diff --git a/README.md b/README.md
index aa222263..9fb31b62 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
# AWS Compliance Mod for Steampipe
-475+ checks covering industry defined security best practices across all AWS regions. Includes full support for multiple best practice benchmarks including PCI DSS, AWS Foundational Security, CISA Cyber Essentials, FedRAMP, FFIEC, GxP 21 CFR Part 11, HIPAA, NIST 800-53, NIST CSF, Reserve Bank of India, Audit Manager Control Tower **and the latest (v1.4.0) CIS benchmarks**.
+475+ checks covering industry defined security best practices across all AWS regions. Includes full support for multiple best practice benchmarks including PCI DSS, AWS Foundational Security, CISA Cyber Essentials, FedRAMP, FFIEC, GxP 21 CFR Part 11, GxP EU Annex 11, HIPAA, NIST 800-53, NIST CSF, Reserve Bank of India, Audit Manager Control Tower **and the latest (v1.4.0) CIS benchmarks**.
Run checks in a dashboard:
@@ -18,6 +18,7 @@ Includes support for:
* [Federal Financial Institutions Examination Council (FFIEC)](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.ffiec)
* [General Data Protection Regulation (GDPR)](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.gdpr)
* [GxP 21 CFR Part 11](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.gxp_21_cfr_part_11)
+* [GxP EU Annex 11](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.gxp_eu_annex_11)
* [HIPAA](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.hipaa)
* [NIST 800-53 Revision 4](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.nist_800_53_rev_4)
* [NIST 800-53 Revision 5](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.nist_800_53_rev_5)
diff --git a/conformance_pack/apigateway.sp b/conformance_pack/apigateway.sp
index 5046640d..431f29b0 100644
--- a/conformance_pack/apigateway.sp
+++ b/conformance_pack/apigateway.sp
@@ -14,6 +14,7 @@ control "apigateway_stage_cache_encryption_at_rest_enabled" {
fedramp_moderate_rev_4 = "true"
gdpr = "true"
gxp_21_cfr_part_11 = "true"
+ gxp_eu_annex_11 = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
diff --git a/conformance_pack/backup.sp b/conformance_pack/backup.sp
index 72a95b50..4f0cd452 100644
--- a/conformance_pack/backup.sp
+++ b/conformance_pack/backup.sp
@@ -12,6 +12,7 @@ control "backup_recovery_point_manual_deletion_disabled" {
tags = merge(local.conformance_pack_backup_common_tags, {
cisa_cyber_essentials = "true"
ffiec = "true"
+ gxp_eu_annex_11 = "true"
hipaa = "true"
nist_800_171_rev_2 = "true"
nist_csf = "true"
@@ -29,6 +30,7 @@ control "backup_plan_min_retention_35_days" {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
ffiec = "true"
+ gxp_eu_annex_11 = "true"
hipaa = "true"
nist_800_171_rev_2 = "true"
nist_csf = "true"
@@ -44,6 +46,7 @@ control "backup_recovery_point_encryption_enabled" {
tags = merge(local.conformance_pack_backup_common_tags, {
cisa_cyber_essentials = "true"
ffiec = "true"
+ gxp_eu_annex_11 = "true"
hipaa = "true"
nist_800_171_rev_2 = "true"
nist_csf = "true"
@@ -59,6 +62,7 @@ control "backup_recovery_point_min_retention_35_days" {
tags = merge(local.conformance_pack_backup_common_tags, {
cisa_cyber_essentials = "true"
ffiec = "true"
+ gxp_eu_annex_11 = "true"
nist_800_171_rev_2 = "true"
})
}
diff --git a/conformance_pack/cloudtrail.sp b/conformance_pack/cloudtrail.sp
index fb7d2bf5..4c4cad7c 100644
--- a/conformance_pack/cloudtrail.sp
+++ b/conformance_pack/cloudtrail.sp
@@ -38,6 +38,7 @@ control "cloudtrail_s3_data_events_enabled" {
ffiec = "true"
gdpr = "true"
gxp_21_cfr_part_11 = "true"
+ gxp_eu_annex_11 = "true"
hipaa = "true"
nist_800_171_rev_2 = "true"
nist_800_53_rev_4 = "true"
@@ -59,6 +60,7 @@ control "cloudtrail_trail_logs_encrypted_with_kms_cmk" {
fedramp_moderate_rev_4 = "true"
gdpr = "true"
gxp_21_cfr_part_11 = "true"
+ gxp_eu_annex_11 = "true"
hipaa = "true"
nist_800_171_rev_2 = "true"
nist_800_53_rev_4 = "true"
@@ -119,6 +121,7 @@ control "cloudtrail_trail_enabled" {
fedramp_moderate_rev_4 = "true"
ffiec = "true"
gxp_21_cfr_part_11 = "true"
+ gxp_eu_annex_11 = "true"
hipaa = "true"
nist_800_171_rev_2 = "true"
nist_800_53_rev_4 = "true"
diff --git a/conformance_pack/cloudwatch.sp b/conformance_pack/cloudwatch.sp
index d77491ea..5c13379f 100644
--- a/conformance_pack/cloudwatch.sp
+++ b/conformance_pack/cloudwatch.sp
