Add GxP EU Annex 11 benchmark Closes #439 (#452)

Co-authored-by: rajmohanty17 <raj@turbot.com> Co-authored-by: misraved <ved@turbot.com>
turbot · Jul 27, 2022 · d761226 · d761226
1 parent 71162e0
commit d761226
Show file tree

Hide file tree

Showing 30 changed files with 401 additions and 13 deletions.
diff --git a/README.md b/README.md
@@ -1,6 +1,6 @@
 # AWS Compliance Mod for Steampipe
 
-475+ checks covering industry defined security best practices across all AWS regions. Includes full support for multiple best practice benchmarks including PCI DSS, AWS Foundational Security, CISA Cyber Essentials, FedRAMP, FFIEC, GxP 21 CFR Part 11, HIPAA, NIST 800-53, NIST CSF, Reserve Bank of India, Audit Manager Control Tower **and the latest (v1.4.0) CIS benchmarks**.
+475+ checks covering industry defined security best practices across all AWS regions. Includes full support for multiple best practice benchmarks including PCI DSS, AWS Foundational Security, CISA Cyber Essentials, FedRAMP, FFIEC, GxP 21 CFR Part 11, GxP EU Annex 11, HIPAA, NIST 800-53, NIST CSF, Reserve Bank of India, Audit Manager Control Tower **and the latest (v1.4.0) CIS benchmarks**.
 
 Run checks in a dashboard:
 ![image](https://raw.githubusercontent.com/turbot/steampipe-mod-aws-compliance/main/docs/aws_cis_v140_dashboard.png)
@@ -18,6 +18,7 @@ Includes support for:
 * [Federal Financial Institutions Examination Council (FFIEC)](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.ffiec)
 * [General Data Protection Regulation (GDPR)](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.gdpr)
 * [GxP 21 CFR Part 11](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.gxp_21_cfr_part_11)
+* [GxP EU Annex 11](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.gxp_eu_annex_11)
 * [HIPAA](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.hipaa)
 * [NIST 800-53 Revision 4](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.nist_800_53_rev_4)
 * [NIST 800-53 Revision 5](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.nist_800_53_rev_5)

diff --git a/conformance_pack/apigateway.sp b/conformance_pack/apigateway.sp
@@ -14,6 +14,7 @@ control "apigateway_stage_cache_encryption_at_rest_enabled" {
     fedramp_moderate_rev_4 = "true"
     gdpr                   = "true"
     gxp_21_cfr_part_11     = "true"
+    gxp_eu_annex_11        = "true"
     hipaa                  = "true"
     nist_800_53_rev_4      = "true"
     nist_800_53_rev_5      = "true"

diff --git a/conformance_pack/backup.sp b/conformance_pack/backup.sp
@@ -12,6 +12,7 @@ control "backup_recovery_point_manual_deletion_disabled" {
   tags = merge(local.conformance_pack_backup_common_tags, {
     cisa_cyber_essentials = "true"
     ffiec                 = "true"
+    gxp_eu_annex_11       = "true"
     hipaa                 = "true"
     nist_800_171_rev_2    = "true"
     nist_csf              = "true"
@@ -29,6 +30,7 @@ control "backup_plan_min_retention_35_days" {
     fedramp_low_rev_4      = "true"
     fedramp_moderate_rev_4 = "true"
     ffiec                  = "true"
+    gxp_eu_annex_11        = "true"
     hipaa                  = "true"
     nist_800_171_rev_2     = "true"
     nist_csf               = "true"
@@ -44,6 +46,7 @@ control "backup_recovery_point_encryption_enabled" {
   tags = merge(local.conformance_pack_backup_common_tags, {
     cisa_cyber_essentials = "true"
     ffiec                 = "true"
+    gxp_eu_annex_11       = "true"
     hipaa                 = "true"
     nist_800_171_rev_2    = "true"
     nist_csf              = "true"
@@ -59,6 +62,7 @@ control "backup_recovery_point_min_retention_35_days" {
   tags = merge(local.conformance_pack_backup_common_tags, {
     cisa_cyber_essentials = "true"
     ffiec                 = "true"
+    gxp_eu_annex_11       = "true"
     nist_800_171_rev_2    = "true"
   })
 }
diff --git a/conformance_pack/cloudtrail.sp b/conformance_pack/cloudtrail.sp
@@ -38,6 +38,7 @@ control "cloudtrail_s3_data_events_enabled" {
     ffiec                  = "true"
     gdpr                   = "true"
     gxp_21_cfr_part_11     = "true"
+    gxp_eu_annex_11        = "true"
     hipaa                  = "true"
     nist_800_171_rev_2     = "true"
     nist_800_53_rev_4      = "true"
@@ -59,6 +60,7 @@ control "cloudtrail_trail_logs_encrypted_with_kms_cmk" {
     fedramp_moderate_rev_4 = "true"
     gdpr                   = "true"
     gxp_21_cfr_part_11     = "true"
+    gxp_eu_annex_11        = "true"
     hipaa                  = "true"
     nist_800_171_rev_2     = "true"
     nist_800_53_rev_4      = "true"
@@ -119,6 +121,7 @@ control "cloudtrail_trail_enabled" {
     fedramp_moderate_rev_4 = "true"
     ffiec                  = "true"
     gxp_21_cfr_part_11     = "true"
+    gxp_eu_annex_11        = "true"
     hipaa                  = "true"
     nist_800_171_rev_2     = "true"
     nist_800_53_rev_4      = "true"

