage and monitor the status of patches to servers, operating system and application software running at the systems used by the UCB officials (end-users). Implement and update antivirus protection for all servers and applicable end points preferably through a centralised system.",
+ "Attributes": [
+ {
+ "ItemId": "annex_i_6",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "guardduty_no_high_severity_findings",
+ "rds_instance_minor_version_upgrade_enabled",
+ "redshift_cluster_automatic_upgrades",
+ "ssm_managed_compliant_patching",
+ "ssm_managed_compliant_patching"
+ ]
+ },
+ {
+ "Id": "annex_i_7_1",
+ "Name": "Annex I (7.1)",
+ "Description": "Disallow administrative rights on end-user workstations/PCs/laptops and provide access rights on a ‘need to know’ and ‘need to do’ basis.",
+ "Attributes": [
+ {
+ "ItemId": "annex_i_7_1",
+ "Service": "iam"
+ }
+ ],
+ "Checks": [
+ "iam_policy_no_administrative_privileges",
+ "iam_policy_attached_only_to_group_or_roles",
+ "iam_policy_no_administrative_privileges",
+ "iam_no_root_access_key"
+ ]
+ },
+ {
+ "Id": "annex_i_7_2",
+ "Name": "Annex I (7.2)",
+ "Description": "Passwords should be set as complex and lengthy and users should not use same passwords for all the applications/systems/devices.",
+ "Attributes": [
+ {
+ "ItemId": "annex_i_7_2",
+ "Service": "iam"
+ }
+ ],
+ "Checks": [
+ "iam_password_policy_reuse_24"
+ ]
+ },
+ {
+ "Id": "annex_i_7_3",
+ "Name": "Annex I (7.3)",
+ "Description": "Remote Desktop Protocol (RDP) which allows others to access the computer remotely over a network or over the internet should be always disabled and should be enabled only with the approval of the authorised officer of the UCB. Logs for such remote access shall be enabled and monitored for suspicious activities.",
+ "Attributes": [
+ {
+ "ItemId": "annex_i_7_3",
+ "Service": "vpc"
+ }
+ ],
+ "Checks": [
+ "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22"
+ ]
+ },
+ {
+ "Id": "annex_i_7_4",
+ "Name": "Annex I (7.4)",
+ "Description": "Implement appropriate (e.g. centralised) systems and controls to allow, manage, log and monitor privileged/super user/administrative access to critical systems (servers/databases, applications, network devices etc.)",
+ "Attributes": [
+ {
+ "ItemId": "annex_i_7_4",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "apigateway_logging_enabled",
+ "cloudtrail_multi_region_enabled",
+ "cloudtrail_s3_dataevents_read_enabled",
+ "cloudtrail_s3_dataevents_write_enabled",
+ "cloudtrail_multi_region_enabled",
+ "cloudtrail_cloudwatch_logging_enabled",
+ "cloudwatch_log_group_retention_policy_specific_days_enabled",
+ "elbv2_logging_enabled",
+ "elb_logging_enabled",
+ "opensearch_service_domains_cloudwatch_logging_enabled",
+ "rds_instance_integration_cloudwatch_logs",
+ "redshift_cluster_audit_logging",
+ "s3_bucket_server_access_logging_enabled",
+ "securityhub_enabled",
+ "vpc_flow_logs_enabled"
+ ]
+ },
+ {
+ "Id": "annex_i_12",
+ "Name": "Annex I (12)",
+ "Description": "Take periodic back up of the important data and store this data ‘off line’ (i.e., transferring important files to a storage device that can be detached from a computer/system after copying all the files).",
+ "Attributes": [
+ {
+ "ItemId": "annex_i_12",
+ "Service": "aws"
+ }
+ ],
+ "Checks": [
+ "dynamodb_tables_pitr_enabled",
+ "efs_have_backup_enabled",
+ "rds_instance_backup_enabled",
+ "rds_instance_backup_enabled",
+ "redshift_cluster_automated_snapshot",
+ "s3_bucket_object_versioning"
+ ]
+ }
+ ]
+}
diff --git a/prowler/compliance/aws/soc2_aws.json b/prowler/compliance/aws/soc2_aws.json
new file mode 100644
index 00000000..ae1a46a3
--- /dev/null
+++ b/prowler/compliance/aws/soc2_aws.json
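Review bot: Requirement annex_i_7_3 is described as the RDP control ("Remote Desktop Protocol (RDP) ... should be always disabled") but its only mapped check is `"ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22"`, which covers SSH; the RDP check id `"ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_3389"` already exists, since the PCI mapping in this same commit uses it, and looks like the intended entry here (keeping port 22 as well is defensible, but port 3389 should not be absent). The check id is the only thing the engine can match on, so with the current list a security group open to 3389 from the internet would be reported as compliant with this requirement. The file also ships `"Version": ""` while the other frameworks in this commit carry a version string; if the RBI framework has no formal version the description should say which circular or date the mapping follows so reports are not left with an empty field.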
@@ -0,0 +1,914 @@ +{ + "Framework": "SOC2", + "Version": "", + "Provider": "AWS", + "Description": "System and Organization Controls (SOC), defined by the American Institute of Certified Public Accountants (AICPA), is the name of a set of reports that's produced during an audit. It's intended for use by service organizations (organizations that provide information systems as a service to other organizations) to issue validated reports of internal controls over those information systems to the users of those services. The reports focus on controls grouped into five categories known as Trust Service Principles.", + "Requirements": [ + { + "Id": "cc_1_1", + "Name": "CC1.1 COSO Principle 1: The entity demonstrates a commitment to integrity and ethical values", + "Description": "Sets the Tone at the Top - The board of directors and management, at all levels, demonstrate through their directives, actions, and behavior the importance of integrity and ethical values to support the functioning of the system of internal control.Establishes Standards of Conduct - The expectations of the board of directors and senior management concerning integrity and ethical values are defined in the entity’s standards of conduct and understood at all levels of the entity and by outsourced service providers and business partners. Evaluates Adherence to Standards of Conduct - Processes are in place to evaluate the performance of individuals and teams against the entity’s expected standards of conduct. 
Addresses Deviations in a Timely Manner - Deviations from the entity’s expected standards of conduct are identified and remedied in a timely and consistent manner.", + "Attributes": [ + { + "ItemId": "cc_1_1", + "Section": "CC1.0 - Common Criteria Related to Control Environment", + "Service": "aws", + "Soc_Type": "manual" + } + ], + "Checks": [] + }, + { + "Id": "cc_1_2", + "Name": "CC1.2 COSO Principle 2: The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control", + "Description": "Establishes Oversight Responsibilities - The board of directors identifies and accepts its oversight responsibilities in relation to established requirements and expectations. Applies Relevant Expertise - The board of directors defines, maintains, and periodically evaluates the skills and expertise needed among its members to enable them to ask probing questions of senior management and take commensurate action. Operates Independently - The board of directors has sufficient members who are independent from management and objective in evaluations and decision making. 
Additional point of focus specifically related to all engagements using the trust services criteria: Supplements Board Expertise - The board of directors supplements its expertise relevant to security, availability, processing integrity, confidentiality, and privacy, as needed, through the use of a subcommittee or consultants.", + "Attributes": [ + { + "ItemId": "cc_1_2", + "Section": "CC1.0 - Common Criteria Related to Control Environment", + "Service": "aws", + "Soc_Type": "manual" + } + ], + "Checks": [] + }, + { + "Id": "cc_1_3", + "Name": "CC1.3 COSO Principle 3: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives", + "Description": "Considers All Structures of the Entity - Management and the board of directors consider the multiple structures used (including operating units, legal entities, geographic distribution, and outsourced service providers) to support the achievement of objectives. Establishes Reporting Lines - Management designs and evaluates lines of reporting for each entity structure to enable execution of authorities and responsibilities and flow of information to manage the activities of the entity. Defines, Assigns, and Limits Authorities and Responsibilities - Management and the board of directors delegate authority, define responsibilities, and use appropriate processes and technology to assign responsibility and segregate duties as necessary at the various levels of the organization. Additional points of focus specifically related to all engagements using the trust services criteria: Addresses Specific Requirements When Defining Authorities and Responsibilities—Management and the board of directors consider requirements relevant to security, availability, processing integrity, confidentiality, and privacy when defining authorities and responsibilities. 
Considers Interactions With External Parties When Establishing Structures, Reporting Lines, Authorities, and Responsibilities — Management and the board of directors consider the need for the entity to interact with and monitor the activities of external parties when establishing structures, reporting lines, authorities, and responsibilities.", + "Attributes": [ + { + "ItemId": "cc_1_3", + "Section": "CC1.0 - Common Criteria Related to Control Environment", + "Service": "aws", + "Soc_Type": "automated" + } + ], + "Checks": [ + "iam_policy_attached_only_to_group_or_roles", + "iam_policy_no_administrative_privileges", + "iam_disable_90_days_credentials" + ] + }, + { + "Id": "cc_1_4", + "Name": "CC1.4 COSO Principle 4: The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives", + "Description": "Establishes Policies and Practices - Policies and practices reflect expectations of competence necessary to support the achievement of objectives. 
Evaluates Competence and Addresses Shortcomings - The board of directors and management evaluate competence across the entity and in outsourced service providers in relation to established policies and practices and act as necessary to address shortcomings.Attracts, Develops, and Retains Individuals - The entity provides the mentoring and training needed to attract, develop, and retain sufficient and competent personnel and outsourced service providers to support the achievement of objectives.Plans and Prepares for Succession - Senior management and the board of directors develop contingency plans for assignments of responsibility important for internal control.Additional point of focus specifically related to all engagements using the trust services criteria:Considers the Background of Individuals - The entity considers the background of potential and existing personnel, contractors, and vendor employees when determining whether to employ and retain the individuals.Considers the Technical Competency of Individuals - The entity considers the technical competency of potential and existing personnel, contractors, and vendor employees when determining whether to employ and retain the individuals.Provides Training to Maintain Technical Competencies - The entity provides training programs, including continuing education and training, to ensure skill sets and technical competency of existing personnel, contractors, and vendor employees are developed and maintained.", + "Attributes": [ + { + "ItemId": "cc_1_4", + "Section": "CC1.0 - Common Criteria Related to Control Environment", + "Service": "aws", + "Soc_Type": "manual" + } + ], + "Checks": [] + }, + { + "Id": "cc_1_5", + "Name": "CC1.5 COSO Principle 5: The entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives", + "Description": "Enforces Accountability Through Structures, Authorities, and Responsibilities - Management and the board of directors establish the 
mechanisms to communicate and hold individuals accountable for performance of internal control responsibilities across the entity and implement corrective action as necessary. Establishes Performance Measures, Incentives, and Rewards - Management and the board of directors establish performance measures, incentives, and other rewards appropriate for responsibilities at all levels of the entity, reflecting appropriate dimensions of performance and expected standards of conduct, and considering the achievement of both short-term and longer-term objectives.Evaluates Performance Measures, Incentives, and Rewards for Ongoing Relevance - Management and the board of directors align incentives and rewards with the fulfillment of internal control responsibilities in the achievement of objectives.Considers Excessive Pressures - Management and the board of directors evaluate and adjust pressures associated with the achievement of objectives as they assign responsibilities, develop performance measures, and evaluate performance. Evaluates Performance and Rewards or Disciplines Individuals - Management and the board of directors evaluate performance of internal control responsibilities, including adherence to standards of conduct and expected levels of competence, and provide rewards or exercise disciplinary action, as appropriate.", + "Attributes": [ + { + "ItemId": "cc_1_5", + "Section": "CC1.0 - Common Criteria Related to Control Environment", + "Service": "aws", + "Soc_Type": "manual" + } + ], + "Checks": [] + }, + { + "Id": "cc_2_1", + "Name": "CC2.1 COSO Principle 13: The entity obtains or generates and uses relevant, quality information to support the functioning of internal control", + "Description": "Identifies Information Requirements - A process is in place to identify the information required and expected to support the functioning of the other components of internal control and the achievement of the entity’s objectives. 
Captures Internal and External Sources of Data - Information systems capture internal and external sources of data. Processes Relevant Data Into Information - Information systems process and transform relevant data into information. Maintains Quality Throughout Processing - Information systems produce information that is timely, current, accurate, complete, accessible, protected, verifiable, and retained. Information is reviewed to assess its relevance in supporting the internal control components.", + "Attributes": [ + { + "ItemId": "cc_2_1", + "Section": "CC2.0 - Common Criteria Related to Communication and Information", + "Service": "aws", + "Soc_Type": "automated" + } + ], + "Checks": [ + "cloudtrail_s3_dataevents_read_enabled", + "cloudtrail_s3_dataevents_write_enabled", + "cloudtrail_multi_region_enabled", + "config_recorder_all_regions_enabled" + ] + }, + { + "Id": "cc_2_2", + "Name": "CC2.2 COSO Principle 14: The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control", + "Description": "Communicates Internal Control Information - A process is in place to communicate required information to enable all personnel to understand and carry out their internal control responsibilities. Communicates With the Board of Directors - Communication exists between management and the board of directors so that both have information needed to fulfill their roles with respect to the entity’s objectives. Provides Separate Communication Lines - Separate communication channels, such as whistle-blower hotlines, are in place and serve as fail-safe mechanisms to enable anonymous or confidential communication when normal channels are inoperative or ineffective. Selects Relevant Method of Communication - The method of communication considers the timing, audience, and nature of the information. 
Additional point of focus specifically related to all engagements using the trust services criteria: Communicates Responsibilities - Entity personnel with responsibility for designing, developing, implementing,operating, maintaining, or monitoring system controls receive communications about their responsibilities, including changes in their responsibilities, and have the information necessary to carry out those responsibilities. Communicates Information on Reporting Failures, Incidents, Concerns, and Other Matters—Entity personnel are provided with information on how to report systems failures, incidents, concerns, and other complaints to personnel. Communicates Objectives and Changes to Objectives - The entity communicates its objectives and changes to those objectives to personnel in a timely manner. Communicates Information to Improve Security Knowledge and Awareness - The entity communicates information to improve security knowledge and awareness and to model appropriate security behaviors to personnel through a security awareness training program. Additional points of focus that apply only when an engagement using the trust services criteria is performed at the system level: Communicates Information About System Operation and Boundaries - The entity prepares and communicates information about the design and operation of the system and its boundaries to authorized personnel to enable them to understand their role in the system and the results of system operation. Communicates System Objectives - The entity communicates its objectives to personnel to enable them to carry out their responsibilities. 
Communicates System Changes - System changes that affect responsibilities or the achievement of the entity's objectives are communicated in a timely manner.", + "Attributes": [ + { + "ItemId": "cc_2_2", + "Section": "CC2.0 - Common Criteria Related to Communication and Information", + "Service": "aws", + "Soc_Type": "manual" + } + ], + "Checks": [] + }, + { + "Id": "cc_2_3", + "Name": "CC2.3 COSO Principle 15: The entity communicates with external parties regarding matters affecting the functioning of internal control", + "Description": "Communicates to External Parties - Processes are in place to communicate relevant and timely information to external parties, including shareholders, partners, owners, regulators, customers, financial analysts, and other external parties. Enables Inbound Communications - Open communication channels allow input from customers, consumers, suppliers, external auditors, regulators, financial analysts, and others, providing management and the board of directors with relevant information. Communicates With the Board of Directors - Relevant information resulting from assessments conducted by external parties is communicated to the board of directors. Provides Separate Communication Lines - Separate communication channels, such as whistle-blower hotlines, are in place and serve as fail-safe mechanisms to enable anonymous or confidential communication when normal channels are inoperative or ineffective. Selects Relevant Method of Communication - The method of communication considers the timing, audience, and nature of the communication and legal, regulatory, and fiduciary requirements and expectations. Communicates Objectives Related to Confidentiality and Changes to Objectives - The entity communicates, to external users, vendors, business partners and others whose products and services are part of the system, objectives and changes to objectives related to confidentiality. 
Additional point of focus that applies only to an engagement using the trust services criteria for privacy: Communicates Objectives Related to Privacy and Changes to Objectives - The entity communicates, to external users, vendors, business partners and others whose products and services are part of the system, objectives related to privacy and changes to those objectives. Additional points of focus that apply only when an engagement using the trust services criteria is performed at the system level: Communicates Information About System Operation and Boundaries - The entity prepares and communicates information about the design and operation of the system and its boundaries to authorized external users to permit users to understand their role in the system and the results of system operation. Communicates System Objectives - The entity communicates its system objectives to appropriate external users. Communicates System Responsibilities - External users with responsibility for designing, developing, implementing, operating, maintaining, and monitoring system controls receive communications about their responsibilities and have the information necessary to carry out those responsibilities. 
Communicates Information on Reporting System Failures, Incidents, Concerns, and Other Matters - External users are provided with information on how to report systems failures, incidents, concerns, and other complaints to appropriate personnel.", + "Attributes": [ + { + "ItemId": "cc_2_3", + "Section": "CC2.0 - Common Criteria Related to Communication and Information", + "Service": "aws", + "Soc_Type": "manual" + } + ], + "Checks": [] + }, + { + "Id": "cc_3_1", + "Name": "CC3.1 COSO Principle 6: The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives", + "Description": "Operations Ojectives:Reflects Management's Choices - Operations objectives reflect management's choices about structure, industry considerations, and performance of the entity.Considers Tolerances for Risk - Management considers the acceptable levels of variation relative to the achievement of operations objectives.External Financial Reporting Objectives:Complies With Applicable Accounting Standards - Financial reporting objectives are consistent with accounting principles suitable and available for that entity. 
The accounting principles selected are appropriate in the circumstances.External Nonfinancial Reporting Objectives:Complies With Externally Established Frameworks - Management establishes objectives consistent with laws and regulations or standards and frameworks of recognized external organizations.Reflects Entity Activities - External reporting reflects the underlying transactions and events within a range of acceptable limits.Considers the Required Level of Precision—Management reflects the required level of precision and accuracy suitable for user needs and based on criteria established by third parties in nonfinancial reporting.Internal Reporting Objectives:Reflects Management's Choices - Internal reporting provides management with accurate and complete information regarding management's choices and information needed in managing the entity.Considers the Required Level of Precision—Management reflects the required level of precision and accuracy suitable for user needs in nonfinancial reporting objectives and materiality within financial reporting objectives.Reflects Entity Activities—Internal reporting reflects the underlying transactions and events within a range of acceptable limits.Compliance Objectives:Reflects External Laws and Regulations - Laws and regulations establish minimum standards of conduct, which the entity integrates into compliance objectives.Considers Tolerances for Risk - Management considers the acceptable levels of variation relative to the achievement of operations objectives.Additional point of focus specifically related to all engagements using the trust services criteria: Establishes Sub-objectives to Support Objectives—Management identifies sub-objectives related to security, availability, processing integrity, confidentiality, and privacy to support the achievement of the entity’s objectives related to reporting, operations, and compliance.",
+ "Attributes": [
+ {
+ "ItemId": "cc_3_1",
+ "Section": "CC3.0 - Common Criteria Related 
to Risk Assessment",
+ "Service": "aws",
+ "Soc_Type": "automated"
+ }
+ ],
+ "Checks": [
+ "guardduty_is_enabled",
+ "securityhub_enabled",
+ "config_recorder_all_regions_enabled"
+ ]
+ },
+ {
+ "Id": "cc_3_2",
+ "Name": "CC3.2 COSO Principle 7: The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed",
+ "Description": "Includes Entity, Subsidiary, Division, Operating Unit, and Functional Levels - The entity identifies and assesses risk at the entity, subsidiary, division, operating unit, and functional levels relevant to the achievement of objectives.Analyzes Internal and External Factors - Risk identification considers both internal and external factors and their impact on the achievement of objectives.Involves Appropriate Levels of Management - The entity puts into place effective risk assessment mechanisms that involve appropriate levels of management.Estimates Significance of Risks Identified - Identified risks are analyzed through a process that includes estimating the potential significance of the risk.Determines How to Respond to Risks - Risk assessment includes considering how the risk should be managed and whether to accept, avoid, reduce, or share the risk.Additional points of focus specifically related to all engagements using the trust services criteria:Identifies and Assesses Criticality of Information Assets and Identifies Threats and Vulnerabilities - The entity's risk identification and assessment process includes (1) identifying information assets, including physical devices and systems, virtual devices, software, data and data flows, external information systems, and organizational roles; (2) assessing the criticality of those information assets; (3) identifying the threats to the assets from intentional (including malicious) and unintentional acts and environmental events; and (4) identifying the vulnerabilities of the identified assets.",
+ 
"Attributes": [
+ {
+ "ItemId": "cc_3_2",
+ "Section": "CC3.0 - Common Criteria Related to Risk Assessment",
+ "Service": "aws",
+ "Soc_Type": "automated"
+ }
+ ],
+ "Checks": [
+ "ec2_instance_managed_by_ssm",
+ "ssm_managed_compliant_patching",
+ "guardduty_no_high_severity_findings",
+ "guardduty_is_enabled",
+ "ssm_managed_compliant_patching"
+ ]
+ },
+ {
+ "Id": "cc_3_3",
+ "Name": "CC3.3 COSO Principle 8: The entity considers the potential for fraud in assessing risks to the achievement of objectives",
+ "Description": "Considers Various Types of Fraud - The assessment of fraud considers fraudulent reporting, possible loss of assets, and corruption resulting from the various ways that fraud and misconduct can occur.Assesses Incentives and Pressures - The assessment of fraud risks considers incentives and pressures.Assesses Opportunities - The assessment of fraud risk considers opportunities for unauthorized acquisition,use, or disposal of assets, altering the entity’s reporting records, or committing other inappropriate acts.Assesses Attitudes and Rationalizations - The assessment of fraud risk considers how management and other personnel might engage in or justify inappropriate actions.Additional point of focus specifically related to all engagements using the trust services criteria: Considers the Risks Related to the Use of IT and Access to Information - The assessment of fraud risks includes consideration of threats and vulnerabilities that arise specifically from the use of IT and access to information.",
+ "Attributes": [
+ {
+ "ItemId": "cc_3_3",
+ "Section": "CC3.0 - Common Criteria Related to Risk Assessment",
+ "Service": "aws",
+ "Soc_Type": "manual"
+ }
+ ],
+ "Checks": []
+ },
+ {
+ "Id": "cc_3_4",
+ "Name": "CC3.4 COSO Principle 9: The entity identifies and assesses changes that could significantly impact the system of internal control",
+ "Description": "Assesses Changes in the External Environment - The risk identification process considers 
changes to the regulatory, economic, and physical environment in which the entity operates.Assesses Changes in the Business Model - The entity considers the potential impacts of new business lines, dramatically altered compositions of existing business lines, acquired or divested business operations on the system of internal control, rapid growth, changing reliance on foreign geographies, and new technologies.Assesses Changes in Leadership - The entity considers changes in management and respective attitudes and philosophies on the system of internal control.Assess Changes in Systems and Technology - The risk identification process considers changes arising from changes in the entity’s systems and changes in the technology environment.Assess Changes in Vendor and Business Partner Relationships - The risk identification process considers changes in vendor and business partner relationships.",
+ "Attributes": [
+ {
+ "ItemId": "cc_3_4",
+ "Section": "CC3.0 - Common Criteria Related to Risk Assessment",
+ "Service": "config",
+ "Soc_Type": "automated"
+ }
+ ],
+ "Checks": [
+ "config_recorder_all_regions_enabled"
+ ]
+ },
+ {
+ "Id": "cc_4_1",
+ "Name": "CC4.1 COSO Principle 16: The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning",
+ "Description": "Considers a Mix of Ongoing and Separate Evaluations - Management includes a balance of ongoing and separate evaluations.Considers Rate of Change - Management considers the rate of change in business and business processes when selecting and developing ongoing and separate evaluations.Establishes Baseline Understanding - The design and current state of an internal control system are used to establish a baseline for ongoing and separate evaluations.Uses Knowledgeable Personnel - Evaluators performing ongoing and separate evaluations have sufficient knowledge to understand what is being evaluated.Integrates With 
Business Processes - Ongoing evaluations are built into the business processes and adjust to changing conditions.Adjusts Scope and Frequency—Management varies the scope and frequency of separate evaluations depending on risk.Objectively Evaluates - Separate evaluations are performed periodically to provide objective feedback.Considers Different Types of Ongoing and Separate Evaluations - Management uses a variety of different types of ongoing and separate evaluations, including penetration testing, independent certification made against established specifications (for example, ISO certifications), and internal audit assessments.",
+ "Attributes": [
+ {
+ "ItemId": "cc_4_1",
+ "Section": "CC4.0 - Monitoring Activities",
+ "Service": "aws",
+ "Soc_Type": "manual"
+ }
+ ],
+ "Checks": []
+ },
+ {
+ "Id": "cc_4_2",
+ "Name": "CC4.2 COSO Principle 17: The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate",
+ "Description": "Assesses Results - Management and the board of directors, as appropriate, assess results of ongoing and separate evaluations.Communicates Deficiencies - Deficiencies are communicated to parties responsible for taking corrective action and to senior management and the board of directors, as appropriate.Monitors Corrective Action - Management tracks whether deficiencies are remedied on a timely basis.",
+ "Attributes": [
+ {
+ "ItemId": "cc_4_2",
+ "Section": "CC4.0 - Monitoring Activities",
+ "Service": "guardduty",
+ "Soc_Type": "automated"
+ }
+ ],
+ "Checks": [
+ "guardduty_is_enabled",
+ "guardduty_no_high_severity_findings"
+ ]
+ },
+ {
+ "Id": "cc_5_1",
+ "Name": "CC5.1 COSO Principle 10: The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels",
+ "Description": "Integrates With Risk Assessment 
- Control activities help ensure that risk responses that address and mitigate risks are carried out.Considers Entity-Specific Factors - Management considers how the environment, complexity, nature, and scope of its operations, as well as the specific characteristics of its organization, affect the selection and development of control activities.Determines Relevant Business Processes - Management determines which relevant business processes require control activities.Evaluates a Mix of 2017 Data Submitted Types - Control activities include a range and variety of controls and may include a balance of approaches to mitigate risks, considering both manual and automated controls, and preventive and detective controls.Considers at What Level Activities Are Applied - Management considers control activities at various levels in the entity.Addresses Segregation of Duties - Management segregates incompatible duties, and where such segregation is not practical, management selects and develops alternative control activities.",
+ "Attributes": [
+ {
+ "ItemId": "cc_5_1",
+ "Section": "CC5.0 - Control Activities",
+ "Service": "aws",
+ "Soc_Type": "manual"
+ }
+ ],
+ "Checks": []
+ },
+ {
+ "Id": "cc_5_2",
+ "Name": "CC5.2 COSO Principle 11: The entity also selects and develops general control activities over technology to support the achievement of objectives",
+ "Description": "Determines Dependency Between the Use of Technology in Business Processes and Technology General Controls - Management understands and determines the dependency and linkage between business processes, automated control activities, and technology general controls.Establishes Relevant Technology Infrastructure Control Activities - Management selects and develops control activities over the technology infrastructure, which are designed and implemented to help ensure the completeness, accuracy, and availability of technology processing.Establishes Relevant Security Management Process Controls Activities - 
Management selects and develops control activities that are designed and implemented to restrict technology access rights to authorized users commensurate with their job responsibilities and to protect the entity’s assets from external threats.Establishes Relevant Technology Acquisition, Development, and Maintenance Process Control Activities - Management selects and develops control activities over the acquisition, development, and maintenance of technology and its infrastructure to achieve management’s objectives.",
+ "Attributes": [
+ {
+ "ItemId": "cc_5_2",
+ "Section": "CC5.0 - Control Activities",
+ "Service": "aws",
+ "Soc_Type": "manual"
+ }
+ ],
+ "Checks": []
+ },
+ {
+ "Id": "cc_5_3",
+ "Name": "CCC5.3 COSO Principle 12: The entity deploys control activities through policies that establish what is expected and in procedures that put policies into action",
+ "Description": "Establishes Policies and Procedures to Support Deployment of Management ‘s Directives - Management establishes control activities that are built into business processes and employees’ day-to-day activities through policies establishing what is expected and relevant procedures specifying actions.Establishes Responsibility and Accountability for Executing Policies and Procedures - Management establishes responsibility and accountability for control activities with management (or other designated personnel) of the business unit or function in which the relevant risks reside.Performs in a Timely Manner - Responsible personnel perform control activities in a timely manner as defined by the policies and procedures.Takes Corrective Action - Responsible personnel investigate and act on matters identified as a result of executing control activities.Performs Using Competent Personnel - Competent personnel with sufficient authority perform control activities with diligence and continuing focus.Reassesses Policies and Procedures - Management periodically reviews control activities to determine 
their continued relevance and refreshes them when necessary.",
+ "Attributes": [
+ {
+ "ItemId": "cc_5_3",
+ "Section": "CC5.0 - Control Activities",
+ "Service": "aws",
+ "Soc_Type": "manual"
+ }
+ ],
+ "Checks": []
+ },
+ {
+ "Id": "cc_6_1",
+ "Name": "CC6.1 The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives",
+ "Description": "Identifies and Manages the Inventory of Information Assets - The entity identifies, inventories, classifies, and manages information assets.Restricts Logical Access - Logical access to information assets, including hardware, data (at-rest, during processing, or in transmission), software, administrative authorities, mobile devices, output, and offline system components is restricted through the use of access control software and rule sets.Identifies and Authenticates Users - Persons, infrastructure and software are identified and authenticated prior to accessing information assets, whether locally or remotely.Considers Network Segmentation - Network segmentation permits unrelated portions of the entity's information system to be isolated from each other.Manages Points of Access - Points of access by outside entities and the types of data that flow through the points of access are identified, inventoried, and managed. 
The types of individuals and systems using each point of access are identified, documented, and managed.Restricts Access to Information Assets - Combinations of data classification, separate data structures, port restrictions, access protocol restrictions, user identification, and digital certificates are used to establish access control rules for information assets.Manages Identification and Authentication - Identification and authentication requirements are established, documented, and managed for individuals and systems accessing entity information, infrastructure and software.Manages Credentials for Infrastructure and Software - New internal and external infrastructure and software are registered, authorized, and documented prior to being granted access credentials and implemented on the network or access point. Credentials are removed and access is disabled when access is no longer required or the infrastructure and software are no longer in use.Uses Encryption to Protect Data - The entity uses encryption to supplement other measures used to protect data-at-rest, when such protections are deemed appropriate based on assessed risk.Protects Encryption Keys - Processes are in place to protect encryption keys during generation, storage, use, and destruction.",
+ "Attributes": [
+ {
+ "ItemId": "cc_6_1",
+ "Section": "CC6.0 - Logical and Physical Access",
+ "Service": "s3",
+ "Soc_Type": "automated"
+ }
+ ],
+ "Checks": [
+ "s3_bucket_public_access"
+ ]
+ },
+ {
+ "Id": "cc_6_2",
+ "Name": "CC6.2 Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity",
+ "Description": "Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. 
For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized.Controls Access Credentials to Protected Assets - Information asset access credentials are created based on an authorization from the system's asset owner or authorized custodian.Removes Access to Protected Assets When Appropriate - Processes are in place to remove credential access when an individual no longer requires such access.Reviews Appropriateness of Access Credentials - The appropriateness of access credentials is reviewed on a periodic basis for unnecessary and inappropriate individuals with credentials.",
+ "Attributes": [
+ {
+ "ItemId": "cc_6_2",
+ "Section": "CC6.0 - Logical and Physical Access",
+ "Service": "rds",
+ "Soc_Type": "automated"
+ }
+ ],
+ "Checks": [
+ "rds_instance_no_public_access"
+ ]
+ },
+ {
+ "Id": "cc_6_3",
+ "Name": "CC6.3 The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity’s objectives",
+ "Description": "Creates or Modifies Access to Protected Information Assets - Processes are in place to create or modify access to protected information assets based on authorization from the asset’s owner.Removes Access to Protected Information Assets - Processes are in place to remove access to protected information assets when an individual no longer requires access.Uses Role-Based Access Controls - Role-based access control is utilized to support segregation of incompatible functions.",
+ "Attributes": [
+ {
+ "ItemId": "cc_6_3",
+ "Section": "CC6.0 - Logical and Physical Access",
+ "Service": "iam",
+ "Soc_Type": "automated"
+ }
+ ],
+ "Checks": [
+ "iam_policy_no_administrative_privileges"
+ ]
+ },
+ {
+ "Id": "cc_6_4",
+ "Name": "CC6.4 The entity restricts physical 
access to facilities and protected information assets to authorized personnel to meet the entity’s objectives",
+ "Description": "Creates or Modifies Physical Access - Processes are in place to create or modify physical access to facilities such as data centers, office spaces, and work areas, based on authorization from the system's asset owner.Removes Physical Access - Processes are in place to remove access to physical resources when an individual no longer requires access.Reviews Physical Access - Processes are in place to periodically review physical access to ensure consistency with job responsibilities.",
+ "Attributes": [
+ {
+ "ItemId": "cc_6_4",
+ "Section": "CC6.0 - Logical and Physical Access",
+ "Service": "aws",
+ "Soc_Type": "manual"
+ }
+ ],
+ "Checks": []
+ },
+ {
+ "Id": "cc_6_5",
+ "Name": "CC6.5 The entity discontinues logical and physical protections over physical assets only after the ability to read or recover data and software from those assets has been diminished and is no longer required to meet the entity’s objectives",
+ "Description": "Identifies Data and Software for Disposal - Procedures are in place to identify data and software stored on equipment to be disposed and to render such data and software unreadable.Removes Data and Software From Entity Control - Procedures are in place to remove data and software stored on equipment to be removed from the physical control of the entity and to render such data and software unreadable.",
+ "Attributes": [
+ {
+ "ItemId": "cc_6_5",
+ "Section": "CC6.0 - Logical and Physical Access",
+ "Service": "aws",
+ "Soc_Type": "manual"
+ }
+ ],
+ "Checks": []
+ },
+ {
+ "Id": "cc_6_6",
+ "Name": "CC6.6 The entity implements logical access security measures to protect against threats from sources outside its system boundaries",
+ "Description": "Restricts Access — The types of activities that can occur through a communication channel (for example, FTP site, router port) are restricted.Protects 
Identification and Authentication Credentials — Identification and authentication credentials are protected during transmission outside its system boundaries.Requires Additional Authentication or Credentials — Additional authentication information or credentials are required when accessing the system from outside its boundaries.Implements Boundary Protection Systems — Boundary protection systems (for example, firewalls, demilitarized zones, and intrusion detection systems) are implemented to protect external access points from attempts and unauthorized access and are monitored to detect such attempts.",
+ "Attributes": [
+ {
+ "ItemId": "cc_6_6",
+ "Section": "CC6.0 - Logical and Physical Access",
+ "Service": "ec2",
+ "Soc_Type": "automated"
+ }
+ ],
+ "Checks": [
+ "ec2_instance_public_ip"
+ ]
+ },
+ {
+ "Id": "cc_6_7",
+ "Name": "CC6.7 The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives",
+ "Description": "Restricts the Ability to Perform Transmission - Data loss prevention processes and technologies are used to restrict ability to authorize and execute transmission, movement and removal of information.Uses Encryption Technologies or Secure Communication Channels to Protect Data - Encryption technologies or secured communication channels are used to protect transmission of data and other communications beyond connectivity access points.Protects Removal Media - Encryption technologies and physical asset protections are used for removable media (such as USB drives and back-up tapes), as appropriate.Protects Mobile Devices - Processes are in place to protect mobile devices (such as laptops, smart phones and tablets) that serve as information assets.",
+ "Attributes": [
+ {
+ "ItemId": "cc_6_7",
+ "Section": "CC6.0 - Logical and Physical Access",
+ "Service": "acm",
+ "Soc_Type": "automated"
+ }
+ 
],
+ "Checks": [
+ "acm_certificates_expiration_check"
+ ]
+ },
+ {
+ "Id": "cc_6_8",
+ "Name": "CC6.8 The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity’s objectives",
+ "Description": "Restricts Application and Software Installation - The ability to install applications and software is restricted to authorized individuals.Detects Unauthorized Changes to Software and Configuration Parameters - Processes are in place to detect changes to software and configuration parameters that may be indicative of unauthorized or malicious software.Uses a Defined Change Control Process - A management-defined change control process is used for the implementation of software.Uses Antivirus and Anti-Malware Software - Antivirus and anti-malware software is implemented and maintained to provide for the interception or detection and remediation of malware.Scans Information Assets from Outside the Entity for Malware and Other Unauthorized Software - Procedures are in place to scan information assets that have been transferred or returned to the entity’s custody for malware and other unauthorized software and to remove any items detected prior to its implementation on the network.",
+ "Attributes": [
+ {
+ "ItemId": "cc_6_8",
+ "Section": "CC6.0 - Logical and Physical Access",
+ "Service": "aws",
+ "Soc_Type": "automated"
+ }
+ ],
+ "Checks": [
+ "guardduty_is_enabled",
+ "securityhub_enabled"
+ ]
+ },
+ {
+ "Id": "cc_7_1",
+ "Name": "CC7.1 To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities",
+ "Description": "Uses Defined Configuration Standards - Management has defined configuration standards.Monitors Infrastructure and Software - The entity monitors infrastructure and software for noncompliance with the standards, 
which could threaten the achievement of the entity's objectives.Implements Change-Detection Mechanisms - The IT system includes a change-detection mechanism (for example, file integrity monitoring tools) to alert personnel to unauthorized modifications of critical system files, configuration files, or content files.Detects Unknown or Unauthorized Components - Procedures are in place to detect the introduction of unknown or unauthorized components.Conducts Vulnerability Scans - The entity conducts vulnerability scans designed to identify potential vulnerabilities or misconfigurations on a periodic basis and after any significant change in the environment and takes action to remediate identified deficiencies on a timely basis.",
+ "Attributes": [
+ {
+ "ItemId": "cc_7_1",
+ "Section": "CC7.0 - System Operations",
+ "Service": "aws",
+ "Soc_Type": "automated"
+ }
+ ],
+ "Checks": [
+ "guardduty_is_enabled",
+ "securityhub_enabled",
+ "ec2_instance_managed_by_ssm",
+ "ssm_managed_compliant_patching"
+ ]
+ },
+ {
+ "Id": "cc_7_2",
+ "Name": "CC7.2 The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events",
+ "Description": "Implements Detection Policies, Procedures, and Tools - Detection policies and procedures are defined and implemented, and detection tools are implemented on Infrastructure and software to identify anomalies in the operation or unusual activity on systems. 
Procedures may include (1) a defined governance process for security event detection and management that includes provision of resources; (2) use of intelligence sources to identify newly discovered threats and vulnerabilities; and (3) logging of unusual system activities.Designs Detection Measures - Detection measures are designed to identify anomalies that could result from actual or attempted (1) compromise of physical barriers; (2) unauthorized actions of authorized personnel; (3) use of compromised identification and authentication credentials; (4) unauthorized access from outside the system boundaries; (5) compromise of authorized external parties; and (6) implementation or connection of unauthorized hardware and software.Implements Filters to Analyze Anomalies - Management has implemented procedures to filter, summarize, and analyze anomalies to identify security events.Monitors Detection Tools for Effective Operation - Management has implemented processes to monitor the effectiveness of detection tools.",
+ "Attributes": [
+ {
+ "ItemId": "cc_7_2",
+ "Section": "CC7.0 - System Operations",
+ "Service": "aws",
+ "Soc_Type": "automated"
+ }
+ ],
+ "Checks": [
+ "cloudtrail_cloudwatch_logging_enabled",
+ "cloudwatch_changes_to_network_acls_alarm_configured",
+ "cloudwatch_changes_to_network_gateways_alarm_configured",
+ "cloudwatch_changes_to_network_route_tables_alarm_configured",
+ "cloudwatch_changes_to_vpcs_alarm_configured",
+ "cloudtrail_s3_dataevents_read_enabled",
+ "cloudtrail_s3_dataevents_write_enabled",
+ "elbv2_logging_enabled",
+ "elb_logging_enabled",
+ "s3_bucket_server_access_logging_enabled",
+ "rds_instance_integration_cloudwatch_logs",
+ "cloudtrail_multi_region_enabled",
+ "securityhub_enabled",
+ "cloudwatch_log_group_retention_policy_specific_days_enabled",
+ "cloudtrail_multi_region_enabled",
+ "redshift_cluster_audit_logging",
+ "vpc_flow_logs_enabled",
+ "ec2_instance_imdsv2_enabled",
+ "guardduty_is_enabled",
+ 
"apigateway_logging_enabled",
+ "ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_22"
+ ]
+ },
+ {
+ "Id": "cc_7_3",
+ "Name": "CC7.3 The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures",
+ "Description": "Responds to Security Incidents - Procedures are in place for responding to security incidents and evaluating the effectiveness of those policies and procedures on a periodic basis.Communicates and Reviews Detected Security Events - Detected security events are communicated to and reviewed by the individuals responsible for the management of the security program and actions are taken, if necessary.Develops and Implements Procedures to Analyze Security Incidents - Procedures are in place to analyze security incidents and determine system impact.Assesses the Impact on Personal Information - Detected security events are evaluated to determine whether they could or did result in the unauthorized disclosure or use of personal information and whether there has been a failure to comply with applicable laws or regulations.Determines Personal Information Used or Disclosed - When an unauthorized use or disclosure of personal information has occurred, the affected information is identified.",
+ "Attributes": [
+ {
+ "ItemId": "cc_7_3",
+ "Section": "CC7.0 - System Operations",
+ "Service": "aws",
+ "Soc_Type": "automated"
+ }
+ ],
+ "Checks": [
+ "cloudwatch_log_group_kms_encryption_enabled",
+ "cloudtrail_log_file_validation_enabled",
+ "cloudtrail_cloudwatch_logging_enabled",
+ "guardduty_is_enabled",
+ "apigateway_logging_enabled",
+ "rds_instance_integration_cloudwatch_logs",
+ "securityhub_enabled",
+ "cloudwatch_changes_to_network_acls_alarm_configured",
+ "cloudwatch_changes_to_network_gateways_alarm_configured",
+ "cloudwatch_changes_to_network_route_tables_alarm_configured",
+ 
"cloudwatch_changes_to_vpcs_alarm_configured",
+ "elbv2_logging_enabled",
+ "elb_logging_enabled",
+ "s3_bucket_server_access_logging_enabled",
+ "cloudwatch_log_group_retention_policy_specific_days_enabled",
+ "vpc_flow_logs_enabled",
+ "guardduty_no_high_severity_findings"
+ ]
+ },
+ {
+ "Id": "cc_7_4",
+ "Name": "CC7.4 The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate",
+ "Description": "Assigns Roles and Responsibilities - Roles and responsibilities for the design, implementation, maintenance, and execution of the incident response program are assigned, including the use of external resources when necessary.Contains Security Incidents - Procedures are in place to contain security incidents that actively threaten entity objectives.Mitigates Ongoing Security Incidents - Procedures are in place to mitigate the effects of ongoing security incidents.Ends Threats Posed by Security Incidents - Procedures are in place to end the threats posed by security incidents through closure of the vulnerability, removal of unauthorized access, and other remediation actions.Restores Operations - Procedures are in place to restore data and business operations to an interim state that permits the achievement of entity objectives. 
Develops and Implements Communication Protocols for Security Incidents - Protocols for communicating security incidents and actions taken to affected parties are developed and implemented to meet the entity's objectives.Obtains Understanding of Nature of Incident and Determines Containment Strategy - An understanding of the nature (for example, the method by which the incident occurred and the affected system resources) and severity of the security incident is obtained to determine the appropriate containment strategy, including (1) a determination of the appropriate response time frame, and (2) the determination and execution of the containment approach.Remediates Identified Vulnerabilities - Identified vulnerabilities are remediated through the development and execution of remediation activities.Communicates Remediation Activities - Remediation activities are documented and communicated in accordance with the incident response program.Evaluates the Effectiveness of Incident Response - The design of incident response activities is evaluated for effectiveness on a periodic basis.Periodically Evaluates Incidents - Periodically, management reviews incidents related to security, availability, processing integrity, confidentiality, and privacy and identifies the need for system changes based on incident patterns and root causes. 
Communicates Unauthorized Use and Disclosure - Events that resulted in unauthorized use or disclosure of personal information are communicated to the data subjects, legal and regulatory authorities, and others as required.Application of Sanctions - The conduct of individuals and organizations operating under the authority of the entity and involved in the unauthorized use or disclosure of personal information is evaluated and, if appropriate, sanctioned in accordance with entity policies and legal and regulatory requirements.",
+ "Attributes": [
+ {
+ "ItemId": "cc_7_4",
+ "Section": "CC7.0 - System Operations",
+ "Service": "aws",
+ "Soc_Type": "automated"
+ }
+ ],
+ "Checks": [
+ "cloudwatch_changes_to_network_acls_alarm_configured",
+ "cloudwatch_changes_to_network_gateways_alarm_configured",
+ "cloudwatch_changes_to_network_route_tables_alarm_configured",
+ "cloudwatch_changes_to_vpcs_alarm_configured",
+ "dynamodb_tables_pitr_enabled",
+ "dynamodb_tables_pitr_enabled",
+ "efs_have_backup_enabled",
+ "efs_have_backup_enabled",
+ "guardduty_is_enabled",
+ "guardduty_no_high_severity_findings",
+ "rds_instance_backup_enabled",
+ "rds_instance_backup_enabled",
+ "rds_instance_backup_enabled",
+ "redshift_cluster_automated_snapshot",
+ "s3_bucket_object_versioning",
+ "securityhub_enabled"
+ ]
+ },
+ {
+ "Id": "cc_7_5",
+ "Name": "CC7.5 The entity identifies, develops, and implements activities to recover from identified security incidents",
+ "Description": "Restores the Affected Environment - The activities restore the affected environment to functional operation by rebuilding systems, updating software, installing patches, and changing configurations, as needed.Communicates Information About the Event - Communications about the nature of the incident, recovery actions taken, and activities required for the prevention of future security events are made to management and others as appropriate (internal and external).Determines Root Cause of the Event - The root 
cause of the event is determined.Implements Changes to Prevent and Detect Recurrences - Additional architecture or changes to preventive and detective controls, or both, are implemented to prevent and detect recurrences on a timely basis.Improves Response and Recovery Procedures - Lessons learned are analyzed, and the incident response plan and recovery procedures are improved.Implements Incident Recovery Plan Testing - Incident recovery plan testing is performed on a periodic basis. The testing includes (1) development of testing scenarios based on threat likelihood and magnitude; (2) consideration of relevant system components from across the entity that can impair availability; (3) scenarios that consider the potential for the lack of availability of key personnel; and (4) revision of continuity plans and systems based on test results.",
+ "Attributes": [
+ {
+ "ItemId": "cc_7_5",
+ "Section": "CC7.0 - System Operations",
+ "Service": "aws",
+ "Soc_Type": "manual"
+ }
+ ],
+ "Checks": []
+ },
+ {
+ "Id": "cc_8_1",
+ "Name": "CC8.1 The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives",
+ "Description": "Manages Changes Throughout the System Lifecycle - A process for managing system changes throughout the lifecycle of the system and its components (infrastructure, data, software and procedures) is used to support system availability and processing integrity.Authorizes Changes - A process is in place to authorize system changes prior to development.Designs and Develops Changes - A process is in place to design and develop system changes.Documents Changes - A process is in place to document system changes to support ongoing maintenance of the system and to support system users in performing their responsibilities.Tracks System Changes - A process is in place to track system changes prior to implementation.Configures Software - A 
process is in place to select and implement the configuration parameters used to control the functionality of software.Tests System Changes - A process is in place to test system changes prior to implementation.Approves System Changes - A process is in place to approve system changes prior to implementation.Deploys System Changes - A process is in place to implement system changes.Identifies and Evaluates System Changes - Objectives affected by system changes are identified, and the ability of the modified system to meet the objectives is evaluated throughout the system development life cycle.Identifies Changes in Infrastructure, Data, Software, and Procedures Required to Remediate Incidents - Changes in infrastructure, data, software, and procedures required to remediate incidents to continue to meet objectives are identified, and the change process is initiated upon identification.Creates Baseline Configuration of IT Technology - A baseline configuration of IT and control systems is created and maintained.Provides for Changes Necessary in Emergency Situations - A process is in place for authorizing, designing, testing, approving and implementing changes necessary in emergency situations (that is, changes that need to be implemented in an urgent timeframe).Protects Confidential Information - The entity protects confidential information during system design, development, testing, implementation, and change processes to meet the entity’s objectives related to confidentiality.Protects Personal Information - The entity protects personal information during system design, development, testing, implementation, and change processes to meet the entity’s objectives related to privacy.",
+ "Attributes": [
+ {
+ "ItemId": "cc_8_1",
+ "Section": "CC8.0 - Change Management",
+ "Service": "aws",
+ "Soc_Type": "automated"
+ }
+ ],
+ "Checks": [
+ "config_recorder_all_regions_enabled"
+ ]
+ },
+ {
+ "Id": "cc_9_1",
+ "Name": "CC9.1 The entity identifies, selects, and develops risk 
mitigation activities for risks arising from potential business disruptions",
+ "Description": "Considers Mitigation of Risks of Business Disruption - Risk mitigation activities include the development of planned policies, procedures, communications, and alternative processing solutions to respond to, mitigate, and recover from security events that disrupt business operations. Those policies and procedures include monitoring processes and information and communications to meet the entity's objectives during response, mitigation, and recovery efforts.Considers the Use of Insurance to Mitigate Financial Impact Risks - The risk management activities consider the use of insurance to offset the financial impact of loss events that would otherwise impair the ability of the entity to meet its objectives.",
+ "Attributes": [
+ {
+ "ItemId": "cc_9_1",
+ "Section": "CC9.0 - Risk Mitigation",
+ "Service": "aws",
+ "Soc_Type": "manual"
+ }
+ ],
+ "Checks": []
+ },
+ {
+ "Id": "cc_9_2",
+ "Name": "CC9.2 The entity assesses and manages risks associated with vendors and business partners",
+ "Description": "Establishes Requirements for Vendor and Business Partner Engagements - The entity establishes specific requirements for a vendor and business partner engagement that includes (1) scope of services and product specifications, (2) roles and responsibilities, (3) compliance requirements, and (4) service levels.Assesses Vendor and Business Partner Risks - The entity assesses, on a periodic basis, the risks that vendors and business partners (and those entities’ vendors and business partners) represent to the achievement of the entity's objectives.Assigns Responsibility and Accountability for Managing Vendors and Business Partners - The entity assigns responsibility and accountability for the management of risks associated with vendors and business partners.Establishes Communication Protocols for Vendors and Business Partners - The entity establishes communication and resolution 
protocols for service or product issues related to vendors and business partners.Establishes Exception Handling Procedures From Vendors and Business Partners - The entity establishes exception handling procedures for service or product issues related to vendors and business partners.Assesses Vendor and Business Partner Performance - The entity periodically assesses the performance of vendors and business partners.Implements Procedures for Addressing Issues Identified During Vendor and Business Partner Assessments - The entity implements procedures for addressing issues identified with vendor and business partner relationships.Implements Procedures for Terminating Vendor and Business Partner Relationships - The entity implements procedures for terminating vendor and business partner relationships.Obtains Confidentiality Commitments from Vendors and Business Partners - The entity obtains confidentiality commitments that are consistent with the entity’s confidentiality commitments and requirements from vendors and business partners who have access to confidential information.Assesses Compliance With Confidentiality Commitments of Vendors and Business Partners - On a periodic and as-needed basis, the entity assesses compliance by vendors and business partners with the entity’s confidentiality commitments and requirements.Obtains Privacy Commitments from Vendors and Business Partners - The entity obtains privacy commitments, consistent with the entity’s privacy commitments and requirements, from vendors and business partners who have access to personal information.Assesses Compliance with Privacy Commitments of Vendors and Business Partners - On a periodic and as-needed basis, the entity assesses compliance by vendors and business partners with the entity’s privacy commitments and requirements and takes corrective action as necessary.",
+ "Attributes": [
+ {
+ "ItemId": "cc_9_2",
+ "Section": "CC9.0 - Risk Mitigation",
+ "Service": "aws",
+ "Soc_Type": "manual"
+ }
+ ],
+ "Checks": []
+ },
+ {
+ "Id": "cc_a_1_1",
+ "Name": "A1.1 The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives",
+ "Description": "Measures Current Usage - The use of the system components is measured to establish a baseline for capacity management and to use when evaluating the risk of impaired availability due to capacity constraints.Forecasts Capacity - The expected average and peak use of system components is forecasted and compared to system capacity and associated tolerances. Forecasting considers capacity in the event of the failure of system components that constrain capacity.Makes Changes Based on Forecasts - The system change management process is initiated when forecasted usage exceeds capacity tolerances.",
+ "Attributes": [
+ {
+ "ItemId": "cc_a_1_1",
+ "Section": "CCA1.0 - Additional Criterial for Availability",
+ "Service": "aws",
+ "Soc_Type": "manual"
+ }
+ ],
+ "Checks": []
+ },
+ {
+ "Id": "cc_a_1_2",
+ "Name": "A1.2 The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives",
+ "Description": "Measures Current Usage - The use of the system components is measured to establish a baseline for capacity management and to use when evaluating the risk of impaired availability due to capacity constraints.Forecasts Capacity - The expected average and peak use of system components is forecasted and compared to system capacity and associated tolerances. 
Forecasting considers capacity in the event of the failure of system components that constrain capacity.Makes Changes Based on Forecasts - The system change management process is initiated when forecasted usage exceeds capacity tolerances.",
+ "Attributes": [
+ {
+ "ItemId": "cc_a_1_2",
+ "Section": "CCA1.0 - Additional Criterial for Availability",
+ "Service": "aws",
+ "Soc_Type": "automated"
+ }
+ ],
+ "Checks": [
+ "apigateway_logging_enabled",
+ "cloudtrail_multi_region_enabled",
+ "cloudtrail_multi_region_enabled",
+ "cloudtrail_cloudwatch_logging_enabled",
+ "dynamodb_tables_pitr_enabled",
+ "dynamodb_tables_pitr_enabled",
+ "efs_have_backup_enabled",
+ "efs_have_backup_enabled",
+ "elbv2_logging_enabled",
+ "elb_logging_enabled",
+ "rds_instance_backup_enabled",
+ "rds_instance_backup_enabled",
+ "rds_instance_integration_cloudwatch_logs",
+ "rds_instance_backup_enabled",
+ "redshift_cluster_automated_snapshot",
+ "s3_bucket_object_versioning"
+ ]
+ },
+ {
+ "Id": "cc_a_1_3",
+ "Name": "A1.3 The entity tests recovery plan procedures supporting system recovery to meet its objectives",
+ "Description": "Implements Business Continuity Plan Testing - Business continuity plan testing is performed on a periodic basis. 
The testing includes (1) development of testing scenarios based on threat likelihood and magnitude; (2) consideration of system components from across the entity that can impair the availability; (3) scenarios that consider the potential for the lack of availability of key personnel; and (4) revision of continuity plans and systems based on test results.Tests Integrity and Completeness of Back-Up Data - The integrity and completeness of back-up information is tested on a periodic basis.",
+ "Attributes": [
+ {
+ "ItemId": "cc_a_1_3",
+ "Section": "CCA1.0 - Additional Criterial for Availability",
+ "Service": "aws",
+ "Soc_Type": "manual"
+ }
+ ],
+ "Checks": []
+ },
+ {
+ "Id": "cc_c_1_1",
+ "Name": "C1.1 The entity identifies and maintains confidential information to meet the entity’s objectives related to confidentiality",
+ "Description": "Identifies Confidential information - Procedures are in place to identify and designate confidential information when it is received or created and to determine the period over which the confidential information is to be retained.Protects Confidential Information from Destruction - Procedures are in place to protect confidential information from erasure or destruction during the specified retention period of the information",
+ "Attributes": [
+ {
+ "ItemId": "cc_c_1_1",
+ "Section": "CCC1.0 - Additional Criterial for Confidentiality",
+ "Service": "aws",
+ "Soc_Type": "automated"
+ }
+ ],
+ "Checks": [
+ "rds_instance_deletion_protection"
+ ]
+ },
+ {
+ "Id": "cc_c_1_2",
+ "Name": "C1.2 The entity disposes of confidential information to meet the entity’s objectives related to confidentiality",
+ "Description": "Identifies Confidential Information for Destruction - Procedures are in place to identify confidential information requiring destruction when the end of the retention period is reached.Destroys Confidential Information - Procedures are in place to erase or otherwise destroy confidential information that has been 
identified for destruction.",
+ "Attributes": [
+ {
+ "ItemId": "cc_c_1_2",
+ "Section": "CCC1.0 - Additional Criterial for Confidentiality",
+ "Service": "s3",
+ "Soc_Type": "automated"
+ }
+ ],
+ "Checks": [
+ "s3_bucket_object_versioning"
+ ]
+ },
+ {
+ "Id": "p_1_1",
+ "Name": "P1.1 The entity provides notice to data subjects about its privacy practices to meet the entity’s objectives related to privacy",
+ "Description": "The entity provides notice to data subjects about its privacy practices to meet the entity’s objectives related to privacy. The notice is updated and communicated to data subjects in a timely manner for changes to the entity’s privacy practices, including changes in the use of personal information, to meet the entity’s objectives related to privacy.Communicates to Data Subjects - Notice is provided to data subjects regarding the following:Purpose for collecting personal informationChoice and consentTypes of personal information collectedMethods of collection (for example, use of cookies or other tracking techniques)Use, retention, and disposalAccessDisclosure to third partiesSecurity for privacyQuality, including data subjects’ responsibilities for qualityMonitoring and enforcementIf personal information is collected from sources other than the individual, such sources are described in the privacy notice.Provides Notice to Data Subjects - Notice is provided to data subjects (1) at or before the time personal information is collected or as soon as practical thereafter, (2) at or before the entity changes its privacy notice or as soon as practical thereafter, or (3) before personal information is used for new purposes not previously identified.Covers Entities and Activities in Notice - An objective description of the entities and activities covered is included in the entity’s privacy notice.Uses Clear and Conspicuous Language - The entity’s privacy notice is conspicuous and uses clear language.",
+ "Attributes": [
+ {
+ "ItemId": "p_1_1",
+
"Section": "P1.0 - Privacy Criteria Related to Notice and Communication of Objectives Related to Privacy",
+ "Service": "aws",
+ "Soc_Type": "manual"
+ }
+ ],
+ "Checks": []
+ },
+ {
+ "Id": "p_2_1",
+ "Name": "P2.1 The entity communicates choices available regarding the collection, use, retention, disclosure, and disposal of personal information to the data subjects and the consequences, if any, of each choice",
+ "Description": "The entity communicates choices available regarding the collection, use, retention, disclosure, and disposal of personal information to the data subjects and the consequences, if any, of each choice. Explicit consent for the collection, use, retention, disclosure, and disposal of personal information is obtained from data subjects or other authorized persons, if required. Such consent is obtained only for the intended purpose of the information to meet the entity’s objectives related to privacy. The entity’s basis for determining implicit consent for the collection, use, retention, disclosure, and disposal of personal information is documented.Communicates to Data Subjects - Data subjects are informed (a) about the choices available to them with respect to the collection, use, and disclosure of personal information and (b) that implicit or explicit consent is required to collect, use, and disclose personal information, unless a law or regulation specifically requires or allows otherwise.Communicates Consequences of Denying or Withdrawing Consent - When personal information is collected, data subjects are informed of the consequences of refusing to provide personal information or denying or withdrawing consent to use personal information for purposes identified in the notice.Obtains Implicit or Explicit Consent - Implicit or explicit consent is obtained from data subjects at or before the time personal information is collected or soon thereafter. 
The individual’s preferences expressed in his or her consent are confirmed and implemented.Documents and Obtains Consent for New Purposes and Uses - If information that was previously collected is to be used for purposes not previously identified in the privacy notice, the new purpose is documented, the data subject is notified, and implicit or explicit consent is obtained prior to such new use or purpose.Obtains Explicit Consent for Sensitive Information - Explicit consent is obtained directly from the data subject when sensitive personal information is collected, used, or disclosed, unless a law or regulation specifically requires otherwise.",
+ "Attributes": [
+ {
+ "ItemId": "p_2_1",
+ "Section": "P2.0 - Privacy Criteria Related to Choice and Consent",
+ "Service": "aws",
+ "Soc_Type": "manual"
+ }
+ ],
+ "Checks": []
+ },
+ {
+ "Id": "p_3_1",
+ "Name": "P3.1 Personal information is collected consistent with the entity’s objectives related to privacy",
+ "Description": "Limits the Collection of Personal Information - The collection of personal information is limited to that necessary to meet the entity’s objectives.Collects Information by Fair and Lawful Means - Methods of collecting personal information are reviewed by management before they are implemented to confirm that personal information is obtained (a) fairly, without intimidation or deception, and (b) lawfully, adhering to all relevant rules of law, whether derived from statute or common law, relating to the collection of personal information.Collects Information From Reliable Sources - Management confirms that third parties from whom personal information is collected (that is, sources other than the individual) are reliable sources that collect information fairly and lawfully.Informs Data Subjects When Additional Information Is Acquired - Data subjects are informed if the entity develops or acquires additional information about them for its use.",
+ "Attributes": [
+ {
+ "ItemId": "p_3_1",
+
"Section": "P3.0 - Privacy Criteria Related to Collection",
+ "Service": "aws",
+ "Soc_Type": "manual"
+ }
+ ],
+ "Checks": []
+ },
+ {
+ "Id": "p_3_2",
+ "Name": "P3.2 For information requiring explicit consent, the entity communicates the need for such consent, as well as the consequences of a failure to provide consent for the request for personal information, and obtains the consent prior to the collection of the information to meet the entity’s objectives related to privacy",
+ "Description": "Obtains Explicit Consent for Sensitive Information - Explicit consent is obtained directly from the data subject when sensitive personal information is collected, used, or disclosed, unless a law or regulation specifically requires otherwise.Documents Explicit Consent to Retain Information - Documentation of explicit consent for the collection, use, or disclosure of sensitive personal information is retained in accordance with objectives related to privacy.",
+ "Attributes": [
+ {
+ "ItemId": "p_3_2",
+ "Section": "P3.0 - Privacy Criteria Related to Collection",
+ "Service": "aws",
+ "Soc_Type": "manual"
+ }
+ ],
+ "Checks": []
+ },
+ {
+ "Id": "p_4_1",
+ "Name": "P4.1 The entity limits the use of personal information to the purposes identified in the entity’s objectives related to privacy",
+ "Description": "Uses Personal Information for Intended Purposes - Personal information is used only for the intended purposes for which it was collected and only when implicit or explicit consent has been obtained unless a law or regulation specifically requires otherwise.",
+ "Attributes": [
+ {
+ "ItemId": "p_4_1",
+ "Section": "P4.0 - Privacy Criteria Related to Use, Retention, and Disposal",
+ "Service": "aws",
+ "Soc_Type": "manual"
+ }
+ ],
+ "Checks": []
+ },
+ {
+ "Id": "p_4_2",
+ "Name": "P4.2 The entity retains personal information consistent with the entity’s objectives related to privacy",
+ "Description": "Retains Personal Information - Personal information is retained 
for no longer than necessary to fulfill the stated purposes, unless a law or regulation specifically requires otherwise.Protects Personal Information - Policies and procedures have been implemented to protect personal information from erasure or destruction during the specified retention period of the information.",
+ "Attributes": [
+ {
+ "ItemId": "p_4_2",
+ "Section": "P4.0 - Privacy Criteria Related to Use, Retention, and Disposal",
+ "Service": "aws",
+ "Soc_Type": "manual"
+ }
+ ],
+ "Checks": []
+ },
+ {
+ "Id": "p_4_3",
+ "Name": "P4.3 The entity securely disposes of personal information to meet the entity’s objectives related to privacy",
+ "Description": "Captures, Identifies, and Flags Requests for Deletion - Requests for deletion of personal information are captured, and information related to the requests is identified and flagged for destruction to meet the entity’s objectives related to privacy.Disposes of, Destroys, and Redacts Personal Information - Personal information no longer retained is anonymized, disposed of, or destroyed in a manner that prevents loss, theft, misuse, or unauthorized access.Destroys Personal Information - Policies and procedures are implemented to erase or otherwise destroy personal information that has been identified for destruction.",
+ "Attributes": [
+ {
+ "ItemId": "p_4_3",
+ "Section": "P4.0 - Privacy Criteria Related to Use, Retention, and Disposal",
+ "Service": "aws",
+ "Soc_Type": "manual"
+ }
+ ],
+ "Checks": []
+ },
+ {
+ "Id": "p_5_1",
+ "Name": "P5.1 The entity grants identified and authenticated data subjects the ability to access their stored personal information for review and, upon request, provides physical or electronic copies of that information to data subjects to meet the entity’s objectives related to privacy",
+ "Description": "The entity grants identified and authenticated data subjects the ability to access their stored personal information for review and, upon request, provides physical or 
electronic copies of that information to data subjects to meet the entity’s objectives related to privacy. If access is denied, data subjects are informed of the denial and reason for such denial, as required, to meet the entity’s objectives related to privacy.Authenticates Data Subjects’ Identity - The identity of data subjects who request access to their personal information is authenticated before they are given access to that information.Permits Data Subjects Access to Their Personal Information - Data subjects are able to determine whether the entity maintains personal information about them and, upon request, may obtain access to their personal information.Provides Understandable Personal Information Within Reasonable Time - Personal information is provided to data subjects in an understandable form, in a reasonable time frame, and at a reasonable cost, if any.Informs Data Subjects If Access Is Denied - When data subjects are denied access to their personal information, the entity informs them of the denial and the reason for the denial in a timely manner, unless prohibited by law or regulation.",
+ "Attributes": [
+ {
+ "ItemId": "p_5_1",
+ "Section": "P5.0 - Privacy Criteria Related to Access",
+ "Service": "aws",
+ "Soc_Type": "manual"
+ }
+ ],
+ "Checks": []
+ },
+ {
+ "Id": "p_5_2",
+ "Name": "P5.2 The entity corrects, amends, or appends personal information based on information provided by data subjects and communicates such information to third parties, as committed or required, to meet the entity’s objectives related to privacy",
+ "Description": "The entity corrects, amends, or appends personal information based on information provided by data subjects and communicates such information to third parties, as committed or required, to meet the entity’s objectives related to privacy. 
If a request for correction is denied, data subjects are informed of the denial and reason for such denial to meet the entity’s objectives related to privacy.Communicates Denial of Access Requests - Data subjects are informed, in writing, of the reason a request for access to their personal information was denied, the source of the entity’s legal right to deny such access, if applicable, and the individual’s right, if any, to challenge such denial, as specifically permitted or required by law or regulation.Permits Data Subjects to Update or Correct Personal Information - Data subjects are able to update or correct personal information held by the entity. The entity provides such updated or corrected information to third parties that were previously provided with the data subject’s personal information consistent with the entity’s objective related to privacy.Communicates Denial of Correction Requests - Data subjects are informed, in writing, about the reason a request for correction of personal information was denied and how they may appeal.",
+ "Attributes": [
+ {
+ "ItemId": "p_5_2",
+ "Section": "P5.0 - Privacy Criteria Related to Access",
+ "Service": "aws",
+ "Soc_Type": "manual"
+ }
+ ],
+ "Checks": []
+ },
+ {
+ "Id": "p_6_1",
+ "Name": "P6.1 The entity discloses personal information to third parties with the explicit consent of data subjects, and such consent is obtained prior to disclosure to meet the entity’s objectives related to privacy",
+ "Description": "Communicates Privacy Policies to Third Parties - Privacy policies or other specific instructions or requirements for handling personal information are communicated to third parties to whom personal information is disclosed.Discloses Personal Information Only When Appropriate - Personal information is disclosed to third parties only for the purposes for which it was collected or created and only when implicit or explicit consent has been obtained from the data subject, unless a law or regulation 
specifically requires otherwise.Discloses Personal Information Only to Appropriate Third Parties - Personal information is disclosed only to third parties who have agreements with the entity to protect personal information in a manner consistent with the relevant aspects of the entity’s privacy notice or other specific instructions or requirements. The entity has procedures in place to evaluate that the third parties have effective controls to meet the terms of the agreement, instructions, or requirements.",
+ "Attributes": [
+ {
+ "ItemId": "p_6_1",
+ "Section": "P6.0 - Privacy Criteria Related to Disclosure and Notification",
+ "Service": "aws",
+ "Soc_Type": "manual"
+ }
+ ],
+ "Checks": []
+ },
+ {
+ "Id": "p_6_2",
+ "Name": "P6.2 The entity creates and retains a complete, accurate, and timely record of authorized disclosures of personal information to meet the entity’s objectives related to privacy",
+ "Description": "Creates and Retains Record of Authorized Disclosures - The entity creates and maintains a record of authorized disclosures of personal information that is complete, accurate, and timely.",
+ "Attributes": [
+ {
+ "ItemId": "p_6_2",
+ "Section": "P6.0 - Privacy Criteria Related to Disclosure and Notification",
+ "Service": "aws",
+ "Soc_Type": "manual"
+ }
+ ],
+ "Checks": []
+ },
+ {
+ "Id": "p_6_3",
+ "Name": "P6.3 The entity creates and retains a complete, accurate, and timely record of detected or reported unauthorized disclosures (including breaches) of personal information to meet the entity’s objectives related to privacy",
+ "Description": "Creates and Retains Record of Detected or Reported Unauthorized Disclosures - The entity creates and maintains a record of detected or reported unauthorized disclosures of personal information that is complete, accurate, and timely.",
+ "Attributes": [
+ {
+ "ItemId": "p_6_3",
+ "Section": "P6.0 - Privacy Criteria Related to Disclosure and Notification",
+ "Service": "aws",
+ "Soc_Type": "manual"
+ }
+
], + "Checks": [] + }, + { + "Id": "p_6_4", + "Name": "P6.4 The entity obtains privacy commitments from vendors and other third parties who have access to personal information to meet the entity’s objectives related to privacy", + "Description": "The entity obtains privacy commitments from vendors and other third parties who have access to personal information to meet the entity’s objectives related to privacy. The entity assesses those parties’ compliance on a periodic and as-needed basis and takes corrective action, if necessary.Discloses Personal Information Only to Appropriate Third Parties - Personal information is disclosed only to third parties who have agreements with the entity to protect personal information in a manner consistent with the relevant aspects of the entity’s privacy notice or other specific instructions or requirements. The entity has procedures in place to evaluate that the third parties have effective controls to meet the terms of the agreement, instructions, or requirements.Remediates Misuse of Personal Information by a Third Party - The entity takes remedial action in response to misuse of personal information by a third party to whom the entity has transferred such information.", + "Attributes": [ + { + "ItemId": "p_6_4", + "Section": "P6.0 - Privacy Criteria Related to Disclosure and Notification", + "Service": "aws", + "Soc_Type": "manual" + } + ], + "Checks": [] + }, + { + "Id": "p_6_5", + "Name": "P6.5 The entity obtains commitments from vendors and other third parties with access to personal information to notify the entity in the event of actual or suspected unauthorized disclosures of personal information", + "Description": "The entity obtains commitments from vendors and other third parties with access to personal information to notify the entity in the event of actual or suspected unauthorized disclosures of personal information. 
Such notifications are reported to appropriate personnel and acted on in accordance with established incident response procedures to meet the entity’s objectives related to privacy.Remediates Misuse of Personal Information by a Third Party - The entity takes remedial action in response to misuse of personal information by a third party to whom the entity has transferred such information.Reports Actual or Suspected Unauthorized Disclosures - A process exists for obtaining commitments from vendors and other third parties to report to the entity actual or suspected unauthorized disclosures of personal information.", + "Attributes": [ + { + "ItemId": "p_6_5", + "Section": "P6.0 - Privacy Criteria Related to Disclosure and Notification", + "Service": "aws", + "Soc_Type": "manual" + } + ], + "Checks": [] + }, + { + "Id": "p_6_6", + "Name": "P6.6 The entity provides notification of breaches and incidents to affected data subjects, regulators, and others to meet the entity’s objectives related to privacy", + "Description": "Remediates Misuse of Personal Information by a Third Party - The entity takes remedial action in response to misuse of personal information by a third party to whom the entity has transferred such information. 
Reports Actual or Suspected Unauthorized Disclosures - A process exists for obtaining commitments from vendors and other third parties to report to the entity actual or suspected unauthorized disclosures of personal information.", + "Attributes": [ + { + "ItemId": "p_6_6", + "Section": "P6.0 - Privacy Criteria Related to Disclosure and Notification", + "Service": "aws", + "Soc_Type": "manual" + } + ], + "Checks": [] + }, + { + "Id": "p_6_7", + "Name": "P6.7 The entity provides data subjects with an accounting of the personal information held and disclosure of the data subjects’ personal information, upon the data subjects’ request, to meet the entity’s objectives related to privacy", + "Description": "Identifies Types of Personal Information and Handling Process - The types of personal information and sensitive personal information and the related processes, systems, and third parties involved in the handling of such information are identified. Captures, Identifies, and Communicates Requests for Information - Requests for an accounting of personal information held and disclosures of the data subjects’ personal information are captured, and information related to the requests is identified and communicated to data subjects to meet the entity’s objectives related to privacy.", + "Attributes": [ + { + "ItemId": "p_6_7", + "Section": "P6.0 - Privacy Criteria Related to Disclosure and Notification", + "Service": "aws", + "Soc_Type": "manual" + } + ], + "Checks": [] + }, + { + "Id": "p_7_1", + "Name": "P7.1 The entity collects and maintains accurate, up-to-date, complete, and relevant personal information to meet the entity’s objectives related to privacy", + "Description": "Ensures Accuracy and Completeness of Personal Information - Personal information is accurate and complete for the purposes for which it is to be used. 
Ensures Relevance of Personal Information - Personal information is relevant to the purposes for which it is to be used.", + "Attributes": [ + { + "ItemId": "p_7_1", + "Section": "P7.0 - Privacy Criteria Related to Quality", + "Service": "aws", + "Soc_Type": "manual" + } + ], + "Checks": [] + }, + { + "Id": "p_8_1", + "Name": "P8.1 The entity implements a process for receiving, addressing, resolving, and communicating the resolution of inquiries, complaints, and disputes from data subjects and others and periodically monitors compliance to meet the entity’s objectives related to privacy", + "Description": "The entity implements a process for receiving, addressing, resolving, and communicating the resolution of inquiries, complaints, and disputes from data subjects and others and periodically monitors compliance to meet the entity’s objectives related to privacy. Corrections and other necessary actions related to identified deficiencies are made or taken in a timely manner.Communicates to Data Subjects—Data subjects are informed about how to contact the entity with inquiries, complaints, and disputes.Addresses Inquiries, Complaints, and Disputes - A process is in place to address inquiries, complaints, and disputes.Documents and Communicates Dispute Resolution and Recourse - Each complaint is addressed, and the resolution is documented and communicated to the individual.Documents and Reports Compliance Review Results - Compliance with objectives related to privacy are reviewed and documented, and the results of such reviews are reported to management. 
If problems are identified, remediation plans are developed and implemented.Documents and Reports Instances of Noncompliance - Instances of noncompliance with objectives related to privacy are documented and reported and, if needed, corrective and disciplinary measures are taken on a timely basis.Performs Ongoing Monitoring - Ongoing procedures are performed for monitoring the effectiveness of controls over personal information and for taking timely corrective actions when necessary.", + "Attributes": [ + { + "ItemId": "p_8_1", + "Section": "P8.0 - Privacy Criteria Related to Monitoring and Enforcement", + "Service": "aws", + "Soc_Type": "manual" + } + ], + "Checks": [] + } + ] +} diff --git a/prowler/config/config.py b/prowler/config/config.py index 5e954a71..90f42855 100644 --- a/prowler/config/config.py +++ b/prowler/config/config.py @@ -18,7 +18,28 @@ banner_color = "\033[1;92m" # Compliance compliance_specification_dir = "./compliance" - +available_compliance_frameworks = [ + "ens_rd2022_aws", + "cis_1.4_aws", + "cis_1.5_aws", + "aws_audit_manager_control_tower_guardrails_aws", + "aws_foundational_security_best_practices_aws", + "cisa_aws", + "fedramp_low_revision_4_aws", + "fedramp_moderate_revision_4_aws", + "ffiec_aws", + "gdpr_aws", + "gxp_eu_annex_11_aws", + "gxp_21_cfr_part_11_aws", + "hipaa_aws", + "nist_800_53_revision_4_aws", + "nist_800_53_revision_5_aws", + "nist_800_171_revision_2_aws", + "nist_csf_1.1_aws", + "pci_3.2.1_aws", + "rbi_cyber_security_framework_aws", + "soc2_aws", +] # AWS services-regions matrix json aws_services_json_file = "aws_regions_by_service.json" diff --git a/prowler/lib/check/compliance.py b/prowler/lib/check/compliance.py index 3ea62ee6..0ec60977 100644 --- a/prowler/lib/check/compliance.py +++ b/prowler/lib/check/compliance.py 
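Review bot: `available_compliance_frameworks` is a second hand-maintained copy of the set of framework JSON files under `prowler/compliance/aws/` (and a third copy lives in `docs/tutorials/compliance.md` in this same commit), and nothing ties them together: a framework file added without a list entry is silently unselectable from the CLI, while a list entry without a file only fails at load time. Deriving the list from the files in `compliance_specification_dir` would remove the drift; if the literal list is kept, at least mark the coupling with a comment such as `# Keep in sync with the framework JSON files under prowler/compliance/ and docs/tutorials/compliance.md` and sort the entries so additions are reviewable.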
@@ -34,6 +34,7 @@ def update_checks_metadata_with_compliance(
 Framework=framework.Framework,
 Provider=framework.Provider,
 Version=framework.Version,
+ Description=framework.Description,
 Requirements=compliance_requirements,
 )
 # Include the compliance framework for the check
diff --git a/prowler/lib/check/compliance_models.py b/prowler/lib/check/compliance_models.py
index 0de36aca..4103c370 100644
--- a/prowler/lib/check/compliance_models.py
+++ b/prowler/lib/check/compliance_models.py
@@ -1,6 +1,6 @@
 import sys
 from enum import Enum
-from typing import Any, List, Optional, Union
+from typing import Optional, Union
 from pydantic import BaseModel, ValidationError
@@ -27,25 +27,79 @@ class ENS_Requirements_Dimensiones(str, Enum):
 disponibilidad = "disponibilidad"
+class ENS_Requirements_Tipos(str, Enum):
+ """ENS Requirements Tipos"""
+
+ refuerzo = "refuerzo"
+ requisito = "requisito"
+ recomendacion = "recomendacion"
+ medida = "medida"
+
+
 class ENS_Requirements(BaseModel):
 """ENS V3 Framework Requirements"""
 IdGrupoControl: str
 Marco: str
 Categoria: str
- Descripcion_Control: str
- Nivel: list[ENS_Requirements_Nivel]
+ DescripcionControl: str
+ Tipo: ENS_Requirements_Tipos
+ Nivel: ENS_Requirements_Nivel
 Dimensiones: list[ENS_Requirements_Dimensiones]
+# Generic Compliance Requirements
+class Generic_Compliance_Requirements(BaseModel):
+ """Generic Compliance Requirements"""
+
+ ItemId: str
+ Section: Optional[str]
+ SubSection: Optional[str]
+ SubGroup: Optional[str]
+ Service: str
+ Soc_Type: Optional[str]
+
+
+class CIS_Requirements_Profile(str):
+ """CIS Requirements Profile"""
+
+ Level_1 = "Level 1"
+ Level_2 = "Level 2"
+
+
+class CIS_Requirements_AssessmentStatus(str):
+ """CIS Requirements Assessment Status"""
+
+ Manual = "Manual"
+ Automated = "Automated"
+
+
+# CIS Requirements
+class CIS_Requirements(BaseModel):
+ """CIS Requirements"""
+
+ Section: str
+ Profile: CIS_Requirements_Profile
+ AssessmentStatus: CIS_Requirements_AssessmentStatus
+ Description: str
+ RationaleStatement: str
+ ImpactStatement: str
+ RemediationProcedure: str
+ AuditProcedure: str
+ AdditionalInformation: str
+ References: str
+
+
 # Base Compliance Model
 class Compliance_Requirement(BaseModel):
 """Compliance_Requirement holds the base model for every requirement within a compliance framework"""
 Id: str
 Description: str
- Attributes: list[Union[ENS_Requirements, Any]]
- Checks: List[str]
+ Attributes: list[
+ Union[CIS_Requirements, ENS_Requirements, Generic_Compliance_Requirements]
+ ]
+ Checks: list[str]
 class Compliance_Base_Model(BaseModel):
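Review bot: `CIS_Requirements_Profile` and `CIS_Requirements_AssessmentStatus` subclass plain `str`, unlike `ENS_Requirements_Tipos(str, Enum)` a few lines above, so `Level_1`/`Level_2` and `Manual`/`Automated` are ordinary class attributes and pydantic does not restrict `Profile` or `AssessmentStatus` to those values. A mistyped profile in a framework JSON therefore loads cleanly and is only noticed later as a section that never counts, because `display_compliance_table` compares `attribute.Profile == "Level 1"` literally. Declaring them as `class CIS_Requirements_Profile(str, Enum):` and `class CIS_Requirements_AssessmentStatus(str, Enum):` makes the loader reject unknown values, as it already does for the ENS fields.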
@@ -54,6 +108,7 @@ class Compliance_Base_Model(BaseModel): Framework: str Provider: Optional[str] Version: str + Description: str Requirements: list[Compliance_Requirement] diff --git a/prowler/lib/cli/parser.py b/prowler/lib/cli/parser.py index d7ed7614..9b954896 100644 --- a/prowler/lib/cli/parser.py +++ b/prowler/lib/cli/parser.py @@ -2,7 +2,11 @@ import argparse import sys from argparse import RawTextHelpFormatter -from prowler.config.config import default_output_directory, prowler_version +from prowler.config.config import ( + available_compliance_frameworks, + default_output_directory, + prowler_version, +) from prowler.providers.aws.aws_provider import get_aws_available_regions from prowler.providers.aws.lib.arn.arn import is_valid_arn @@ -24,7 +28,6 @@ class ProwlerArgumentParser: epilog=""" To see the different available options on a specific provider, run: prowler {provider} -h|--help - Detailed documentation at https://docs.prowler.cloud """, ) @@ -212,7 +215,7 @@ Detailed documentation at https://docs.prowler.cloud "--compliance", nargs="+", help="Compliance Framework to check against for. The format should be the following: framework_version_provider (e.g.: ens_rd2022_aws)", - choices=["ens_rd2022_aws", "cis_1.4_aws", "cis_1.5_aws"], + choices=available_compliance_frameworks, ) group.add_argument( "--categories", @@ -241,7 +244,7 @@ Detailed documentation at https://docs.prowler.cloud "--list-compliance-requirements", nargs="+", help="List compliance requirements for a given requirement", - choices=["ens_rd2022_aws", "cis_1.4_aws", "cis_1.5_aws"], + choices=available_compliance_frameworks, ) list_group.add_argument( "--list-categories", diff --git a/prowler/lib/outputs/compliance.py b/prowler/lib/outputs/compliance.py index 7f20335c..7af8e340 100644 --- a/prowler/lib/outputs/compliance.py +++ b/prowler/lib/outputs/compliance.py 
@@ -9,97 +9,45 @@ from prowler.lib.logger import logger from prowler.lib.outputs.models import ( Check_Output_CSV_CIS, Check_Output_CSV_ENS_RD2022, + Check_Output_CSV_Generic_Compliance, generate_csv_fields, ) def fill_compliance(output_options, finding, audit_info, file_descriptors): - # We have to retrieve all the check's compliance requirements - check_compliance = output_options.bulk_checks_metadata[ - finding.check_metadata.CheckID - ].Compliance - csv_header = compliance_row = compliance_output = None - for compliance in check_compliance: - if ( - compliance.Framework == "ENS" - and compliance.Version == "RD2022" - and "ens_rd2022_aws" in output_options.output_modes - ): - compliance_output = "ens_rd2022_aws" - for requirement in compliance.Requirements: - requirement_description = requirement.Description - requirement_id = requirement.Id - for attribute in requirement.Attributes: - compliance_row = Check_Output_CSV_ENS_RD2022( - Provider=finding.check_metadata.Provider, - AccountId=audit_info.audited_account, - Region=finding.region, - AssessmentDate=timestamp.isoformat(), - Requirements_Id=requirement_id, - Requirements_Description=requirement_description, - Requirements_Attributes_IdGrupoControl=attribute.get( - "IdGrupoControl" - ), - Requirements_Attributes_Marco=attribute.get("Marco"), - Requirements_Attributes_Categoria=attribute.get("Categoria"), - Requirements_Attributes_DescripcionControl=attribute.get( - "DescripcionControl" - ), - Requirements_Attributes_Nivel=attribute.get("Nivel"), - Requirements_Attributes_Tipo=attribute.get("Tipo"), - Requirements_Attributes_Dimensiones=",".join( - attribute.get("Dimensiones") - ), - Status=finding.status, - StatusExtended=finding.status_extended, - ResourceId=finding.resource_id, - CheckId=finding.check_metadata.CheckID, - ) - - csv_header = generate_csv_fields(Check_Output_CSV_ENS_RD2022) - - elif compliance.Framework == "CIS-AWS" and "cis" in str( - output_options.output_modes - ): - # Only with the version 
of CIS that was selected - if "cis_" + compliance.Version + "_aws" in str(output_options.output_modes): - compliance_output = "cis_" + compliance.Version + "_aws" + try: + # We have to retrieve all the check's compliance requirements + check_compliance = output_options.bulk_checks_metadata[ + finding.check_metadata.CheckID + ].Compliance + for compliance in check_compliance: + csv_header = compliance_row = compliance_output = None + if ( + compliance.Framework == "ENS" + and compliance.Version == "RD2022" + and "ens_rd2022_aws" in output_options.output_modes + ): + compliance_output = "ens_rd2022_aws" for requirement in compliance.Requirements: requirement_description = requirement.Description requirement_id = requirement.Id for attribute in requirement.Attributes: - compliance_row = Check_Output_CSV_CIS( + compliance_row = Check_Output_CSV_ENS_RD2022( Provider=finding.check_metadata.Provider, + Description=compliance.Description, AccountId=audit_info.audited_account, Region=finding.region, AssessmentDate=timestamp.isoformat(), Requirements_Id=requirement_id, Requirements_Description=requirement_description, - Requirements_Attributes_Section=attribute.get("Section"), - Requirements_Attributes_Profile=attribute.get("Profile"), - Requirements_Attributes_AssessmentStatus=attribute.get( - "AssessmentStatus" - ), - Requirements_Attributes_Description=attribute.get( - "Description" - ), - Requirements_Attributes_RationaleStatement=attribute.get( - "RationaleStatement" - ), - Requirements_Attributes_ImpactStatement=attribute.get( - "ImpactStatement" - ), - Requirements_Attributes_RemediationProcedure=attribute.get( - "RemediationProcedure" - ), - Requirements_Attributes_AuditProcedure=attribute.get( - "AuditProcedure" - ), - Requirements_Attributes_AdditionalInformation=attribute.get( - "AdditionalInformation" - ), - Requirements_Attributes_References=attribute.get( - "References" + Requirements_Attributes_IdGrupoControl=attribute.IdGrupoControl, + 
Requirements_Attributes_Marco=attribute.Marco, + Requirements_Attributes_Categoria=attribute.Categoria, + Requirements_Attributes_DescripcionControl=attribute.DescripcionControl, + Requirements_Attributes_Nivel=attribute.Nivel, + Requirements_Attributes_Tipo=attribute.Tipo, + Requirements_Attributes_Dimensiones=",".join( + attribute.Dimensiones ), Status=finding.status, StatusExtended=finding.status_extended, 
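Review bot: The new `try:` at the top of `fill_compliance` covers the whole body, and the matching `except Exception` in the next hunk only logs `logger.error(...)` and returns, so any failure while building a row (an attribute missing on a requirement, a missing key in `file_descriptors`) drops that finding from the compliance CSV while the run still completes normally; for a report used as audit evidence a silently incomplete file is harder to spot than a failed run. At minimum the log line should identify what was lost, e.g. append `-- check {finding.check_metadata.CheckID}` to the error message, and the `try` should be narrowed to the `DictWriter` call so model and attribute errors propagate as they did before this change. The function body continues into the following hunk.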
@@ -107,15 +55,93 @@ def fill_compliance(output_options, finding, audit_info, file_descriptors): CheckId=finding.check_metadata.CheckID, ) - csv_header = generate_csv_fields(Check_Output_CSV_CIS) + csv_header = generate_csv_fields(Check_Output_CSV_ENS_RD2022) - if compliance_row: - csv_writer = DictWriter( - file_descriptors[compliance_output], - fieldnames=csv_header, - delimiter=";", - ) - csv_writer.writerow(compliance_row.__dict__) + elif compliance.Framework == "CIS" and "cis_" in str( + output_options.output_modes + ): + # Only with the version of CIS that was selected + if "cis_" + compliance.Version + "_aws" in str( + output_options.output_modes + ): + compliance_output = "cis_" + compliance.Version + "_aws" + for requirement in compliance.Requirements: + requirement_description = requirement.Description + requirement_id = requirement.Id + for attribute in requirement.Attributes: + compliance_row = Check_Output_CSV_CIS( + Provider=finding.check_metadata.Provider, + Description=compliance.Description, + AccountId=audit_info.audited_account, + Region=finding.region, + AssessmentDate=timestamp.isoformat(), + Requirements_Id=requirement_id, + Requirements_Description=requirement_description, + Requirements_Attributes_Section=attribute.Section, + Requirements_Attributes_Profile=attribute.Profile, + Requirements_Attributes_AssessmentStatus=attribute.AssessmentStatus, + Requirements_Attributes_Description=attribute.Description, + Requirements_Attributes_RationaleStatement=attribute.RationaleStatement, + Requirements_Attributes_ImpactStatement=attribute.ImpactStatement, + Requirements_Attributes_RemediationProcedure=attribute.RemediationProcedure, + Requirements_Attributes_AuditProcedure=attribute.AuditProcedure, + Requirements_Attributes_AdditionalInformation=attribute.AdditionalInformation, + Requirements_Attributes_References=attribute.References, + Status=finding.status, + StatusExtended=finding.status_extended, + ResourceId=finding.resource_id, + 
CheckId=finding.check_metadata.CheckID, + ) + + csv_header = generate_csv_fields(Check_Output_CSV_CIS) + + else: + compliance_output = compliance.Framework + if compliance.Version != "": + compliance_output += "_" + compliance.Version + if compliance.Provider != "": + compliance_output += "_" + compliance.Provider + + compliance_output = compliance_output.lower().replace("-", "_") + if compliance_output in output_options.output_modes: + for requirement in compliance.Requirements: + requirement_description = requirement.Description + requirement_id = requirement.Id + for attribute in requirement.Attributes: + compliance_row = Check_Output_CSV_Generic_Compliance( + Provider=finding.check_metadata.Provider, + Description=compliance.Description, + AccountId=audit_info.audited_account, + Region=finding.region, + AssessmentDate=timestamp.isoformat(), + Requirements_Id=requirement_id, + Requirements_Description=requirement_description, + Requirements_Attributes_Section=attribute.Section, + Requirements_Attributes_SubSection=attribute.SubSection, + Requirements_Attributes_SubGroup=attribute.SubGroup, + Requirements_Attributes_Service=attribute.Service, + Requirements_Attributes_Soc_Type=attribute.Soc_Type, + Status=finding.status, + StatusExtended=finding.status_extended, + ResourceId=finding.resource_id, + CheckId=finding.check_metadata.CheckID, + ) + + csv_header = generate_csv_fields( + Check_Output_CSV_Generic_Compliance + ) + + if compliance_row: + csv_writer = DictWriter( + file_descriptors[compliance_output], + fieldnames=csv_header, + delimiter=";", + ) + csv_writer.writerow(compliance_row.__dict__) + except Exception as error: + logger.error( + f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}" + ) def display_compliance_table( 
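Review bot: Only the last row built per framework reaches the writer: `compliance_row` is reassigned on every pass of the `for requirement`/`for attribute` loops in all three branches, while `csv_writer.writerow(compliance_row.__dict__)` runs once after them (the collapsed diff hides indentation, but the write is clearly outside the attribute loop), so a check mapped to several requirements, or a requirement with several attributes, loses every row but one. Collecting the rows in a list and writing them all, as sketched below, fixes that without touching the branch logic. Separately, in the generic branch `compliance.Provider` is `Optional[str]` on `Compliance_Base_Model`, so `if compliance.Provider != "":` lets `None` through to `"_" + compliance.Provider`, which raises `TypeError` and is then swallowed by the `except`; `if compliance.Provider:` covers both cases.
```python
for compliance in check_compliance:
    csv_header = compliance_output = None
    compliance_rows = []
    # … unchanged: ENS / CIS / generic branches; each innermost `for attribute` loop ends with …
    #     compliance_rows.append(compliance_row)
    # … instead of leaving only the last value in compliance_row …
    if compliance_rows:
        csv_writer = DictWriter(
            file_descriptors[compliance_output],
            fieldnames=csv_header,
            delimiter=";",
        )
        for row in compliance_rows:
            csv_writer.writerow(row.__dict__)
```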
@@ -153,7 +179,7 @@ def display_compliance_table( for requirement in compliance.Requirements: for attribute in requirement.Attributes: marco_categoria = ( - f"{attribute['Marco']}/{attribute['Categoria']}" + f"{attribute.Marco}/{attribute.Categoria}" ) # Check if Marco/Categoria exists if marco_categoria not in marcos: @@ -171,13 +197,13 @@ def display_compliance_table( ] = f"{Fore.RED}NO CUMPLE{Style.RESET_ALL}" elif finding.status == "PASS": pass_count += 1 - if attribute["Nivel"] == "pytec": + if attribute.Nivel == "pytec": marcos[marco_categoria]["Pytec"] += 1 - elif attribute["Nivel"] == "alto": + elif attribute.Nivel == "alto": marcos[marco_categoria]["Alto"] += 1 - elif attribute["Nivel"] == "medio": + elif attribute.Nivel == "medio": marcos[marco_categoria]["Medio"] += 1 - elif attribute["Nivel"] == "bajo": + elif attribute.Nivel == "bajo": marcos[marco_categoria]["Bajo"] += 1 # Add results to table @@ -223,11 +249,11 @@ def display_compliance_table( print( f"{Style.BRIGHT}* Solo aparece el Marco/Categoria que contiene resultados.{Style.RESET_ALL}" ) - print("\nResultados detallados en:") + print(f"\nResultados detallados de {compliance_fm} en:") print( f" - CSV: {output_directory}/{output_filename}_{compliance_framework[0]}.csv\n" ) - if "cis" in str(compliance_framework): + elif "cis_1." in str(compliance_framework): sections = {} cis_compliance_table = { "Provider": [], 
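Review bot: `elif "cis_1." in str(compliance_framework):` tests a substring of the list's `repr` rather than the framework names, so it matches any entry that merely contains `cis_1.` and depends on how the list happens to print; `elif any(fw.startswith("cis_1.") for fw in compliance_framework):` says what is meant. The same `in str(...)` idiom is kept in `fill_compliance` for `"cis_" in str(output_options.output_modes)`. The new `print(f"\nResultados detallados de {compliance_fm} en:")` also reads `compliance_fm`, which as far as the visible hunks show is only bound inside the per-finding loop, so an ENS run with no findings may raise `NameError` here that the outer `except` turns into a critical log; the enclosing branch starts outside the hunk.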
@@ -240,14 +266,14 @@ def display_compliance_table( check = bulk_checks_metadata[finding.check_metadata.CheckID] check_compliances = check.Compliance for compliance in check_compliances: - if compliance.Framework == "CIS-AWS" and compliance.Version in str( + if compliance.Framework == "CIS" and compliance.Version in str( compliance_framework ): compliance_version = compliance.Version compliance_fm = compliance.Framework for requirement in compliance.Requirements: for attribute in requirement.Attributes: - section = attribute["Section"] + section = attribute.Section # Check if Section exists if section not in sections: sections[section] = { @@ -259,12 +285,12 @@ def display_compliance_table( fail_count += 1 elif finding.status == "PASS": pass_count += 1 - if attribute["Profile"] == "Level 1": + if attribute.Profile == "Level 1": if finding.status == "FAIL": sections[section]["Level 1"]["FAIL"] += 1 else: sections[section]["Level 1"]["PASS"] += 1 - elif attribute["Profile"] == "Level 2": + elif attribute.Profile == "Level 2": if finding.status == "FAIL": sections[section]["Level 2"]["FAIL"] += 1 else: @@ -291,7 +317,7 @@ def display_compliance_table( cis_compliance_table["Level 2"].append( f"{Fore.GREEN}PASS({sections[section]['Level 2']['PASS']}){Style.RESET_ALL}" ) - if fail_count + pass_count < 0: + if fail_count + pass_count < 1: print( f"\n {Style.BRIGHT}There are no resources for {Fore.YELLOW}{compliance_fm}-{compliance_version}{Style.RESET_ALL}.\n" ) 
@@ -317,10 +343,15 @@ def display_compliance_table( print( f"{Style.BRIGHT}* Only sections containing results appear.{Style.RESET_ALL}" ) - print("\nDetailed Results in:") + print(f"\nDetailed results of {compliance_fm} are in:") print( f" - CSV: {output_directory}/{output_filename}_{compliance_framework[0]}.csv\n" ) + else: + print(f"\nDetailed results of {compliance_framework[0].upper()} are in:") + print( + f" - CSV: {output_directory}/{output_filename}_{compliance_framework[0]}.csv\n" + ) except Exception as error: logger.critical( f"{error.__class__.__name__}:{error.__traceback__.tb_lineno} -- {error}" diff --git a/prowler/lib/outputs/file_descriptors.py b/prowler/lib/outputs/file_descriptors.py index 87bf66bb..dd06ffa9 100644 --- a/prowler/lib/outputs/file_descriptors.py +++ b/prowler/lib/outputs/file_descriptors.py @@ -15,6 +15,7 @@ from prowler.lib.outputs.models import ( Azure_Check_Output_CSV, Check_Output_CSV_CIS, Check_Output_CSV_ENS_RD2022, + Check_Output_CSV_Generic_Compliance, generate_csv_fields, ) from prowler.lib.utils.utils import file_exists, open_file @@ -41,18 +42,17 @@ def initialize_file_descriptor( "a", ) - if output_mode in ("csv", "ens_rd2022_aws", "cis_1.5_aws", "cis_1.4_aws"): + if output_mode in ("json", "json-asff"): + file_descriptor.write("[") + elif "html" in output_mode: + add_html_header(file_descriptor, audit_info) + else: # Format is the class model of the CSV format to print the headers csv_header = [x.upper() for x in generate_csv_fields(format)] csv_writer = DictWriter( file_descriptor, fieldnames=csv_header, delimiter=";" ) csv_writer.writeheader() - - if output_mode in ("json", "json-asff"): - file_descriptor.write("[") - if "html" in output_mode: - add_html_header(file_descriptor, audit_info) except Exception as error: logger.error( f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}" 
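Review bot: The new `else:` in `initialize_file_descriptor` writes a CSV header for every `output_mode` that is not json/json-asff/html, and the `else:` added to `fill_file_descriptors` in the `@@ -119,19 +118,31 @@` hunk creates `{output_filename}_{output_mode}{csv_file_suffix}` for every mode not matched earlier, so an unrecognised mode now produces a file with a generic header instead of being ignored or reported. Today `--compliance` is limited by `choices=available_compliance_frameworks`, so this is defence in depth rather than a live bug, but a branch meant for "generic compliance framework" should still be an allowlist: `elif output_mode in available_compliance_frameworks:` (imported from `prowler.config.config` alongside the other config names) followed by a final `else` that logs the unexpected mode.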
@@ -84,15 +84,14 @@ def fill_file_descriptors(output_modes, output_directory, output_filename, audit ) file_descriptors.update({output_mode: file_descriptor}) - if output_mode == "json": + elif output_mode == "json": filename = f"{output_directory}/{output_filename}{json_file_suffix}" file_descriptor = initialize_file_descriptor( filename, output_mode, audit_info ) file_descriptors.update({output_mode: file_descriptor}) - if isinstance(audit_info, AWS_Audit_Info): - + elif isinstance(audit_info, AWS_Audit_Info): if output_mode == "json-asff": filename = f"{output_directory}/{output_filename}{json_asff_file_suffix}" file_descriptor = initialize_file_descriptor( @@ -100,7 +99,7 @@ def fill_file_descriptors(output_modes, output_directory, output_filename, audit ) file_descriptors.update({output_mode: file_descriptor}) - if output_mode == "html": + elif output_mode == "html": filename = ( f"{output_directory}/{output_filename}{html_file_suffix}" ) @@ -109,7 +108,7 @@ def fill_file_descriptors(output_modes, output_directory, output_filename, audit ) file_descriptors.update({output_mode: file_descriptor}) - if output_mode == "ens_rd2022_aws": + elif output_mode == "ens_rd2022_aws": filename = f"{output_directory}/{output_filename}_ens_rd2022_aws{csv_file_suffix}" file_descriptor = initialize_file_descriptor( filename, 
@@ -119,19 +118,31 @@ def fill_file_descriptors(output_modes, output_directory, output_filename, audit ) file_descriptors.update({output_mode: file_descriptor}) - if output_mode == "cis_1.5_aws": + elif output_mode == "cis_1.5_aws": filename = f"{output_directory}/{output_filename}_cis_1.5_aws{csv_file_suffix}" file_descriptor = initialize_file_descriptor( filename, output_mode, audit_info, Check_Output_CSV_CIS ) file_descriptors.update({output_mode: file_descriptor}) - if output_mode == "cis_1.4_aws": + elif output_mode == "cis_1.4_aws": filename = f"{output_directory}/{output_filename}_cis_1.4_aws{csv_file_suffix}" file_descriptor = initialize_file_descriptor( filename, output_mode, audit_info, Check_Output_CSV_CIS ) file_descriptors.update({output_mode: file_descriptor}) + + else: + # Generic Compliance framework + filename = f"{output_directory}/{output_filename}_{output_mode}{csv_file_suffix}" + file_descriptor = initialize_file_descriptor( + filename, + output_mode, + audit_info, + Check_Output_CSV_Generic_Compliance, + ) + file_descriptors.update({output_mode: file_descriptor}) + except Exception as error: logger.error( f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}" diff --git a/prowler/lib/outputs/models.py b/prowler/lib/outputs/models.py index 7a78cf3a..59ddf06d 100644 --- a/prowler/lib/outputs/models.py +++ b/prowler/lib/outputs/models.py @@ -318,6 +318,7 @@ class Check_Output_CSV_ENS_RD2022(BaseModel): """ Provider: str + Description: str AccountId: str Region: str AssessmentDate: str @@ -338,10 +339,11 @@ class Check_Output_CSV_ENS_RD2022(BaseModel): class Check_Output_CSV_CIS(BaseModel): """ - Check_Output_CSV_ENS_RD2022 generates a finding's output in CSV CIS format. + Check_Output_CSV_CIS generates a finding's output in CSV CIS format. """ Provider: str + Description: str AccountId: str Region: str AssessmentDate: str 
@@ -363,6 +365,29 @@ class Check_Output_CSV_CIS(BaseModel): CheckId: str +class Check_Output_CSV_Generic_Compliance(BaseModel): + """ + Check_Output_CSV_Generic_Compliance generates a finding's output in CSV Generic Compliance format. + """ + + Provider: str + Description: str + AccountId: str + Region: str + AssessmentDate: str + Requirements_Id: str + Requirements_Description: str + Requirements_Attributes_Section: Optional[str] + Requirements_Attributes_SubSection: Optional[str] + Requirements_Attributes_SubGroup: Optional[str] + Requirements_Attributes_Service: str + Requirements_Attributes_Soc_Type: Optional[str] + Status: str + StatusExtended: str + ResourceId: str + CheckId: str + + # JSON ASFF Output class ProductFields(BaseModel): ProviderName: str = "Prowler" diff --git a/prowler/lib/outputs/outputs.py b/prowler/lib/outputs/outputs.py index a147f0fd..8e7a6e46 100644 --- a/prowler/lib/outputs/outputs.py +++ b/prowler/lib/outputs/outputs.py @@ -4,6 +4,7 @@ import sys from colorama import Fore, Style from prowler.config.config import ( + available_compliance_frameworks, csv_file_suffix, html_file_suffix, json_asff_file_suffix, @@ -82,9 +83,9 @@ def report(check_findings, output_options, audit_info): if not (finding.status != "FAIL" and output_options.is_quiet): # AWS specific outputs if finding.check_metadata.Provider == "aws": - if ( - "ens_rd2022_aws" in output_options.output_modes - or "cis" in str(output_options.output_modes) + if any( + compliance in output_options.output_modes + for compliance in available_compliance_frameworks ): fill_compliance( output_options,