@@ -33,6 +33,7 @@ control "log_group_encryption_at_rest_enabled" {
fedramp_moderate_rev_4 = "true"
gdpr = "true"
gxp_21_cfr_part_11 = "true"
+ gxp_eu_annex_11 = "true"
hipaa = "true"
nist_800_171_rev_2 = "true"
nist_800_53_rev_4 = "true"
diff --git a/conformance_pack/config.sp b/conformance_pack/config.sp
index 39804a4e..35662f8d 100644
--- a/conformance_pack/config.sp
+++ b/conformance_pack/config.sp
@@ -10,9 +10,10 @@ control "config_enabled_all_regions" {
sql = query.config_enabled_all_regions.sql
tags = merge(local.conformance_pack_config_common_tags, {
- gdpr = "true"
- hipaa = "true"
- nist_csf = "true"
- soc_2 = "true"
+ gdpr = "true"
+ gxp_eu_annex_11 = "true"
+ hipaa = "true"
+ nist_csf = "true"
+ soc_2 = "true"
})
}
diff --git a/conformance_pack/dax.sp b/conformance_pack/dax.sp
index 975b721d..5621bb47 100644
--- a/conformance_pack/dax.sp
+++ b/conformance_pack/dax.sp
@@ -10,7 +10,8 @@ control "dax_cluster_encryption_at_rest_enabled" {
sql = query.dax_cluster_encryption_at_rest_enabled.sql
tags = merge(local.conformance_pack_dax_common_tags, {
- gdpr = "true"
- hipaa = "true"
+ gdpr = "true"
+ gxp_eu_annex_11 = "true"
+ hipaa = "true"
})
}
\ No newline at end of file
diff --git a/conformance_pack/dynamodb.sp b/conformance_pack/dynamodb.sp
index 5ef3fa55..5ef9e4c9 100644
--- a/conformance_pack/dynamodb.sp
+++ b/conformance_pack/dynamodb.sp
@@ -34,6 +34,7 @@ control "dynamodb_table_point_in_time_recovery_enabled" {
fedramp_moderate_rev_4 = "true"
ffiec = "true"
gxp_21_cfr_part_11 = "true"
+ gxp_eu_annex_11 = "true"
hipaa = "true"
nist_800_171_rev_2 = "true"
nist_800_53_rev_4 = "true"
@@ -53,6 +54,7 @@ control "dynamodb_table_encrypted_with_kms" {
cisa_cyber_essentials = "true"
gdpr = "true"
gxp_21_cfr_part_11 = "true"
+ gxp_eu_annex_11 = "true"
hipaa = "true"
nist_800_171_rev_2 = "true"
nist_800_53_rev_4 = "true"
@@ -70,6 +72,7 @@ control "dynamodb_table_in_backup_plan" {
cisa_cyber_essentials = "true"
ffiec = "true"
gxp_21_cfr_part_11 = "true"
+ gxp_eu_annex_11 = "true"
hipaa = "true"
nist_800_171_rev_2 = "true"
nist_800_53_rev_4 = "true"
@@ -86,8 +89,9 @@ control "dynamodb_table_encryption_enabled" {
sql = query.dynamodb_table_encryption_enabled.sql
tags = merge(local.conformance_pack_dynamodb_common_tags, {
- gdpr = "true"
- hipaa = "true"
+ gdpr = "true"
+ gxp_eu_annex_11 = "true"
+ hipaa = "true"
})
}
@@ -100,6 +104,7 @@ control "dynamodb_table_protected_by_backup_plan" {
cisa_cyber_essentials = "true"
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
+ gxp_eu_annex_11 = "true"
hipaa = "true"
nist_800_171_rev_2 = "true"
nist_csf = "true"
diff --git a/conformance_pack/ebs.sp b/conformance_pack/ebs.sp
index b3b2d9d0..5eb02150 100644
--- a/conformance_pack/ebs.sp
+++ b/conformance_pack/ebs.sp
@@ -32,6 +32,7 @@ control "ebs_volume_encryption_at_rest_enabled" {
tags = merge(local.conformance_pack_ebs_common_tags, {
fedramp_moderate_rev_4 = "true"
gdpr = "true"
+ gxp_eu_annex_11 = "true"
hipaa = "true"
nist_800_171_rev_2 = "true"
nist_800_53_rev_5 = "true"
@@ -69,6 +70,7 @@ control "ebs_volume_in_backup_plan" {
cisa_cyber_essentials = "true"
ffiec = "true"
gxp_21_cfr_part_11 = "true"
+ gxp_eu_annex_11 = "true"
hipaa = "true"
nist_800_171_rev_2 = "true"
nist_800_53_rev_4 = "true"
@@ -103,6 +105,7 @@ control "ebs_volume_protected_by_backup_plan" {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
ffiec = "true"
+ gxp_eu_annex_11 = "true"
hipaa = "true"
nist_800_171_rev_2 = "true"
nist_csf = "true"
diff --git a/conformance_pack/ec2.sp b/conformance_pack/ec2.sp
index d5fc04f0..14f8dd27 100644
--- a/conformance_pack/ec2.sp
+++ b/conformance_pack/ec2.sp
@@ -13,6 +13,7 @@ control "ec2_ebs_default_encryption_enabled" {
cisa_cyber_essentials = "true"
ffiec = "true"
gxp_21_cfr_part_11 = "true"
+ gxp_eu_annex_11 = "true"
hipaa = "true"
nist_800_171_rev_2 = "true"
nist_800_53_rev_5 = "true"
@@ -104,6 +105,7 @@ control "ec2_instance_ebs_optimized" {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
gxp_21_cfr_part_11 = "true"
+ gxp_eu_annex_11 = "true"
hipaa = "true"
nist_800_171_rev_2 = "true"
nist_800_53_rev_5 = "true"
@@ -136,6 +138,7 @@ control "ec2_instance_protected_by_backup_plan" {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
ffiec = "true"
+ gxp_eu_annex_11 = "true"
hipaa = "true"
nist_800_171_rev_2 = "true"
nist_csf = "true"