diff --git a/conformance_pack/cloudwatch.sp b/conformance_pack/cloudwatch.sp
@@ -33,6 +33,7 @@ control "log_group_encryption_at_rest_enabled" {
     fedramp_moderate_rev_4 = "true"
     gdpr                   = "true"
     gxp_21_cfr_part_11     = "true"
+    gxp_eu_annex_11        = "true"
     hipaa                  = "true"
     nist_800_171_rev_2     = "true"
     nist_800_53_rev_4      = "true"

diff --git a/conformance_pack/config.sp b/conformance_pack/config.sp
@@ -10,9 +10,10 @@ control "config_enabled_all_regions" {
   sql         = query.config_enabled_all_regions.sql
 
   tags = merge(local.conformance_pack_config_common_tags, {
-    gdpr     = "true"
-    hipaa    = "true"
-    nist_csf = "true"
-    soc_2    = "true"
+    gdpr            = "true"
+    gxp_eu_annex_11 = "true"
+    hipaa           = "true"
+    nist_csf        = "true"
+    soc_2           = "true"
   })
 }
diff --git a/conformance_pack/dax.sp b/conformance_pack/dax.sp
@@ -10,7 +10,8 @@ control "dax_cluster_encryption_at_rest_enabled" {
   sql         = query.dax_cluster_encryption_at_rest_enabled.sql
 
   tags = merge(local.conformance_pack_dax_common_tags, {
-    gdpr  = "true"
-    hipaa = "true"
+    gdpr            = "true"
+    gxp_eu_annex_11 = "true"
+    hipaa           = "true"
   })
 }
diff --git a/conformance_pack/dynamodb.sp b/conformance_pack/dynamodb.sp
@@ -34,6 +34,7 @@ control "dynamodb_table_point_in_time_recovery_enabled" {
     fedramp_moderate_rev_4 = "true"
     ffiec                  = "true"
     gxp_21_cfr_part_11     = "true"
+    gxp_eu_annex_11        = "true"
     hipaa                  = "true"
     nist_800_171_rev_2     = "true"
     nist_800_53_rev_4      = "true"
@@ -53,6 +54,7 @@ control "dynamodb_table_encrypted_with_kms" {
     cisa_cyber_essentials = "true"
     gdpr                  = "true"
     gxp_21_cfr_part_11    = "true"
+    gxp_eu_annex_11       = "true"
     hipaa                 = "true"
     nist_800_171_rev_2    = "true"
     nist_800_53_rev_4     = "true"
@@ -70,6 +72,7 @@ control "dynamodb_table_in_backup_plan" {
     cisa_cyber_essentials = "true"
     ffiec                 = "true"
     gxp_21_cfr_part_11    = "true"
+    gxp_eu_annex_11       = "true"
     hipaa                 = "true"
     nist_800_171_rev_2    = "true"
     nist_800_53_rev_4     = "true"
@@ -86,8 +89,9 @@ control "dynamodb_table_encryption_enabled" {
   sql         = query.dynamodb_table_encryption_enabled.sql
 
   tags = merge(local.conformance_pack_dynamodb_common_tags, {
-    gdpr  = "true"
-    hipaa = "true"
+    gdpr            = "true"
+    gxp_eu_annex_11 = "true"
+    hipaa           = "true"
   })
 }
 