diff --git a/conformance_pack/efs.sp b/conformance_pack/efs.sp
index c4f1b3c3..e71ef920 100644
--- a/conformance_pack/efs.sp
+++ b/conformance_pack/efs.sp
@@ -13,6 +13,7 @@ control "efs_file_system_encrypt_data_at_rest" {
ffiec = "true"
gdpr = "true"
gxp_21_cfr_part_11 = "true"
+ gxp_eu_annex_11 = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
@@ -30,6 +31,7 @@ control "efs_file_system_in_backup_plan" {
tags = merge(local.conformance_pack_efs_common_tags, {
ffiec = "true"
gxp_21_cfr_part_11 = "true"
+ gxp_eu_annex_11 = "true"
hipaa = "true"
nist_800_171_rev_2 = "true"
nist_800_53_rev_4 = "true"
@@ -49,6 +51,7 @@ control "efs_file_system_protected_by_backup_plan" {
cisa_cyber_essentials = "true"
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
+ gxp_eu_annex_11 = "true"
hipaa = "true"
nist_800_171_rev_2 = "true"
nist_csf = "true"
diff --git a/conformance_pack/eks.sp b/conformance_pack/eks.sp
index f20d4fbc..1694e014 100644
--- a/conformance_pack/eks.sp
+++ b/conformance_pack/eks.sp
@@ -10,7 +10,8 @@ control "eks_cluster_secrets_encrypted" {
sql = query.eks_cluster_secrets_encrypted.sql
tags = merge(local.conformance_pack_eks_common_tags, {
- hipaa = "true"
+ gxp_eu_annex_11 = "true"
+ hipaa = "true"
})
}
diff --git a/conformance_pack/elasticache.sp b/conformance_pack/elasticache.sp
index c6ede1a5..45c9e573 100644
--- a/conformance_pack/elasticache.sp
+++ b/conformance_pack/elasticache.sp
@@ -15,6 +15,7 @@ control "elasticache_redis_cluster_automatic_backup_retention_15_days" {
fedramp_moderate_rev_4 = "true"
ffiec = "true"
gxp_21_cfr_part_11 = "true"
+ gxp_eu_annex_11 = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
diff --git a/conformance_pack/elb.sp b/conformance_pack/elb.sp
index cfa48347..44bab9c9 100644
--- a/conformance_pack/elb.sp
+++ b/conformance_pack/elb.sp
@@ -150,6 +150,7 @@ control "elb_classic_lb_cross_zone_load_balancing_enabled" {
fedramp_moderate_rev_4 = "true"
ffiec = "true"
gxp_21_cfr_part_11 = "true"
+ gxp_eu_annex_11 = "true"
nist_800_171_rev_2 = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
diff --git a/conformance_pack/es.sp b/conformance_pack/es.sp
index 6a555260..dc3d6b48 100644
--- a/conformance_pack/es.sp
+++ b/conformance_pack/es.sp
@@ -15,6 +15,7 @@ control "es_domain_encryption_at_rest_enabled" {
ffiec = "true"
gdpr = "true"
gxp_21_cfr_part_11 = "true"
+ gxp_eu_annex_11 = "true"
hipaa = "true"
nist_800_171_rev_2 = "true"
nist_800_53_rev_4 = "true"
diff --git a/conformance_pack/fsx.sp b/conformance_pack/fsx.sp
index 5ba1d1ed..858613c0 100644
--- a/conformance_pack/fsx.sp
+++ b/conformance_pack/fsx.sp
@@ -13,6 +13,7 @@ control "fsx_file_system_protected_by_backup_plan" {
cisa_cyber_essentials = "true"
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
+ gxp_eu_annex_11 = "true"
hipaa = "true"
nist_csf = "true"
soc_2 = "true"
diff --git a/conformance_pack/rds.sp b/conformance_pack/rds.sp
index c6627c58..e0c4f564 100644
--- a/conformance_pack/rds.sp
+++ b/conformance_pack/rds.sp
@@ -15,6 +15,7 @@ control "rds_db_instance_backup_enabled" {
fedramp_moderate_rev_4 = "true"
ffiec = "true"
gxp_21_cfr_part_11 = "true"
+ gxp_eu_annex_11 = "true"
hipaa = "true"
nist_800_171_rev_2 = "true"
nist_800_53_rev_4 = "true"
@@ -36,6 +37,7 @@ control "rds_db_instance_encryption_at_rest_enabled" {
ffiec = "true"
gdpr = "true"
gxp_21_cfr_part_11 = "true"
+ gxp_eu_annex_11 = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
@@ -96,6 +98,7 @@ control "rds_db_snapshot_encrypted_at_rest" {
fedramp_moderate_rev_4 = "true"
gdpr = "true"
gxp_21_cfr_part_11 = "true"
+ gxp_eu_annex_11 = "true"
hipaa = "true"
nist_800_171_rev_2 = "true"
nist_800_53_rev_4 = "true"
@@ -155,6 +158,7 @@ control "rds_db_instance_in_backup_plan" {
ffiec = "true"
gdpr = "true"
gxp_21_cfr_part_11 = "true"
+ gxp_eu_annex_11 = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
@@ -229,6 +233,7 @@ control "rds_db_cluster_aurora_protected_by_backup_plan" {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
ffiec = "true"
+ gxp_eu_annex_11 = "true"
hipaa = "true"
nist_csf = "true"
soc_2 = "true"
@@ -244,6 +249,7 @@ control "rds_db_instance_protected_by_backup_plan" {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
ffiec = "true"
+ gxp_eu_annex_11 = "true"
hipaa = "true"
nist_800_171_rev_2 = "true"
nist_800_53_rev_5 = "true"
diff --git a/conformance_pack/redshift.sp b/conformance_pack/redshift.sp
index a33b27d8..39857620 100644
--- a/conformance_pack/redshift.sp
+++ b/conformance_pack/redshift.sp
@@ -37,6 +37,7 @@ control "redshift_cluster_encryption_logging_enabled" {
ffiec = "true"
gdpr = "true"
gxp_21_cfr_part_11 = "true"
+ gxp_eu_annex_11 = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
@@ -78,6 +79,7 @@ control "redshift_cluster_automatic_snapshots_min_7_days" {
ffiec = "true"
gdpr = "true"
gxp_21_cfr_part_11 = "true"
+ gxp_eu_annex_11 = "true"
hipaa = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
diff --git a/conformance_pack/s3.sp b/conformance_pack/s3.sp
index a72fd7c4..02585770 100644
--- a/conformance_pack/s3.sp
+++ b/conformance_pack/s3.sp
@@ -15,6 +15,7 @@ control "s3_bucket_cross_region_replication_enabled" {
fedramp_moderate_rev_4 = "true"
ffiec = "true"
gxp_21_cfr_part_11 = "true"
+ gxp_eu_annex_11 = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
@@ -35,6 +36,7 @@ control "s3_bucket_default_encryption_enabled" {
fedramp_moderate_rev_4 = "true"
gdpr = "true"
gxp_21_cfr_part_11 = "true"
+ gxp_eu_annex_11 = "true"
hipaa = "true"
nist_800_171_rev_2 = "true"
nist_800_53_rev_4 = "true"
@@ -157,6 +159,7 @@ control "s3_bucket_versioning_enabled" {
fedramp_moderate_rev_4 = "true"
ffiec = "true"
gxp_21_cfr_part_11 = "true"
+ gxp_eu_annex_11 = "true"
hipaa = "true"
nist_800_171_rev_2 = "true"
nist_800_53_rev_4 = "true"
@@ -215,6 +218,7 @@ control "s3_bucket_default_encryption_enabled_kms" {
ffiec = "true"
gdpr = "true"
gxp_21_cfr_part_11 = "true"
+ gxp_eu_annex_11 = "true"
hipaa = "true"
nist_800_171_rev_2 = "true"
nist_800_53_rev_5 = "true"
diff --git a/conformance_pack/sagemaker.sp b/conformance_pack/sagemaker.sp
index 52a1bc05..fd6d1a96 100644
--- a/conformance_pack/sagemaker.sp
+++ b/conformance_pack/sagemaker.sp
@@ -35,6 +35,7 @@ control "sagemaker_notebook_instance_encryption_at_rest_enabled" {
fedramp_moderate_rev_4 = "true"
gdpr = "true"
gxp_21_cfr_part_11 = "true"
+ gxp_eu_annex_11 = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
@@ -54,6 +55,7 @@ control "sagemaker_endpoint_configuration_encryption_at_rest_enabled" {
fedramp_moderate_rev_4 = "true"
gdpr = "true"
gxp_21_cfr_part_11 = "true"
+ gxp_eu_annex_11 = "true"
hipaa = "true"
nist_800_171_rev_2 = "true"
nist_800_53_rev_4 = "true"
diff --git a/conformance_pack/securityhub.sp b/conformance_pack/securityhub.sp
index 4e790569..ea4a4bab 100644
--- a/conformance_pack/securityhub.sp
+++ b/conformance_pack/securityhub.sp
@@ -15,6 +15,7 @@ control "securityhub_enabled" {
fedramp_moderate_rev_4 = "true"
ffiec = "true"
gxp_21_cfr_part_11 = "true"
+ gxp_eu_annex_11 = "true"
hipaa = "true"
nist_800_171_rev_2 = "true"
nist_800_53_rev_4 = "true"
diff --git a/conformance_pack/sns.sp b/conformance_pack/sns.sp
index 83c28c8f..152da2b0 100644
--- a/conformance_pack/sns.sp
+++ b/conformance_pack/sns.sp
@@ -15,6 +15,7 @@ control "sns_topic_encrypted_at_rest" {
fedramp_moderate_rev_4 = "true"
gdpr = "true"
gxp_21_cfr_part_11 = "true"
+ gxp_eu_annex_11 = "true"
hipaa = "true"
nist_800_171_rev_2 = "true"
nist_800_53_rev_4 = "true"
diff --git a/docs/aws_fsbp_dashboard.png b/docs/aws_fsbp_dashboard.png
new file mode 100644
index 00000000..f315e77c
Binary files /dev/null and b/docs/aws_fsbp_dashboard.png differ
diff --git a/docs/index.md b/docs/index.md
index d6065fbb..e40788b7 100644
--- a/docs/index.md
+++ b/docs/index.md
@@ -4,11 +4,12 @@ repository: "https://github.com/turbot/steampipe-mod-aws-compliance"
# AWS Compliance Mod
-Run individual configuration, compliance and security controls or full compliance benchmarks for `Audit Manager Control Tower`, `AWS Foundational Security Best Practices`, `CIS`, `CISA Cyber Essentials`, `FedRAMP`, `FFIEC`, `GDPR`, `GxP 21 CFR Part 11`, `HIPAA`, `NIST 800-53`, `NIST CSF`, `PCI DSS`, `RBI Cyber Security Framework` and `SOC 2` across all your AWS accounts.
+Run individual configuration, compliance and security controls or full compliance benchmarks for `Audit Manager Control Tower`, `AWS Foundational Security Best Practices`, `CIS`, `CISA Cyber Essentials`, `FedRAMP`, `FFIEC`, `GDPR`, `GxP 21 CFR Part 11`, `GxP EU Annex 11`, `HIPAA`, `NIST 800-53`, `NIST CSF`, `PCI DSS`, `RBI Cyber Security Framework` and `SOC 2` across all your AWS accounts.