@@ -100,6 +104,7 @@ control "dynamodb_table_protected_by_backup_plan" {
     cisa_cyber_essentials  = "true"
     fedramp_low_rev_4      = "true"
     fedramp_moderate_rev_4 = "true"
+    gxp_eu_annex_11        = "true"
     hipaa                  = "true"
     nist_800_171_rev_2     = "true"
     nist_csf               = "true"

diff --git a/conformance_pack/ebs.sp b/conformance_pack/ebs.sp
@@ -32,6 +32,7 @@ control "ebs_volume_encryption_at_rest_enabled" {
   tags = merge(local.conformance_pack_ebs_common_tags, {
     fedramp_moderate_rev_4 = "true"
     gdpr                   = "true"
+    gxp_eu_annex_11        = "true"
     hipaa                  = "true"
     nist_800_171_rev_2     = "true"
     nist_800_53_rev_5      = "true"
@@ -69,6 +70,7 @@ control "ebs_volume_in_backup_plan" {
     cisa_cyber_essentials = "true"
     ffiec                 = "true"
     gxp_21_cfr_part_11    = "true"
+    gxp_eu_annex_11       = "true"
     hipaa                 = "true"
     nist_800_171_rev_2    = "true"
     nist_800_53_rev_4     = "true"
@@ -103,6 +105,7 @@ control "ebs_volume_protected_by_backup_plan" {
     fedramp_low_rev_4      = "true"
     fedramp_moderate_rev_4 = "true"
     ffiec                  = "true"
+    gxp_eu_annex_11        = "true"
     hipaa                  = "true"
     nist_800_171_rev_2     = "true"
     nist_csf               = "true"

diff --git a/conformance_pack/ec2.sp b/conformance_pack/ec2.sp
@@ -13,6 +13,7 @@ control "ec2_ebs_default_encryption_enabled" {
     cisa_cyber_essentials = "true"
     ffiec                 = "true"
     gxp_21_cfr_part_11    = "true"
+    gxp_eu_annex_11       = "true"
     hipaa                 = "true"
     nist_800_171_rev_2    = "true"
     nist_800_53_rev_5     = "true"
@@ -104,6 +105,7 @@ control "ec2_instance_ebs_optimized" {
     fedramp_low_rev_4           = "true"
     fedramp_moderate_rev_4      = "true"
     gxp_21_cfr_part_11          = "true"
+    gxp_eu_annex_11             = "true"
     hipaa                       = "true"
     nist_800_171_rev_2          = "true"
     nist_800_53_rev_5           = "true"
@@ -136,6 +138,7 @@ control "ec2_instance_protected_by_backup_plan" {
     fedramp_low_rev_4      = "true"
     fedramp_moderate_rev_4 = "true"
     ffiec                  = "true"
+    gxp_eu_annex_11        = "true"
     hipaa                  = "true"
     nist_800_171_rev_2     = "true"
     nist_csf               = "true"

diff --git a/conformance_pack/efs.sp b/conformance_pack/efs.sp
@@ -13,6 +13,7 @@ control "efs_file_system_encrypt_data_at_rest" {
     ffiec              = "true"
     gdpr               = "true"
     gxp_21_cfr_part_11 = "true"
+    gxp_eu_annex_11    = "true"
     hipaa              = "true"
     nist_800_53_rev_4  = "true"
     nist_800_53_rev_5  = "true"
@@ -30,6 +31,7 @@ control "efs_file_system_in_backup_plan" {
   tags = merge(local.conformance_pack_efs_common_tags, {
     ffiec              = "true"
     gxp_21_cfr_part_11 = "true"
+    gxp_eu_annex_11    = "true"
     hipaa              = "true"
     nist_800_171_rev_2 = "true"
     nist_800_53_rev_4  = "true"
@@ -49,6 +51,7 @@ control "efs_file_system_protected_by_backup_plan" {
     cisa_cyber_essentials  = "true"
     fedramp_low_rev_4      = "true"
     fedramp_moderate_rev_4 = "true"
+    gxp_eu_annex_11        = "true"
     hipaa                  = "true"
     nist_800_171_rev_2     = "true"
     nist_csf               = "true"