+
## References
@@ -30,6 +31,8 @@ Run individual configuration, compliance and security controls or full complianc
[GxP 21 CFR Part 11](https://www.ecfr.gov/current/title-21/chapter-I/subchapter-A/part-11?toc=1) includes details for the criteria under which electronic records and signatures are considered trustworthy and equivalent to paper records and ensures the integrity of data used to make product-related safety decisions.
+[GxP EU Annex 11](https://health.ec.europa.eu/system/files/2016-11/annex11_01-2011_en_0.pdf.) includes a prebuilt collection of controls with descriptions and testing procedures where controls are grouped into control sets according to GxP requirements.
+
[HIPAA Compliance](https://aws.amazon.com/compliance/hipaa-compliance/) provides a set of general-purpose security standards for the U.S. Health Insurance Portability and Accountability Act (HIPAA).
[NIST 800-53](https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final) provides minimum baselines of security controls for U.S. federal information systems except those related to national security.
diff --git a/gxp_eu_annex_11/docs/gxp_eu_annex_11_overview.md b/gxp_eu_annex_11/docs/gxp_eu_annex_11_overview.md
new file mode 100644
index 00000000..68d648b7
--- /dev/null
+++ b/gxp_eu_annex_11/docs/gxp_eu_annex_11_overview.md
@@ -0,0 +1,5 @@
+To obtain the latest version of the official guide, please visit https://health.ec.europa.eu/system/files/2016-11/annex11_01-2011_en_0.pdf.
+
+## Overview
+
+EU Annex 11 is the European equivalent to FDA 21 CFR part 11 for the United States. This annex applies to all forms of computerized systems used as part of a GMP regulated activities. A computerized system is a set of software and hardware components which together fulfill certain functionalities. The application should be validated; IT infrastructure should be qualified. Where a computerized system replaces a manual operation, there should be no resultant decrease in product quality, process control or quality assurance. There should be no increase in the overall risk of the process.
diff --git a/gxp_eu_annex_11/general.sp b/gxp_eu_annex_11/general.sp
new file mode 100644
index 00000000..1e1c80ea
--- /dev/null
+++ b/gxp_eu_annex_11/general.sp
@@ -0,0 +1,20 @@
+benchmark "gxp_eu_annex_11_general" {
+ title = "General"
+ description = "This section focuses on more human oriented checks that leverages risk management, personnel verification of process owners, suppliers and service providers agreement reviews, supplier audit and review documentation for COTS."
+ children = [
+ benchmark.gxp_eu_annex_11_general_1
+ ]
+
+ tags = local.gxp_eu_annex_11_common_tags
+}
+
+benchmark "gxp_eu_annex_11_general_1" {
+ title = "1 Risk Management"
+ description = "Risk management should be applied throughout the lifecycle of the computerised system taking into account patient safety, data integrity and product quality. As part of a risk management system, decisions on the extent of validation and data integrity controls should be based on a justified and documented risk assessment of the computerised system."
+ children = [
+ control.cloudtrail_trail_enabled,
+ control.securityhub_enabled
+ ]
+
+ tags = local.gxp_eu_annex_11_common_tags
+}
diff --git a/gxp_eu_annex_11/gxp_eu_annex_11.sp b/gxp_eu_annex_11/gxp_eu_annex_11.sp
new file mode 100644
index 00000000..2953fe55
--- /dev/null
+++ b/gxp_eu_annex_11/gxp_eu_annex_11.sp
@@ -0,0 +1,19 @@
+locals {
+ gxp_eu_annex_11_common_tags = merge(local.aws_compliance_common_tags, {
+ gxp_eu_annex_11 = "true"
+ type = "Benchmark"
+ })
+}
+
+benchmark "gxp_eu_annex_11" {
+ title = "GxP EU Annex 11"
+ description = "EU Annex 11 is the European equivalent to FDA 21 CFR part 11 for the United States. This annex applies to all forms of computerized systems used as part of a GMP regulated activities. A computerized system is a set of software and hardware components which together fulfill certain functionalities. The application should be validated; IT infrastructure should be qualified. Where a computerized system replaces a manual operation, there should be no resultant decrease in product quality, process control or quality assurance. There should be no increase in the overall risk of the process."
+ documentation = file("./gxp_eu_annex_11/docs/gxp_eu_annex_11_overview.md")
+ children = [
+ benchmark.gxp_eu_annex_11_general,
+ benchmark.gxp_eu_annex_11_operational_phase,
+ benchmark.gxp_eu_annex_11_project_phase
+ ]
+
+ tags = local.gxp_eu_annex_11_common_tags
+}
\ No newline at end of file
diff --git a/gxp_eu_annex_11/operational_phase.sp b/gxp_eu_annex_11/operational_phase.sp
new file mode 100644
index 00000000..13f54d2b
--- /dev/null
+++ b/gxp_eu_annex_11/operational_phase.sp
@@ -0,0 +1,221 @@
+benchmark "gxp_eu_annex_11_operational_phase" {
+ title = "Operational Phase"
+ description = "This section focuses on various operational phases of data, such as data accuracy, secure storage, authorized access and backup."
+ children = [
+ benchmark.gxp_eu_annex_11_operational_phase_5,
+ benchmark.gxp_eu_annex_11_operational_phase_7_1,
+ benchmark.gxp_eu_annex_11_operational_phase_7_2,
+ benchmark.gxp_eu_annex_11_operational_phase_8_2,
+ benchmark.gxp_eu_annex_11_operational_phase_9,
+ benchmark.gxp_eu_annex_11_operational_phase_10,
+ benchmark.gxp_eu_annex_11_operational_phase_12_4,
+ benchmark.gxp_eu_annex_11_operational_phase_16,
+ benchmark.gxp_eu_annex_11_operational_phase_17
+ ]
+
+ tags = local.gxp_eu_annex_11_common_tags
+}
+
+benchmark "gxp_eu_annex_11_operational_phase_5" {
+ title = "5 Data"
+ description = "Computerised systems exchanging data electronically with other systems should include appropriate built-in checks for the correct and secure entry and processing of data, in order to minimize the risks."
+ children = [
+ control.backup_plan_min_retention_35_days,
+ control.backup_recovery_point_encryption_enabled,
+ control.backup_recovery_point_manual_deletion_disabled,
+ control.backup_recovery_point_min_retention_35_days,
+ control.dynamodb_table_in_backup_plan,
+ control.dynamodb_table_point_in_time_recovery_enabled,
+ control.dynamodb_table_protected_by_backup_plan,
+ control.ebs_volume_in_backup_plan,
+ control.ebs_volume_protected_by_backup_plan,
+ control.ec2_instance_ebs_optimized,
+ control.ec2_instance_protected_by_backup_plan,
+ control.efs_file_system_in_backup_plan,
+ control.efs_file_system_protected_by_backup_plan,
+ control.elasticache_redis_cluster_automatic_backup_retention_15_days,
+ control.fsx_file_system_protected_by_backup_plan,
+ control.rds_db_cluster_aurora_protected_by_backup_plan,
+ control.rds_db_instance_backup_enabled,
+ control.rds_db_instance_in_backup_plan,
+ control.rds_db_instance_protected_by_backup_plan,
+ control.redshift_cluster_automatic_snapshots_min_7_days,
+ control.s3_bucket_cross_region_replication_enabled,
+ control.s3_bucket_versioning_enabled
+ ]
+
+ tags = local.gxp_eu_annex_11_common_tags
+}
+
+benchmark "gxp_eu_annex_11_operational_phase_7_1" {
+ title = "7.1 Data Storage - Damage Protection"
+ description = "Data should be secured by both physical and electronic means against damage. Stored data should be checked for accessibility, readability and accuracy. Access to data should be ensured throughout the retention period."
+ children = [
+ control.apigateway_stage_cache_encryption_at_rest_enabled,
+ control.cloudtrail_trail_logs_encrypted_with_kms_cmk,
+ control.dax_cluster_encryption_at_rest_enabled,
+ control.dynamodb_table_encrypted_with_kms,
+ control.dynamodb_table_encryption_enabled,
+ control.dynamodb_table_in_backup_plan,
+ control.dynamodb_table_point_in_time_recovery_enabled,
+ control.ebs_volume_encryption_at_rest_enabled,
+ control.ebs_volume_in_backup_plan,
+ control.ec2_ebs_default_encryption_enabled,
+ control.ec2_instance_ebs_optimized,
+ control.efs_file_system_encrypt_data_at_rest,
+ control.efs_file_system_in_backup_plan,
+ control.eks_cluster_secrets_encrypted,
+ control.elasticache_redis_cluster_automatic_backup_retention_15_days,
+ control.es_domain_encryption_at_rest_enabled,
+ control.log_group_encryption_at_rest_enabled,
+ control.rds_db_instance_backup_enabled,
+ control.rds_db_instance_encryption_at_rest_enabled,
+ control.rds_db_instance_in_backup_plan,
+ control.rds_db_snapshot_encrypted_at_rest,
+ control.redshift_cluster_automatic_snapshots_min_7_days,
+ control.redshift_cluster_encryption_logging_enabled,
+ control.s3_bucket_cross_region_replication_enabled,
+ control.s3_bucket_default_encryption_enabled_kms,
+ control.s3_bucket_default_encryption_enabled,
+ control.s3_bucket_versioning_enabled,
+ control.sagemaker_endpoint_configuration_encryption_at_rest_enabled,
+ control.sagemaker_notebook_instance_encryption_at_rest_enabled,
+ control.sns_topic_encrypted_at_rest
+ ]
+
+ tags = local.gxp_eu_annex_11_common_tags
+}
+
+benchmark "gxp_eu_annex_11_operational_phase_7_2" {
+ title = "7.2 Data Storage - Backups"
+ description = "Regular back-ups of all relevant data should be done. Integrity and accuracy of backup data and the ability to restore the data should be checked during validation and monitored periodically."
+ children = [
+ control.rds_db_instance_backup_enabled,
+ control.backup_plan_min_retention_35_days,
+ control.backup_recovery_point_encryption_enabled,
+ control.backup_recovery_point_manual_deletion_disabled,
+ control.backup_recovery_point_min_retention_35_days,
+ control.dynamodb_table_in_backup_plan,
+ control.dynamodb_table_point_in_time_recovery_enabled,
+ control.dynamodb_table_protected_by_backup_plan,
+ control.ebs_volume_in_backup_plan,
+ control.ebs_volume_protected_by_backup_plan,
+ control.ec2_instance_ebs_optimized,
+ control.ec2_instance_protected_by_backup_plan,
+ control.efs_file_system_in_backup_plan,
+ control.efs_file_system_protected_by_backup_plan,
+ control.elasticache_redis_cluster_automatic_backup_retention_15_days,
+ control.fsx_file_system_protected_by_backup_plan,
+ control.rds_db_cluster_aurora_protected_by_backup_plan,
+ control.rds_db_instance_in_backup_plan,
+ control.rds_db_instance_protected_by_backup_plan,
+ control.redshift_cluster_automatic_snapshots_min_7_days,
+ control.s3_bucket_cross_region_replication_enabled,
+ control.s3_bucket_versioning_enabled
+ ]
+
+ tags = local.gxp_eu_annex_11_common_tags
+}
+
+benchmark "gxp_eu_annex_11_operational_phase_8_2" {
+ title = "8.2 Printouts - Data Changes"
+ description = "For records supporting batch release it should be possible to generate printouts indicating if any of the data has been changed since the original entry."