diff --git a/conformance_pack/eks.sp b/conformance_pack/eks.sp
@@ -10,7 +10,8 @@ control "eks_cluster_secrets_encrypted" {
   sql         = query.eks_cluster_secrets_encrypted.sql
 
   tags = merge(local.conformance_pack_eks_common_tags, {
-    hipaa = "true"
+    gxp_eu_annex_11 = "true"
+    hipaa           = "true"
   })
 }
 

diff --git a/conformance_pack/elasticache.sp b/conformance_pack/elasticache.sp
@@ -15,6 +15,7 @@ control "elasticache_redis_cluster_automatic_backup_retention_15_days" {
     fedramp_moderate_rev_4 = "true"
     ffiec                  = "true"
     gxp_21_cfr_part_11     = "true"
+    gxp_eu_annex_11        = "true"
     hipaa                  = "true"
     nist_800_53_rev_4      = "true"
     nist_800_53_rev_5      = "true"

diff --git a/conformance_pack/elb.sp b/conformance_pack/elb.sp
@@ -150,6 +150,7 @@ control "elb_classic_lb_cross_zone_load_balancing_enabled" {
     fedramp_moderate_rev_4 = "true"
     ffiec                  = "true"
     gxp_21_cfr_part_11     = "true"
+    gxp_eu_annex_11        = "true"
     nist_800_171_rev_2     = "true"
     nist_800_53_rev_4      = "true"
     nist_800_53_rev_5      = "true"

diff --git a/conformance_pack/es.sp b/conformance_pack/es.sp
@@ -15,6 +15,7 @@ control "es_domain_encryption_at_rest_enabled" {
     ffiec                  = "true"
     gdpr                   = "true"
     gxp_21_cfr_part_11     = "true"
+    gxp_eu_annex_11        = "true"
     hipaa                  = "true"
     nist_800_171_rev_2     = "true"
     nist_800_53_rev_4      = "true"

diff --git a/conformance_pack/fsx.sp b/conformance_pack/fsx.sp
@@ -13,6 +13,7 @@ control "fsx_file_system_protected_by_backup_plan" {
     cisa_cyber_essentials  = "true"
     fedramp_low_rev_4      = "true"
     fedramp_moderate_rev_4 = "true"
+    gxp_eu_annex_11        = "true"
     hipaa                  = "true"
     nist_csf               = "true"
     soc_2                  = "true"

diff --git a/conformance_pack/rds.sp b/conformance_pack/rds.sp
@@ -15,6 +15,7 @@ control "rds_db_instance_backup_enabled" {
     fedramp_moderate_rev_4 = "true"
     ffiec                  = "true"
     gxp_21_cfr_part_11     = "true"
+    gxp_eu_annex_11        = "true"
     hipaa                  = "true"
     nist_800_171_rev_2     = "true"
     nist_800_53_rev_4      = "true"
@@ -36,6 +37,7 @@ control "rds_db_instance_encryption_at_rest_enabled" {
     ffiec                  = "true"
     gdpr                   = "true"
     gxp_21_cfr_part_11     = "true"
+    gxp_eu_annex_11        = "true"
     hipaa                  = "true"
     nist_800_53_rev_4      = "true"
     nist_800_53_rev_5      = "true"
@@ -96,6 +98,7 @@ control "rds_db_snapshot_encrypted_at_rest" {
     fedramp_moderate_rev_4      = "true"
     gdpr                        = "true"
     gxp_21_cfr_part_11          = "true"
+    gxp_eu_annex_11             = "true"
     hipaa                       = "true"
     nist_800_171_rev_2          = "true"
     nist_800_53_rev_4           = "true"
@@ -155,6 +158,7 @@ control "rds_db_instance_in_backup_plan" {
     ffiec                 = "true"
     gdpr                  = "true"
     gxp_21_cfr_part_11    = "true"
+    gxp_eu_annex_11       = "true"
     hipaa                 = "true"
     nist_800_53_rev_4     = "true"
     nist_800_53_rev_5     = "true"
@@ -229,6 +233,7 @@ control "rds_db_cluster_aurora_protected_by_backup_plan" {
     fedramp_low_rev_4      = "true"
     fedramp_moderate_rev_4 = "true"
     ffiec                  = "true"
+    gxp_eu_annex_11        = "true"
     hipaa                  = "true"
     nist_csf               = "true"
     soc_2                  = "true"
@@ -244,6 +249,7 @@ control "rds_db_instance_protected_by_backup_plan" {
     fedramp_low_rev_4      = "true"
     fedramp_moderate_rev_4 = "true"
     ffiec                  = "true"
+    gxp_eu_annex_11        = "true"
     hipaa                  = "true"
     nist_800_171_rev_2     = "true"
     nist_800_53_rev_5      = "true"