+ children = [
+ control.cloudtrail_s3_data_events_enabled
+ ]
+
+ tags = local.gxp_eu_annex_11_common_tags
+}
+
+benchmark "gxp_eu_annex_11_operational_phase_9" {
+ title = "9 Audit Trails"
+ description = "Consideration should be given, based on a risk assessment, to building into the system the creation of a record of all GMP-relevant changes and deletions (a system generated 'audit trail'). For change or deletion of GMP-relevant data the reason should be documented. Audit trails need to be available and convertible to a generally intelligible form and regularly reviewed."
+ children = [
+ control.cloudtrail_s3_data_events_enabled
+ ]
+
+ tags = local.gxp_eu_annex_11_common_tags
+}
+
+benchmark "gxp_eu_annex_11_operational_phase_10" {
+ title = "10 Change and Configuration Management"
+ description = "Any changes to a computerised system including system configurations should only be made in a controlled manner in accordance with a defined procedure."
+ children = [
+ control.config_enabled_all_regions
+ ]
+
+ tags = local.gxp_eu_annex_11_common_tags
+}
+
+benchmark "gxp_eu_annex_11_operational_phase_12_4" {
+ title = "12.4 Security - Audit Trail"
+ description = "Management systems for data and for documents should be designed to record the identity of operators entering, changing, confirming or deleting data including date and time."
+ children = [
+ control.cloudtrail_s3_data_events_enabled
+ ]
+
+ tags = local.gxp_eu_annex_11_common_tags
+}
+
+benchmark "gxp_eu_annex_11_operational_phase_16" {
+ title = "16 Business Continuity"
+ description = "For the availability of computerised systems supporting critical processes, provisions should be made to ensure continuity of support for those processes in the event of a system breakdown (e.g. a manual or alternative system). The time required to bring the alternative arrangements into use should be based on risk and appropriate for a particular system and the business process it supports. These arrangements should be adequately documented and tested."
+ children = [
+ control.backup_plan_min_retention_35_days,
+ control.backup_recovery_point_encryption_enabled,
+ control.backup_recovery_point_manual_deletion_disabled,
+ control.backup_recovery_point_min_retention_35_days,
+ control.dynamodb_table_in_backup_plan,
+ control.dynamodb_table_point_in_time_recovery_enabled,
+ control.dynamodb_table_protected_by_backup_plan,
+ control.ebs_volume_in_backup_plan,
+ control.ebs_volume_protected_by_backup_plan,
+ control.ec2_instance_ebs_optimized,
+ control.ec2_instance_protected_by_backup_plan,
+ control.efs_file_system_in_backup_plan,
+ control.efs_file_system_protected_by_backup_plan,
+ control.elasticache_redis_cluster_automatic_backup_retention_15_days,
+ control.elb_classic_lb_cross_zone_load_balancing_enabled,
+ control.fsx_file_system_protected_by_backup_plan,
+ control.rds_db_cluster_aurora_protected_by_backup_plan,
+ control.rds_db_instance_backup_enabled,
+ control.rds_db_instance_in_backup_plan,
+ control.rds_db_instance_protected_by_backup_plan,
+ control.redshift_cluster_automatic_snapshots_min_7_days,
+ control.s3_bucket_cross_region_replication_enabled,
+ control.s3_bucket_versioning_enabled
+ ]
+
+ tags = local.gxp_eu_annex_11_common_tags
+}
+
+benchmark "gxp_eu_annex_11_operational_phase_17" {
+ title = "17 Archiving"
+ description = "Data may be archived. This data should be checked for accessibility, readability and integrity. If relevant changes are to be made to the system (e.g. computer equipment or programs), then the ability to retrieve the data should be ensured and tested."
+ children = [
+ control.backup_plan_min_retention_35_days,
+ control.backup_recovery_point_encryption_enabled,
+ control.backup_recovery_point_manual_deletion_disabled,
+ control.backup_recovery_point_min_retention_35_days,
+ control.dynamodb_table_in_backup_plan,
+ control.dynamodb_table_point_in_time_recovery_enabled,
+ control.dynamodb_table_protected_by_backup_plan,
+ control.ebs_volume_in_backup_plan,
+ control.ebs_volume_protected_by_backup_plan,
+ control.ec2_instance_ebs_optimized,
+ control.ec2_instance_protected_by_backup_plan,
+ control.efs_file_system_in_backup_plan,
+ control.efs_file_system_protected_by_backup_plan,
+ control.elasticache_redis_cluster_automatic_backup_retention_15_days,
+ control.fsx_file_system_protected_by_backup_plan,
+ control.rds_db_cluster_aurora_protected_by_backup_plan,
+ control.rds_db_instance_backup_enabled,
+ control.rds_db_instance_in_backup_plan,
+ control.rds_db_instance_protected_by_backup_plan,
+ control.redshift_cluster_automatic_snapshots_min_7_days,
+ control.s3_bucket_cross_region_replication_enabled,
+ control.s3_bucket_versioning_enabled
+ ]
+
+ tags = local.gxp_eu_annex_11_common_tags
+}
\ No newline at end of file
diff --git a/gxp_eu_annex_11/project_phase.sp b/gxp_eu_annex_11/project_phase.sp
new file mode 100644
index 00000000..37b74065
--- /dev/null
+++ b/gxp_eu_annex_11/project_phase.sp
@@ -0,0 +1,73 @@
+benchmark "gxp_eu_annex_11_project_phase" {
+ title = "Project Phase"
+ description = "This section focuses combination of both human-oriented and automated process that leverages documentation validation and reports for good manufacturing practice (GMP) life cycle process, change control and deviations, systems inventory, user requirement specifications, quality management system, procedure for customized systems, evidence of appropriate test methods and data transfer validation (automated)."
+ children = [
+ benchmark.gxp_eu_annex_11_project_phase_4_2,
+ benchmark.gxp_eu_annex_11_project_phase_4_5,
+ benchmark.gxp_eu_annex_11_project_phase_4_6,
+ benchmark.gxp_eu_annex_11_project_phase_4_8,
+ ]
+
+ tags = local.gxp_eu_annex_11_common_tags
+}
+
+benchmark "gxp_eu_annex_11_project_phase_4_2" {
+ title = "4.2 Validation - Documentation Change Control"
+ description = "Validation documentation should include change control records (if applicable) and reports on any deviations observed during the validation process."
+ children = [
+ control.cloudtrail_trail_enabled
+ ]
+
+ tags = local.gxp_eu_annex_11_common_tags
+}
+
+benchmark "gxp_eu_annex_11_project_phase_4_5" {
+ title = "4.5 Validation - Development Quality"
+ description = "The regulated user should take all reasonable steps, to ensure that the system has been developed in accordance with an appropriate quality management system. The supplier should be assessed appropriately."
+ children = [
+ control.config_enabled_all_regions
+ ]
+
+ tags = local.gxp_eu_annex_11_common_tags
+}
+
+benchmark "gxp_eu_annex_11_project_phase_4_6" {
+ title = "4.6 Validation - Quality and Performance"
+ description = "For the validation of bespoke or customised computerised systems there should be a process in place that ensures the formal assessment and reporting of quality and performance measures for all the life-cycle stages of the system."
+ children = [
+ control.config_enabled_all_regions
+ ]
+
+ tags = local.gxp_eu_annex_11_common_tags
+}
+
+benchmark "gxp_eu_annex_11_project_phase_4_8" {
+ title = "4.8 Validation - Data Transfer"
+ description = "If data are transferred to another data format or system, validation should include checks that data are not altered in value and/or meaning during this migration process."
+ children = [
+ control.backup_plan_min_retention_35_days,
+ control.backup_recovery_point_encryption_enabled,
+ control.backup_recovery_point_manual_deletion_disabled,
+ control.backup_recovery_point_min_retention_35_days,
+ control.dynamodb_table_in_backup_plan,
+ control.dynamodb_table_point_in_time_recovery_enabled,
+ control.dynamodb_table_protected_by_backup_plan,
+ control.ebs_volume_in_backup_plan,
+ control.ebs_volume_protected_by_backup_plan,
+ control.ec2_instance_ebs_optimized,
+ control.ec2_instance_protected_by_backup_plan,
+ control.efs_file_system_in_backup_plan,
+ control.efs_file_system_protected_by_backup_plan,
+ control.elasticache_redis_cluster_automatic_backup_retention_15_days,
+ control.fsx_file_system_protected_by_backup_plan,
+ control.rds_db_cluster_aurora_protected_by_backup_plan,
+ control.rds_db_instance_backup_enabled,
+ control.rds_db_instance_in_backup_plan,
+ control.rds_db_instance_protected_by_backup_plan,
+ control.redshift_cluster_automatic_snapshots_min_7_days,
+ control.s3_bucket_cross_region_replication_enabled,
+ control.s3_bucket_versioning_enabled
+ ]
+
+ tags = local.gxp_eu_annex_11_common_tags
+}
diff --git a/mod.sp b/mod.sp
index 69a92a21..49b940cc 100644
--- a/mod.sp
+++ b/mod.sp
@@ -10,7 +10,7 @@ locals {
mod "aws_compliance" {
# hub metadata
title = "AWS Compliance"
- description = "Run individual configuration, compliance and security controls or full compliance benchmarks for CIS, FFIEC, PCI, NIST, HIPAA, RBI CSF, GDPR, SOC 2, Audit Manager Control Tower and AWS Foundational Security Best Practices controls across all your AWS accounts using Steampipe."
+ description = "Run individual configuration, compliance and security controls or full compliance benchmarks for CIS, FFIEC, PCI, NIST, HIPAA, RBI CSF, GDPR, SOC 2, Audit Manager Control Tower, FedRAMP, GxP and AWS Foundational Security Best Practices controls across all your AWS accounts using Steampipe."
color = "#FF9900"
documentation = file("./docs/index.md")
icon = "/images/mods/turbot/aws-compliance.svg"
@@ -18,7 +18,7 @@ mod "aws_compliance" {
opengraph {
title = "Steampipe Mod for AWS Compliance"
- description = "Run individual configuration, compliance and security controls or full compliance benchmarks for CIS, PCI, NIST, HIPAA, RBI CSF, GDPR, SOC 2, Audit Manager Control Tower and AWS Foundational Security Best Practices controls across all your AWS accounts using Steampipe."
+ description = "Run individual configuration, compliance and security controls or full compliance benchmarks for CIS, FFIEC, PCI, NIST, HIPAA, RBI CSF, GDPR, SOC 2, Audit Manager Control Tower, FedRAMP, GxP and AWS Foundational Security Best Practices controls across all your AWS accounts using Steampipe."
image = "/images/mods/turbot/aws-compliance-social-graphic.png"
}