diff --git a/conformance_pack/redshift.sp b/conformance_pack/redshift.sp
@@ -37,6 +37,7 @@ control "redshift_cluster_encryption_logging_enabled" {
     ffiec                  = "true"
     gdpr                   = "true"
     gxp_21_cfr_part_11     = "true"
+    gxp_eu_annex_11        = "true"
     hipaa                  = "true"
     nist_800_53_rev_4      = "true"
     nist_800_53_rev_5      = "true"
@@ -78,6 +79,7 @@ control "redshift_cluster_automatic_snapshots_min_7_days" {
     ffiec                  = "true"
     gdpr                   = "true"
     gxp_21_cfr_part_11     = "true"
+    gxp_eu_annex_11        = "true"
     hipaa                  = "true"
     nist_800_53_rev_5      = "true"
     nist_csf               = "true"

diff --git a/conformance_pack/s3.sp b/conformance_pack/s3.sp
@@ -15,6 +15,7 @@ control "s3_bucket_cross_region_replication_enabled" {
     fedramp_moderate_rev_4 = "true"
     ffiec                  = "true"
     gxp_21_cfr_part_11     = "true"
+    gxp_eu_annex_11        = "true"
     hipaa                  = "true"
     nist_800_53_rev_4      = "true"
     nist_800_53_rev_5      = "true"
@@ -35,6 +36,7 @@ control "s3_bucket_default_encryption_enabled" {
     fedramp_moderate_rev_4 = "true"
     gdpr                   = "true"
     gxp_21_cfr_part_11     = "true"
+    gxp_eu_annex_11        = "true"
     hipaa                  = "true"
     nist_800_171_rev_2     = "true"
     nist_800_53_rev_4      = "true"
@@ -157,6 +159,7 @@ control "s3_bucket_versioning_enabled" {
     fedramp_moderate_rev_4      = "true"
     ffiec                       = "true"
     gxp_21_cfr_part_11          = "true"
+    gxp_eu_annex_11             = "true"
     hipaa                       = "true"
     nist_800_171_rev_2          = "true"
     nist_800_53_rev_4           = "true"
@@ -215,6 +218,7 @@ control "s3_bucket_default_encryption_enabled_kms" {
     ffiec                  = "true"
     gdpr                   = "true"
     gxp_21_cfr_part_11     = "true"
+    gxp_eu_annex_11        = "true"
     hipaa                  = "true"
     nist_800_171_rev_2     = "true"
     nist_800_53_rev_5      = "true"

diff --git a/conformance_pack/sagemaker.sp b/conformance_pack/sagemaker.sp
@@ -35,6 +35,7 @@ control "sagemaker_notebook_instance_encryption_at_rest_enabled" {
     fedramp_moderate_rev_4 = "true"
     gdpr                   = "true"
     gxp_21_cfr_part_11     = "true"
+    gxp_eu_annex_11        = "true"
     hipaa                  = "true"
     nist_800_53_rev_4      = "true"
     nist_800_53_rev_5      = "true"
@@ -54,6 +55,7 @@ control "sagemaker_endpoint_configuration_encryption_at_rest_enabled" {
     fedramp_moderate_rev_4 = "true"
     gdpr                   = "true"
     gxp_21_cfr_part_11     = "true"
+    gxp_eu_annex_11        = "true"
     hipaa                  = "true"
     nist_800_171_rev_2     = "true"
     nist_800_53_rev_4      = "true"

diff --git a/conformance_pack/securityhub.sp b/conformance_pack/securityhub.sp
@@ -15,6 +15,7 @@ control "securityhub_enabled" {
     fedramp_moderate_rev_4 = "true"
     ffiec                  = "true"
     gxp_21_cfr_part_11     = "true"
+    gxp_eu_annex_11        = "true"
     hipaa                  = "true"
     nist_800_171_rev_2     = "true"
     nist_800_53_rev_4      = "true"