diff --git a/README.md b/README.md
index 63f8b926..c3a9baac 100644
--- a/README.md
+++ b/README.md
@@ -15,8 +15,9 @@ Includes support for:
 * [FedRAMP Low Revision 4](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.fedramp_low_rev_4)
 * [FedRAMP Moderate Revision 4](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.fedramp_moderate_rev_4)
 * [HIPAA](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.hipaa)
-* [General Data Protection Regulation (GDPR)](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.gdpr) 🚀 New!
+* [General Data Protection Regulation (GDPR)](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.gdpr)
 * [NIST 800-53 Revision 4](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.nist_800_53_rev_4)
+* [NIST 800-53 Revision 5](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.nist_800_53_rev_5) 🚀 New!
 * [NIST Cybersecurity Framework (CSF)](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.nist_csf)
 * [PCI DSS v3.2.1](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.pci_v321)
 * [AWS Foundational Security Best Practices](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.foundational_security)
diff --git a/conformance_pack/acm.sp b/conformance_pack/acm.sp
index a4f9172f..dca806c2 100644
--- a/conformance_pack/acm.sp
+++ b/conformance_pack/acm.sp
@@ -15,6 +15,7 @@ control "acm_certificate_expires_30_days" {
 gdpr = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 soc_2 = "true"
diff --git a/conformance_pack/apigateway.sp b/conformance_pack/apigateway.sp
index f398f3be..ebcc16c6 100644
--- a/conformance_pack/apigateway.sp
+++ b/conformance_pack/apigateway.sp
@@ -14,6 +14,7 @@ control "apigateway_stage_cache_encryption_at_rest_enabled" {
 gdpr = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 })
@@ -29,6 +30,7 @@ control "apigateway_stage_logging_enabled" {
 fedramp_moderate_rev_4 = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 soc_2 = "true"
@@ -42,6 +44,7 @@ control "apigateway_rest_api_stage_use_ssl_certificate" {
 
 tags = merge(local.conformance_pack_apigateway_common_tags, {
 fedramp_moderate_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 rbi_cyber_security = "true"
 })
 }
@@ -54,6 +57,7 @@ control "apigateway_stage_use_waf_web_acl" {
 tags = merge(local.conformance_pack_apigateway_common_tags, {
 fedramp_low_rev_4 = "true"
 fedramp_moderate_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 rbi_cyber_security = "true"
 })
 }
\ No newline at end of file
diff --git a/conformance_pack/autoscaling.sp b/conformance_pack/autoscaling.sp
index af6292f4..d56ba1ec 100644
--- a/conformance_pack/autoscaling.sp
+++ b/conformance_pack/autoscaling.sp
@@ -14,6 +14,7 @@ control "autoscaling_group_with_lb_use_health_check" {
 fedramp_moderate_rev_4 = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 })
 }
@@ -26,6 +27,7 @@ control "autoscaling_launch_config_public_ip_disabled" {
 tags = merge(local.conformance_pack_autoscaling_common_tags, {
 fedramp_low_rev_4 = "true"
 fedramp_moderate_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 rbi_cyber_security = "true"
 })
 }
\ No newline at end of file
diff --git a/conformance_pack/cloudtrail.sp b/conformance_pack/cloudtrail.sp
index 9e746165..d37c835e 100644
--- a/conformance_pack/cloudtrail.sp
+++ b/conformance_pack/cloudtrail.sp
@@ -15,6 +15,7 @@ control "cloudtrail_trail_integrated_with_logs" {
 gdpr = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 soc_2 = "true"
@@ -32,6 +33,7 @@ control "cloudtrail_s3_data_events_enabled" {
 gdpr = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 soc_2 = "true"
@@ -49,6 +51,7 @@ control "cloudtrail_trail_logs_encrypted_with_kms_cmk" {
 gdpr = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 })
@@ -64,6 +67,7 @@ control "cloudtrail_multi_region_trail_enabled" {
 fedramp_moderate_rev_4 = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 soc_2 = "true"
@@ -81,6 +85,7 @@ control "cloudtrail_trail_validation_enabled" {
 gdpr = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 soc_2 = "true"
 })
 }
@@ -95,6 +100,7 @@ control "cloudtrail_trail_enabled" {
 fedramp_moderate_rev_4 = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 soc_2 = "true"
diff --git a/conformance_pack/cloudwatch.sp b/conformance_pack/cloudwatch.sp
index a0534869..31bb1d1e 100644
--- a/conformance_pack/cloudwatch.sp
+++ b/conformance_pack/cloudwatch.sp
@@ -14,6 +14,7 @@ control "cloudwatch_alarm_action_enabled" {
 fedramp_moderate_rev_4 = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 soc_2 = "true"
 })
@@ -30,6 +31,7 @@ control "log_group_encryption_at_rest_enabled" {
 gdpr = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 soc_2 = "true"
@@ -46,6 +48,7 @@ control "cloudwatch_log_group_retention_period_365" {
 fedramp_moderate_rev_4 = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 rbi_cyber_security = "true"
 soc_2 = "true"
 })
diff --git a/conformance_pack/dms.sp b/conformance_pack/dms.sp
index cbea7b34..a9e650a6 100644
--- a/conformance_pack/dms.sp
+++ b/conformance_pack/dms.sp
@@ -14,6 +14,7 @@ control "dms_replication_instance_not_publicly_accessible" {
 fedramp_moderate_rev_4 = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 })
diff --git a/conformance_pack/dynamodb.sp b/conformance_pack/dynamodb.sp
index 188843cf..b0fc814b 100644
--- a/conformance_pack/dynamodb.sp
+++ b/conformance_pack/dynamodb.sp
@@ -14,6 +14,7 @@ control "dynamodb_table_auto_scaling_enabled" {
 fedramp_moderate_rev_4 = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 })
 }
@@ -28,6 +29,7 @@ control "dynamodb_table_point_in_time_recovery_enabled" {
 fedramp_moderate_rev_4 = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 soc_2 = "true"
@@ -43,6 +45,7 @@ control "dynamodb_table_encrypted_with_kms_cmk" {
 gdpr = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 rbi_cyber_security = "true"
 })
 }
@@ -55,6 +58,7 @@ control "dynamodb_table_in_backup_plan" {
 tags = merge(local.conformance_pack_dynamodb_common_tags, {
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 soc_2 = "true"
diff --git a/conformance_pack/ebs.sp b/conformance_pack/ebs.sp
index 95724d48..9ccf4d06 100644
--- a/conformance_pack/ebs.sp
+++ b/conformance_pack/ebs.sp
@@ -14,6 +14,7 @@ control "ebs_snapshot_not_publicly_restorable" {
 fedramp_moderate_rev_4 = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 })
@@ -26,7 +27,9 @@ control "ebs_volume_encryption_at_rest_enabled" {
 
 tags = merge(local.conformance_pack_ebs_common_tags, {
 fedramp_moderate_rev_4 = "true"
+ gdpr = "true"
 hipaa = "true"
+ nist_800_53_rev_5 = "true"
 rbi_cyber_security = "true"
 })
 }
@@ -42,6 +45,7 @@ control "ebs_attached_volume_encryption_enabled" {
 hipaa = "true"
 gdpr = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 })
@@ -55,6 +59,7 @@ control "ebs_volume_in_backup_plan" {
 tags = merge(local.conformance_pack_ebs_common_tags, {
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 soc_2 = "true"
@@ -97,5 +102,6 @@ control "ebs_volume_unsued" {
 tags = merge(local.conformance_pack_ebs_common_tags, {
 fedramp_low_rev_4 = "true"
 fedramp_moderate_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 })
 }
diff --git a/conformance_pack/ec2.sp b/conformance_pack/ec2.sp
index 37d22b90..5b08d93f 100644
--- a/conformance_pack/ec2.sp
+++ b/conformance_pack/ec2.sp
@@ -10,7 +10,8 @@ control "ec2_ebs_default_encryption_enabled" {
 sql = query.ec2_ebs_default_encryption_enabled.sql
 
 tags = merge(local.conformance_pack_ec2_common_tags, {
- hipaa = "true"
+ hipaa = "true"
+ nist_800_53_rev_5 = "true"
 })
 }
 
@@ -38,6 +39,7 @@ control "ec2_instance_in_vpc" {
 fedramp_moderate_rev_4 = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 })
@@ -53,6 +55,7 @@ control "ec2_instance_not_publicly_accessible" {
 fedramp_moderate_rev_4 = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 soc_2 = "true"
@@ -69,6 +72,7 @@ control "ec2_stopped_instance_30_days" {
 fedramp_moderate_rev_4 = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 })
 }
 
@@ -83,6 +87,7 @@ control "ec2_instance_ebs_optimized" {
 fedramp_moderate_rev_4 = "true"
 hipaa = "true"
 nist_csf = "true"
+ nist_800_53_rev_5 = "true"
 soc_2 = "true"
 })
 }
@@ -96,6 +101,7 @@ control "ec2_instance_uses_imdsv2" {
 fedramp_low_rev_4 = "true"
 fedramp_moderate_rev_4 = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 })
 }
 
@@ -112,3 +118,13 @@ control "ec2_instance_protected_by_backup_plan" {
 soc_2 = "true"
 })
 }
+
+control "ec2_instance_iam_profile_attached" {
+ title = "EC2 instances should have IAM profile attached"
+ description = "Ensure if an Amazon Elastic Compute Cloud (Amazon EC2) instance has an Identity and Access Management (IAM) profile attached to it. This rule is non compliant if no IAM profile is attached to the Amazon EC2 instance."
+ sql = query.ec2_instance_iam_profile_attached.sql
+
+ tags = merge(local.conformance_pack_ec2_common_tags, {
+ nist_800_53_rev_5 = "true"
+ })
+}
diff --git a/conformance_pack/ecs.sp b/conformance_pack/ecs.sp
index 91bd448f..0a6e9707 100644
--- a/conformance_pack/ecs.sp
+++ b/conformance_pack/ecs.sp
@@ -12,5 +12,6 @@ control "ecs_task_definition_user_for_host_mode_check" {
 tags = merge(local.conformance_pack_ecs_common_tags, {
 fedramp_low_rev_4 = "true"
 fedramp_moderate_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 })
 }
diff --git a/conformance_pack/efs.sp b/conformance_pack/efs.sp
index 55ae3e99..8a10a5e4 100644
--- a/conformance_pack/efs.sp
+++ b/conformance_pack/efs.sp
@@ -13,6 +13,7 @@ control "efs_file_system_encrypt_data_at_rest" {
 gdpr = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 })
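Review bot: The new `nist_800_53_rev_5 = "true"` line in the `ec2_instance_ebs_optimized` hunk is inserted after `nist_csf`, while every other hunk in this commit keeps the tag keys in alphabetical order and places it directly after `nist_800_53_rev_4`. The same out-of-order placement appears in `elb_application_lb_deletion_protection_enabled`, `elb_classic_lb_use_tls_https_listeners` and `elb_classic_lb_cross_zone_load_balancing_enabled`, where the key lands before `hipaa` or before `nist_800_53_rev_4`. Keeping the map sorted makes future framework additions a one-line, conflict-free change; moving the added line up one position in each of those hunks is all that is needed.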
@@ -26,6 +27,7 @@ control "efs_file_system_in_backup_plan" {
 tags = merge(local.conformance_pack_efs_common_tags, {
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 soc_2 = "true"
diff --git a/conformance_pack/elasticache.sp b/conformance_pack/elasticache.sp
index 761e96ef..aea674d3 100644
--- a/conformance_pack/elasticache.sp
+++ b/conformance_pack/elasticache.sp
@@ -14,6 +14,7 @@ control "elasticache_redis_cluster_automatic_backup_retention_15_days" {
 fedramp_moderate_rev_4 = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 soc_2 = "true"
diff --git a/conformance_pack/elasticbeanstalk.sp b/conformance_pack/elasticbeanstalk.sp
index 08b86524..4b810146 100644
--- a/conformance_pack/elasticbeanstalk.sp
+++ b/conformance_pack/elasticbeanstalk.sp
@@ -12,5 +12,6 @@ control "elastic_beanstalk_enhanced_health_reporting_enabled" {
 tags = merge(local.conformance_pack_elasticbeanstalk_common_tags, {
 fedramp_low_rev_4 = "true"
 fedramp_moderate_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 })
 }
\ No newline at end of file
diff --git a/conformance_pack/elb.sp b/conformance_pack/elb.sp
index 74b402ad..018a8769 100644
--- a/conformance_pack/elb.sp
+++ b/conformance_pack/elb.sp
@@ -15,6 +15,7 @@ control "elb_application_classic_lb_logging_enabled" {
 gdpr = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 soc_2 = "true"
@@ -31,6 +32,7 @@ control "elb_application_lb_deletion_protection_enabled" {
 fedramp_moderate_rev_4 = "true"
 hipaa = "true"
 nist_csf = "true"
+ nist_800_53_rev_5 = "true"
 })
 }
 
@@ -45,6 +47,7 @@ control "elb_application_lb_redirect_http_request_to_https" {
 gdpr = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 })
@@ -59,6 +62,7 @@ control "elb_application_lb_waf_enabled" {
 fedramp_low_rev_4 = "true"
 fedramp_moderate_rev_4 = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 })
@@ -75,6 +79,7 @@ control "elb_classic_lb_use_ssl_certificate" {
 gdpr = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 })
@@ -102,6 +107,7 @@ control "elb_classic_lb_use_tls_https_listeners" {
 tags = merge(local.conformance_pack_elb_common_tags, {
 fedramp_low_rev_4 = "true"
 fedramp_moderate_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 hipaa = "true"
 gdpr = "true"
 nist_800_53_rev_4 = "true"
@@ -117,6 +123,7 @@ control "elb_classic_lb_cross_zone_load_balancing_enabled" {
 tags = merge(local.conformance_pack_elb_common_tags, {
 fedramp_low_rev_4 = "true"
 fedramp_moderate_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_800_53_rev_4 = "true"
 nist_csf = "true"
 })
@@ -129,6 +136,7 @@ control "elb_application_network_lb_use_ssl_certificate" {
 
 tags = merge(local.conformance_pack_elb_common_tags, {
 fedramp_moderate_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 rbi_cyber_security = "true"
 })
 }
\ No newline at end of file
diff --git a/conformance_pack/emr.sp b/conformance_pack/emr.sp
index 44ea2dda..de07c348 100644
--- a/conformance_pack/emr.sp
+++ b/conformance_pack/emr.sp
@@ -26,6 +26,7 @@ control "emr_cluster_master_nodes_no_public_ip" {
 fedramp_moderate_rev_4 = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 })
diff --git a/conformance_pack/es.sp b/conformance_pack/es.sp
index 9a27e729..5922f000 100644
--- a/conformance_pack/es.sp
+++ b/conformance_pack/es.sp
@@ -14,6 +14,7 @@ control "es_domain_encryption_at_rest_enabled" {
 gdpr = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 })
@@ -29,6 +30,7 @@ control "es_domain_in_vpc" {
 fedramp_moderate_rev_4 = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 })
@@ -45,6 +47,7 @@ control "es_domain_node_to_node_encryption_enabled" {
 gdpr = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 rbi_cyber_security = "true"
 })
 }
@@ -57,6 +60,7 @@ control "es_domain_logs_to_cloudwatch" {
 tags = merge(local.conformance_pack_es_common_tags, {
 fedramp_low_rev_4 = "true"
 fedramp_moderate_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 rbi_cyber_security = "true"
 })
 }
\ No newline at end of file
diff --git a/conformance_pack/guardduty.sp b/conformance_pack/guardduty.sp
index 6a82d678..78d37899 100644
--- a/conformance_pack/guardduty.sp
+++ b/conformance_pack/guardduty.sp
@@ -14,6 +14,7 @@ control "guardduty_enabled" {
 fedramp_moderate_rev_4 = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 soc_2 = "true"
 })
@@ -29,6 +30,7 @@ control "guardduty_finding_archived" {
 fedramp_moderate_rev_4 = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 soc_2 = "true"
diff --git a/conformance_pack/iam.sp b/conformance_pack/iam.sp
index 2e366030..e956a2d2 100644
--- a/conformance_pack/iam.sp
+++ b/conformance_pack/iam.sp
@@ -42,6 +42,7 @@ control "iam_policy_no_star_star" {
 gdpr = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 soc_2 = "true"
@@ -59,6 +60,7 @@ control "iam_root_user_no_access_keys" {
 gdpr = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 })
@@ -75,6 +77,7 @@ control "iam_root_user_hardware_mfa_enabled" {
 gdpr = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 })
 }
@@ -91,6 +94,7 @@ control "iam_root_user_mfa_enabled" {
 gdpr = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 })
 }
@@ -106,6 +110,7 @@ control "iam_user_access_key_age_90" {
 gdpr = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 })
 }
@@ -122,6 +127,7 @@ control "iam_user_console_access_mfa_enabled" {
 gdpr = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 })
 }
@@ -137,6 +143,7 @@ control "iam_user_mfa_enabled" {
 fedramp_moderate_rev_4 = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 })
 }
@@ -152,6 +159,7 @@ control "iam_user_no_inline_attached_policies" {
 gdpr = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 soc_2 = "true"
@@ -169,6 +177,7 @@ control "iam_user_unused_credentials_90" {
 gdpr = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 soc_2 = "true"
 })
@@ -184,6 +193,7 @@ control "iam_user_in_group" {
 fedramp_moderate_rev_4 = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 soc_2 = "true"
 })
@@ -199,6 +209,7 @@ control "iam_group_user_role_no_inline_policies" {
 fedramp_moderate_rev_4 = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 rbi_cyber_security = "true"
 soc_2 = "true"
 })
@@ -224,6 +235,7 @@ control "iam_account_password_policy_min_length_14" {
 fedramp_moderate_rev_4 = "true"
 gdpr = "true"
 hipaa = "true"
+ nist_800_53_rev_5 = "true"
 })
 }
 
@@ -311,6 +323,7 @@ control "iam_all_policy_no_service_wild_card" {
 tags = merge(local.conformance_pack_iam_common_tags, {
 fedramp_low_rev_4 = "true"
 fedramp_moderate_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 rbi_cyber_security = "true"
 })
 }
@@ -324,4 +337,14 @@ control "iam_policy_custom_no_blocked_kms_actions" {
 fedramp_low_rev_4 = "true"
 fedramp_moderate_rev_4 = "true"
 })
-}
\ No newline at end of file
+}
+
+control "account_part_of_organizations" {
+ title = "AWS account should be part of AWS Organizations"
+ description = "Ensure if an AWS account is part of AWS Organizations. The rule is non compliant if an AWS account is not part of AWS Organizations or AWS Organizations master account ID does not match rule parameter MasterAccountId."
+ sql = query.account_part_of_organizations.sql
+
+ tags = merge(local.conformance_pack_iam_common_tags, {
+ nist_800_53_rev_5 = "true"
+ })
+}
diff --git a/conformance_pack/kms.sp b/conformance_pack/kms.sp
index 7a8b3cf6..3b7edb38 100644
--- a/conformance_pack/kms.sp
+++ b/conformance_pack/kms.sp
@@ -14,6 +14,7 @@ control "kms_key_not_pending_deletion" {
 fedramp_moderate_rev_4 = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 })
@@ -30,6 +31,7 @@ control "kms_cmk_rotation_enabled" {
 hippa = "true"
 gdpr = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 rbi_cyber_security = "true"
 })
 }
diff --git a/conformance_pack/lambda.sp b/conformance_pack/lambda.sp
index 36345762..6d7e17fa 100644
--- a/conformance_pack/lambda.sp
+++ b/conformance_pack/lambda.sp
@@ -13,6 +13,7 @@ control "lambda_function_dead_letter_queue_configured" {
 fedramp_low_rev_4 = "true"
 fedramp_moderate_rev_4 = "true"
 hipaa = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 soc_2 = "true"
 })
@@ -28,6 +29,7 @@ control "lambda_function_in_vpc" {
 fedramp_moderate_rev_4 = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 })
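Review bot: The description of the new `account_part_of_organizations` control promises a check that this control cannot perform: it says the rule is non compliant when the "master account ID does not match rule parameter MasterAccountId", but no such parameter exists for a control whose evaluation is the fixed query `query.account_part_of_organizations.sql`. The same commit already trimmed an equivalent "does not match the rule parameter" clause from `vpc_route_table_restrict_public_access_to_igw`, so this one was presumably missed; I would shorten it to `description = "Ensure if an AWS account is part of AWS Organizations. The control is non compliant if the AWS account is not a member of an AWS Organizations organization."`. The control is also an account/Organizations check rather than an IAM check, yet it is placed in `iam.sp` and carries `local.conformance_pack_iam_common_tags`; if the mod has an account- or organizations-scoped pack, that is the more discoverable home.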
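Review bot: The `kms_cmk_rotation_enabled` hunk adds `nist_800_53_rev_5` directly beneath a context line that reads `hippa = "true"`, a misspelling of the `hipaa` key used by every other control in this diff. If benchmark membership in this mod is derived from these tag keys, as the per-framework keys suggest, the misspelling silently drops key-rotation from the HIPAA benchmark without any error, which is exactly the kind of gap a compliance pack should not have; since this commit is already touching the line below, fixing it here to `hipaa = "true"` is cheap. The same class of defect appears in the `redshift_cluster_automatic_snapshots_min_7_days` hunk, where the context line `sco_2 = "true"` should read `soc_2 = "true"`.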
@@ -43,6 +45,7 @@ control "lambda_function_restrict_public_access" {
 fedramp_moderate_rev_4 = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 })
@@ -56,6 +59,7 @@ control "lambda_function_concurrent_execution_limit_configured" {
 tags = merge(local.conformance_pack_lambda_common_tags, {
 fedramp_low_rev_4 = "true"
 fedramp_moderate_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 soc_2 = "true"
 })
diff --git a/conformance_pack/rds.sp b/conformance_pack/rds.sp
index f1c47aa1..3858cf64 100644
--- a/conformance_pack/rds.sp
+++ b/conformance_pack/rds.sp
@@ -14,6 +14,7 @@ control "rds_db_instance_backup_enabled" {
 fedramp_moderate_rev_4 = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 soc_2 = "true"
@@ -30,6 +31,7 @@ control "rds_db_instance_encryption_at_rest_enabled" {
 gdpr = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 })
@@ -45,6 +47,7 @@ control "rds_db_instance_multiple_az_enabled" {
 fedramp_moderate_rev_4 = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 })
 }
@@ -60,6 +63,7 @@ control "rds_db_instance_prohibit_public_access" {
 fedramp_moderate_rev_4 = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 soc_2 = "true"
@@ -77,6 +81,7 @@ control "rds_db_snapshot_encrypted_at_rest" {
 gdpr = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 rbi_cyber_security = "true"
 })
 }
@@ -92,6 +97,7 @@ control "rds_db_snapshot_prohibit_public_access" {
 fedramp_moderate_rev_4 = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 })
@@ -107,6 +113,7 @@ control "rds_db_instance_logging_enabled" {
 fedramp_moderate_rev_4 = "true"
 gdpr = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 rbi_cyber_security = "true"
 soc_2 = "true"
 })
@@ -121,6 +128,7 @@ control "rds_db_instance_in_backup_plan" {
 gdpr = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 soc_2 = "true"
@@ -135,6 +143,7 @@ control "rds_db_instance_and_cluster_enhanced_monitoring_enabled" {
 tags = merge(local.conformance_pack_rds_common_tags, {
 fedramp_low_rev_4 = "true"
 fedramp_moderate_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 })
 }
@@ -148,6 +157,7 @@ control "rds_db_instance_deletion_protection_enabled" {
 fedramp_low_rev_4 = "true"
 fedramp_moderate_rev_4 = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 soc_2 = "true"
 })
 }
@@ -185,6 +195,7 @@ control "rds_db_instance_protected_by_backup_plan" {
 fedramp_low_rev_4 = "true"
 fedramp_moderate_rev_4 = "true"
 hipaa = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 soc_2 = "true"
 })
diff --git a/conformance_pack/redshift.sp b/conformance_pack/redshift.sp
index 324f9549..23b514f8 100644
--- a/conformance_pack/redshift.sp
+++ b/conformance_pack/redshift.sp
@@ -15,6 +15,7 @@ control "redshift_cluster_encryption_in_transit_enabled" {
 gdpr = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 })
@@ -31,6 +32,7 @@ control "redshift_cluster_encryption_logging_enabled" {
 gdpr = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 soc_2 = "true"
@@ -47,6 +49,7 @@ control "redshift_cluster_prohibit_public_access" {
 fedramp_moderate_rev_4 = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 })
@@ -62,6 +65,7 @@ control "redshift_cluster_automatic_snapshots_min_7_days" {
 fedramp_moderate_rev_4 = "true"
 gdpr = "true"
 hipaa = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 sco_2 = "true"
@@ -76,6 +80,7 @@ control "redshift_cluster_kms_enabled" {
 tags = merge(local.conformance_pack_redshift_common_tags, {
 fedramp_low_rev_4 = "true"
 fedramp_moderate_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 rbi_cyber_security = "true"
 })
 }
@@ -86,6 +91,17 @@ control "redshift_cluster_maintenance_settings_check" {
 sql = query.redshift_cluster_maintenance_settings_check.sql
 
 tags = merge(local.conformance_pack_redshift_common_tags, {
+ nist_800_53_rev_5 = "true"
 rbi_cyber_security = "true"
 })
+}
+
+control "redshift_cluster_enhanced_vpc_routing_enabled" {
+ title = "Amazon Redshift enhanced VPC routing should be enabled"
+ description = "Ensure if Amazon Redshift cluster has 'enhancedVpcRouting' enabled. The rule is non compliant if 'enhancedVpcRouting' is not enabled or if the configuration.enhancedVpcRouting field is 'false'."
+ sql = query.redshift_cluster_enhanced_vpc_routing_enabled.sql
+
+ tags = merge(local.conformance_pack_redshift_common_tags, {
+ nist_800_53_rev_5 = "true"
+ })
 }
\ No newline at end of file
diff --git a/conformance_pack/s3.sp b/conformance_pack/s3.sp
index b659346b..324cb0ee 100644
--- a/conformance_pack/s3.sp
+++ b/conformance_pack/s3.sp
@@ -14,6 +14,7 @@ control "s3_bucket_cross_region_replication_enabled" {
 fedramp_moderate_rev_4 = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 soc_2 = "true"
@@ -31,6 +32,7 @@ control "s3_bucket_default_encryption_enabled" {
 gdpr = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 })
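Review bot: The description of the new `redshift_cluster_enhanced_vpc_routing_enabled` control reads like a copied AWS Config rule definition rather than a statement of what this control evaluates: "the configuration.enhancedVpcRouting field" is a Config resource-schema path that has no meaning for a control backed by `query.redshift_cluster_enhanced_vpc_routing_enabled.sql`, and the second clause restates the first. A reader of the benchmark report needs the security rationale, not the upstream implementation detail; I would write `description = "Ensure that enhanced VPC routing is enabled on Amazon Redshift clusters so that COPY and UNLOAD traffic between the cluster and data repositories stays within the VPC. The control is non compliant if enhanced VPC routing is not enabled on the cluster."`. The file also still ends without a trailing newline (`\ No newline at end of file`), which this commit could have fixed while appending to it.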
@@ -47,6 +49,7 @@ control "s3_bucket_enforces_ssl" {
 gdpr = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 })
@@ -62,6 +65,7 @@ control "s3_bucket_logging_enabled" {
 fedramp_moderate_rev_4 = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 soc_2 = "true"
@@ -92,6 +96,7 @@ control "s3_bucket_restrict_public_read_access" {
 fedramp_moderate_rev_4 = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 soc_2 = "true"
@@ -109,6 +114,7 @@ control "s3_bucket_restrict_public_write_access" {
 fedramp_moderate_rev_4 = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 })
@@ -125,6 +131,8 @@ control "s3_bucket_versioning_enabled" {
 fedramp_moderate_rev_4 = "true"
 hipaa = "true"
 nist_csf = "true"
+ nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 rbi_cyber_security = "true"
 soc_2 = "true"
 })
@@ -140,6 +148,7 @@ control "s3_public_access_block_account" {
 fedramp_moderate_rev_4 = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 })
 }
@@ -169,6 +178,7 @@ control "s3_bucket_default_encryption_enabled_kms" {
 fedramp_moderate_rev_4 = "true"
 gdpr = "true"
 hipaa = "true"
+ nist_800_53_rev_5 = "true"
 rbi_cyber_security = "true"
 })
 }
@@ -181,5 +191,6 @@ control "s3_public_access_block_bucket" {
 tags = merge(local.conformance_pack_s3_common_tags, {
 fedramp_low_rev_4 = "true"
 fedramp_moderate_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 })
 }
diff --git a/conformance_pack/sagemaker.sp b/conformance_pack/sagemaker.sp
index 6ee22b8a..308b5fe9 100644
--- a/conformance_pack/sagemaker.sp
+++ b/conformance_pack/sagemaker.sp
@@ -14,6 +14,7 @@ control "sagemaker_notebook_instance_direct_internet_access_disabled" {
 fedramp_moderate_rev_4 = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 })
@@ -30,6 +31,7 @@ control "sagemaker_notebook_instance_encryption_at_rest_enabled" {
 gdpr = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 })
@@ -46,6 +48,7 @@ control "sagemaker_endpoint_configuration_encryption_at_rest_enabled" {
 gdpr = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 })
diff --git a/conformance_pack/secretsmanager.sp b/conformance_pack/secretsmanager.sp
index 4840206a..32dab652 100644
--- a/conformance_pack/secretsmanager.sp
+++ b/conformance_pack/secretsmanager.sp
@@ -10,8 +10,9 @@ control "secretsmanager_secret_automatic_rotation_enabled" {
 sql = query.secretsmanager_secret_automatic_rotation_enabled.sql
 
 tags = merge(local.conformance_pack_secretsmanager_common_tags, {
- hipaa = "true"
- nist_csf = "true"
+ hipaa = "true"
+ nist_800_53_rev_5 = "true"
+ nist_csf = "true"
 })
 }
 
@@ -22,6 +23,27 @@ control "secretsmanager_secret_rotated_as_scheduled" {
 
 tags = merge(local.conformance_pack_secretsmanager_common_tags, {
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 })
 }
+
+control "secretsmanager_secret_unused_90_day" {
+ title = "Secrets Manager secrets should be rotated as per the rotation schedule"
+ description = "Ensure if AWS Secrets Manager secrets have been accessed within a specified number of days. The rule is non compiant if a secret has not been accessed in ‘unusedForDays’ number of days. The default value is 90 days."
+ sql = query.secretsmanager_secret_unused_90_day.sql
+
+ tags = merge(local.conformance_pack_secretsmanager_common_tags, {
+ nist_800_53_rev_5 = "true"
+ })
+}
+
+control "secretsmanager_secret_encrypted_with_kms_cmk" {
+ title = "Secrets Manager secrets should be encrypted using CMK"
+ description = "Ensure if all secrets in AWS Secrets Manager are encrypted using the AWS managed key (aws/secretsmanager) or a customer managed key that was created in AWS Key Management Service (AWS KMS). The rule is compliant if a secret is encrypted using a customer managed key. This rule is NON_COMPLIANT if a secret is encrypted using aws/secretsmanager."
+ sql = query.secretsmanager_secret_encrypted_with_kms_cmk.sql
+
+ tags = merge(local.conformance_pack_secretsmanager_common_tags, {
+ nist_800_53_rev_5 = "true"
+ })
+}
diff --git a/conformance_pack/securityhub.sp b/conformance_pack/securityhub.sp
index d8b82886..3e332054 100644
--- a/conformance_pack/securityhub.sp
+++ b/conformance_pack/securityhub.sp
@@ -14,6 +14,7 @@ control "securityhub_enabled" {
 fedramp_moderate_rev_4 = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 soc_2 = "true"
diff --git a/conformance_pack/sns.sp b/conformance_pack/sns.sp
index fa09ab9f..2c028c12 100644
--- a/conformance_pack/sns.sp
+++ b/conformance_pack/sns.sp
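Review bot: The title of the new `secretsmanager_secret_unused_90_day` control is a copy of the preceding control's title ("should be rotated as per the rotation schedule") and does not describe what the control evaluates, which is secrets that have not been accessed in 90 days; a benchmark report will then show two controls with identical titles and different results. I would change it to `title = "Secrets Manager secrets that have not been used in 90 days should be removed"`, and tidy the description, which has a typo ("compiant"), smart quotes around ‘unusedForDays’, and refers to a tunable "specified number of days" even though the control name fixes the threshold at 90. In the second control, `secretsmanager_secret_encrypted_with_kms_cmk`, the description first says secrets may be encrypted with the AWS managed key or a customer managed key and then says the rule is non compliant when the AWS managed key is used, so its first sentence contradicts the verdict; stating only the customer managed key requirement, `description = "Ensure that secrets stored in AWS Secrets Manager are encrypted with a customer managed key in AWS KMS. The control is non compliant if a secret is encrypted with the AWS managed key aws/secretsmanager."`, removes the ambiguity.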
@@ -15,6 +15,7 @@ control "sns_topic_encrypted_at_rest" {
 gdpr = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 })
diff --git a/conformance_pack/ssm.sp b/conformance_pack/ssm.sp
index baa60290..2decb48d 100644
--- a/conformance_pack/ssm.sp
+++ b/conformance_pack/ssm.sp
@@ -14,6 +14,7 @@ control "ec2_instance_ssm_managed" {
 fedramp_moderate_rev_4 = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 soc_2 = "true"
@@ -30,6 +31,7 @@ control "ssm_managed_instance_compliance_association_compliant" {
 fedramp_moderate_rev_4 = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 soc_2 = "true"
@@ -46,6 +48,7 @@ control "ssm_managed_instance_compliance_patch_compliant" {
 fedramp_moderate_rev_4 = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 rbi_cyber_security = "true"
 soc_2 = "true"
 })
diff --git a/conformance_pack/vpc.sp b/conformance_pack/vpc.sp
index 5d619bfb..bd1abcdd 100644
--- a/conformance_pack/vpc.sp
+++ b/conformance_pack/vpc.sp
@@ -15,6 +15,7 @@ control "vpc_flow_logs_enabled" {
 gdpr = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 soc_2 = "true"
@@ -44,6 +45,7 @@ control "vpc_security_group_restrict_ingress_tcp_udp_all" {
 fedramp_moderate_rev_4 = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 })
@@ -60,6 +62,7 @@ control "vpc_security_group_restrict_ingress_common_ports_all" {
 fedramp_moderate_rev_4 = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 })
@@ -76,6 +79,7 @@ control "vpc_security_group_restrict_ingress_ssh_all" {
 fedramp_moderate_rev_4 = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 soc_2 = "true"
@@ -91,6 +95,7 @@ control "vpc_default_security_group_restricts_all_traffic" {
 fedramp_low_rev_4 = "true"
 fedramp_moderate_rev_4 = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 })
@@ -105,6 +110,7 @@ control "vpc_vpn_tunnel_up" {
 fedramp_low_rev_4 = "true"
 fedramp_moderate_rev_4 = "true"
 hipaa = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 })
 }
@@ -130,13 +136,14 @@ control "vpc_security_group_associated_to_eni" {
 }
 
 control "vpc_subnet_auto_assign_public_ip_disabled" {
- title = "VPC subnet auto assign public ip should be disabled"
+ title = "VPC subnet auto assign public IP should be disabled"
 description = "Ensure if Amazon Virtual Private Cloud (Amazon VPC) subnets are assigned a public IP address. The control is complaint if Amazon VPC does not have subnets that are assigned a public IP address. The control. is non complaint if Amazon VPC has subnets that are assigned a public IP address."
 sql = query.vpc_subnet_auto_assign_public_ip_disabled.sql
 
 tags = merge(local.conformance_pack_vpc_common_tags, {
 fedramp_low_rev_4 = "true"
 fedramp_moderate_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 })
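Review bot: The title fix for `vpc_subnet_auto_assign_public_ip_disabled` leaves the description on the very next context line uncorrected: it reads `complaint` twice where `compliant` is meant and has a stray period in `The control. is non complaint`. Since the commit is already editing this control's text, suggest `description = "Ensure if Amazon Virtual Private Cloud (Amazon VPC) subnets are assigned a public IP address. The control is compliant if Amazon VPC does not have subnets that are assigned a public IP address. The control is non-compliant if Amazon VPC has subnets that are assigned a public IP address."`. The same `complaint`-for-`compliant` slip is carried into the rewritten description of `vpc_route_table_restrict_public_access_to_igw` in the next hunk.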
@@ -144,12 +151,13 @@ control "vpc_subnet_auto_assign_public_ip_disabled" {
 control "vpc_route_table_restrict_public_access_to_igw" {
 title = "VPC route table should restrict public access to IGW"
- description = "Ensure if there are public routes in the route table to an Internet Gateway (IGW). The rule is complaint if a route to an IGW has a destination CIDR block of '0.0.0.0/0' or '::/0' or if a destination CIDR block does not match the rule parameter."
+ description = "Ensure if there are public routes in the route table to an Internet Gateway (IGW). The rule is complaint if a route to an IGW has a destination CIDR block of '0.0.0.0/0' or '::/0'."
 sql = query.vpc_route_table_restrict_public_access_to_igw.sql
 
 tags = merge(local.conformance_pack_vpc_common_tags, {
 fedramp_low_rev_4 = "true"
 fedramp_moderate_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 rbi_cyber_security = "true"
 })
 }
diff --git a/conformance_pack/wafv2.sp b/conformance_pack/wafv2.sp
index c4e15c49..d2c9b22b 100644
--- a/conformance_pack/wafv2.sp
+++ b/conformance_pack/wafv2.sp
@@ -15,6 +15,7 @@ control "wafv2_web_acl_logging_enabled" {
 hipaa = "true"
 gdpr = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 soc_2 = "true"
diff --git a/nist_800_53_rev_5/ac.sp b/nist_800_53_rev_5/ac.sp
new file mode 100644
index 00000000..199dc831
--- /dev/null
+++ b/nist_800_53_rev_5/ac.sp
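Review bot: The rewritten description of `vpc_route_table_restrict_public_access_to_igw` says the rule is `complaint` (compliant) when a route to an IGW has a destination of `0.0.0.0/0` or `::/0`, which is the opposite of what a control that restricts public access to an IGW should report — a default route to an IGW is the finding, so presumably non-compliant was intended, matching the `This rule is NON_COMPLIANT if …` phrasing used by the new Secrets Manager control earlier in this diff. Suggest `description = "Ensure if there are public routes in the route table to an Internet Gateway (IGW). The rule is non-compliant if a route to an IGW has a destination CIDR block of '0.0.0.0/0' or '::/0'."`. The removed line carried the same wording, so the inversion predates this commit, but the commit rewrites that sentence and is the natural place to correct it.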
@@ -0,0 +1,1423 @@ +benchmark "nist_800_53_rev_5_ac" { + title = "Access Control (AC)" + description = "The access control family consists of security requirements detailing system logging. This includes who has access to what assets and reporting capabilities like account management, system privileges, and remote access logging to determine when users have access to the system and their level of access." + children = [ + benchmark.nist_800_53_rev_5_ac_2, + benchmark.nist_800_53_rev_5_ac_3, + benchmark.nist_800_53_rev_5_ac_4, + benchmark.nist_800_53_rev_5_ac_5, + benchmark.nist_800_53_rev_5_ac_6, + benchmark.nist_800_53_rev_5_ac_7, + benchmark.nist_800_53_rev_5_ac_16, + benchmark.nist_800_53_rev_5_ac_17, + benchmark.nist_800_53_rev_5_ac_24 + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ac_2" { + title = "Account Management (AC-2)" + description = "Manage system accounts, group memberships, privileges, workflow, notifications, deactivations, and authorizations." + children = [ + benchmark.nist_800_53_rev_5_ac_2_1, + benchmark.nist_800_53_rev_5_ac_2_3, + benchmark.nist_800_53_rev_5_ac_2_4, + benchmark.nist_800_53_rev_5_ac_2_6, + benchmark.nist_800_53_rev_5_ac_2_12, + benchmark.nist_800_53_rev_5_ac_2_d_1, + benchmark.nist_800_53_rev_5_ac_2_g, + benchmark.nist_800_53_rev_5_ac_2_i_2, + benchmark.nist_800_53_rev_5_ac_2_j + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ac_2_1" { + title = "AC-2(1) Automated System Account Management" + description = "Support the management of system accounts using [Assignment: organization-defined automated mechanisms]." 
+ children = [ + control.iam_account_password_policy_min_length_14, + control.iam_group_user_role_no_inline_policies, + control.iam_policy_no_star_star, + control.iam_root_user_hardware_mfa_enabled, + control.iam_root_user_mfa_enabled, + control.iam_root_user_no_access_keys, + control.iam_user_access_key_age_90, + control.iam_user_console_access_mfa_enabled, + control.iam_user_in_group, + control.iam_user_mfa_enabled, + control.iam_user_no_inline_attached_policies, + control.iam_user_unused_credentials_90, + control.secretsmanager_secret_automatic_rotation_enabled, + control.secretsmanager_secret_rotated_as_scheduled, + control.secretsmanager_secret_unused_90_day + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ac_2_3" { + title = "AC-2(3) Disable Accounts" + description = "Disable accounts within [Assignment: organization-defined time period] when the accounts: (a) Have expired; (b) Are no longer associated with a user or individual; (c) Are in violation of organizational policy; or (d) Have been inactive for [Assignment: organization-defined time period]." + children = [ + control.iam_account_password_policy_min_length_14, + control.iam_user_unused_credentials_90, + benchmark.nist_800_53_rev_5_ac_2_3_a, + benchmark.nist_800_53_rev_5_ac_2_3_b, + benchmark.nist_800_53_rev_5_ac_2_3_c, + benchmark.nist_800_53_rev_5_ac_2_3_d + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ac_2_3_a" { + title = "AC-2(3)(a)" + description = "Disable accounts within [Assignment: organization-defined time period] when the accounts: (a) Have expired." 
+ children = [ + control.iam_account_password_policy_min_length_14, + control.iam_user_unused_credentials_90 + ] + + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/IAM" + }) +} + +benchmark "nist_800_53_rev_5_ac_2_3_b" { + title = "AC-2(3)(b)" + description = "Disable accounts within [Assignment: organization-defined time period] when the accounts: (b) Are no longer associated with a user or individual." + children = [ + control.iam_account_password_policy_min_length_14, + control.iam_user_unused_credentials_90 + ] + + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/IAM" + }) +} + +benchmark "nist_800_53_rev_5_ac_2_3_c" { + title = "AC-2(3)(c)" + description = "Disable accounts within [Assignment: organization-defined time period] when the accounts: (c) Are in violation of organizational policy." + children = [ + control.iam_account_password_policy_min_length_14, + control.iam_user_unused_credentials_90 + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ac_2_3_d" { + title = "AC-2(3)(d)" + description = "Disable accounts within [Assignment: organization-defined time period] when the accounts: (d) Have been inactive for [Assignment: organization-defined time period]." + children = [ + control.iam_account_password_policy_min_length_14, + control.iam_user_unused_credentials_90 + ] + + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/IAM" + }) +} + +benchmark "nist_800_53_rev_5_ac_2_4" { + title = "AC-2(4) Automated Audit Actions" + description = "Automatically audit account creation, modification, enabling, disabling, and removal actions." 
+ children = [ + control.cloudtrail_multi_region_trail_enabled, + control.cloudtrail_s3_data_events_enabled, + control.cloudtrail_trail_enabled, + control.cloudtrail_trail_integrated_with_logs, + control.rds_db_instance_logging_enabled, + control.redshift_cluster_encryption_logging_enabled, + control.s3_bucket_logging_enabled + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ac_2_6" { + title = "AC-2(6) Dynamic Privilege Management" + description = "Implement [Assignment: organization-defined dynamic privilege management capabilities]." + children = [ + control.dms_replication_instance_not_publicly_accessible, + control.ebs_snapshot_not_publicly_restorable, + control.ec2_instance_in_vpc, + control.ec2_instance_not_publicly_accessible, + control.ec2_instance_uses_imdsv2, + control.emr_cluster_master_nodes_no_public_ip, + control.es_domain_in_vpc, + control.iam_group_user_role_no_inline_policies, + control.iam_policy_no_star_star, + control.iam_root_user_no_access_keys, + control.iam_user_in_group, + control.iam_user_no_inline_attached_policies, + control.iam_user_unused_credentials_90, + control.lambda_function_in_vpc, + control.lambda_function_restrict_public_access, + control.rds_db_instance_prohibit_public_access, + control.rds_db_snapshot_prohibit_public_access, + control.redshift_cluster_prohibit_public_access, + control.s3_bucket_restrict_public_read_access, + control.s3_bucket_restrict_public_write_access, + control.s3_public_access_block_account, + control.s3_public_access_block_bucket, + control.sagemaker_notebook_instance_direct_internet_access_disabled, + control.vpc_subnet_auto_assign_public_ip_disabled + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ac_2_12" { + title = "AC-2(12) Account Monitoring" + description = "Monitors and reports atypical usage of information system accounts to organization-defined personnel or roles." 
+ children = [ + benchmark.nist_800_53_rev_5_ac_2_12_a + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ac_2_12_a" { + title = "AC-2(12)(a)" + description = "Monitor system accounts for [Assignment: organization-defined atypical usage]." + children = [ + control.guardduty_enabled + ] + + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/GuardDuty" + }) +} + +benchmark "nist_800_53_rev_5_ac_2_d_1" { + title = "AC-2(d)(1)" + description = "d. Specify: 1. Authorized users of the system;personnel termination and transfer processes." + children = [ + control.iam_account_password_policy_min_length_14 + ] + + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/IAM" + }) +} + +benchmark "nist_800_53_rev_5_ac_2_g" { + title = "AC-2(g)" + description = "The organization: g. Monitors the use of information system accounts." + children = [ + control.iam_user_unused_credentials_90 + ] + + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/IAM" + }) +} + +benchmark "nist_800_53_rev_5_ac_2_i_2" { + title = "AC-2(i)(2)" + description = "i. Authorize access to the system based on: 2. Intended system usage." + children = [ + control.iam_group_user_role_no_inline_policies, + control.iam_policy_no_star_star, + control.iam_user_in_group, + control.iam_user_no_inline_attached_policies + ] + + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/IAM" + }) +} + +benchmark "nist_800_53_rev_5_ac_2_j" { + title = "AC-2(j)" + description = "The organization: j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]." 
+ children = [ + control.iam_user_unused_credentials_90 + ] + + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/IAM" + }) +} + +benchmark "nist_800_53_rev_5_ac_3" { + title = "Access Enforcement (AC-3)" + description = "Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies." + children = [ + benchmark.nist_800_53_rev_5_ac_3_1, + benchmark.nist_800_53_rev_5_ac_3_2, + benchmark.nist_800_53_rev_5_ac_3_3, + benchmark.nist_800_53_rev_5_ac_3_4, + benchmark.nist_800_53_rev_5_ac_3_7, + benchmark.nist_800_53_rev_5_ac_3_8, + benchmark.nist_800_53_rev_5_ac_3_10, + benchmark.nist_800_53_rev_5_ac_3_12, + benchmark.nist_800_53_rev_5_ac_3_13, + benchmark.nist_800_53_rev_5_ac_3_15, + control.autoscaling_launch_config_public_ip_disabled, + control.dms_replication_instance_not_publicly_accessible, + control.ebs_snapshot_not_publicly_restorable, + control.ec2_instance_iam_profile_attached, + control.ec2_instance_not_publicly_accessible, + control.ec2_instance_uses_imdsv2, + control.ecs_task_definition_user_for_host_mode_check, + control.emr_cluster_master_nodes_no_public_ip, + control.es_domain_in_vpc, + control.iam_all_policy_no_service_wild_card, + control.iam_group_user_role_no_inline_policies, + control.iam_policy_no_star_star, + control.iam_user_in_group, + control.iam_user_no_inline_attached_policies, + control.iam_user_unused_credentials_90, + control.lambda_function_in_vpc, + control.lambda_function_restrict_public_access, + control.rds_db_instance_prohibit_public_access, + control.rds_db_snapshot_prohibit_public_access, + control.redshift_cluster_prohibit_public_access, + control.s3_bucket_restrict_public_read_access, + control.s3_bucket_restrict_public_write_access, + control.s3_public_access_block_account, + control.s3_public_access_block_bucket, + control.sagemaker_notebook_instance_direct_internet_access_disabled, + control.vpc_subnet_auto_assign_public_ip_disabled 
+ ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ac_3_1" { + title = "AC-3(1) Restricted Access To Privileged Functions" + description = "Employ an audited override of automated access control mechanisms under [Assignment: organization-defined conditions] by [Assignment: organization-defined roles]." + children = [ + control.cloudtrail_multi_region_trail_enabled, + control.cloudtrail_trail_integrated_with_logs, + control.cloudtrail_trail_enabled, + control.cloudtrail_s3_data_events_enabled, + control.rds_db_instance_logging_enabled, + control.redshift_cluster_encryption_logging_enabled, + control.s3_bucket_logging_enabled + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ac_3_2" { + title = "AC-3(2) Dual Authorization" + description = "Enforce dual authorization for [Assignment: organization-defined privileged commands and/or other organization-defined actions]." + children = [ + control.iam_root_user_hardware_mfa_enabled, + control.iam_root_user_mfa_enabled, + control.iam_user_console_access_mfa_enabled, + control.iam_user_mfa_enabled + ] + + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/IAM" + }) +} + +benchmark "nist_800_53_rev_5_ac_3_3" { + title = "AC-3(3) Mandatory Access Control" + description = "Enforce [Assignment: organization-defined mandatory access control policy] over the set of covered subjects and objects specified in the policy, and where the policy: (a) Is uniformly enforced across the covered subjects and objects within the system; (b) Specifies that a subject that has been granted access to information is constrained from doing any of the following; (1) Passing the information to unauthorized subjects or objects; (2) Granting its privileges to other subjects; (3) Changing one or more security attributes (specified by the policy) on subjects, objects, the system, or system components; (4) Choosing the security attributes and attribute values (specified 
by the policy) to be associated with newly created or modified objects; and (5) Changing the rules governing access control; and (c) Specifies that [Assignment: organization-defined subjects] may explicitly be granted [Assignment: organization-defined privileges] such that they are not limited by any defined subset (or all) of the above constraints." + children = [ + benchmark.nist_800_53_rev_5_ac_3_3_a, + benchmark.nist_800_53_rev_5_ac_3_3_b_1, + benchmark.nist_800_53_rev_5_ac_3_3_b_2, + benchmark.nist_800_53_rev_5_ac_3_3_b_3, + benchmark.nist_800_53_rev_5_ac_3_3_b_4, + benchmark.nist_800_53_rev_5_ac_3_3_b_5, + benchmark.nist_800_53_rev_5_ac_3_3_c, + control.ec2_instance_uses_imdsv2, + control.iam_account_password_policy_min_length_14, + control.iam_group_user_role_no_inline_policies, + control.iam_policy_no_star_star, + control.iam_root_user_hardware_mfa_enabled, + control.iam_root_user_mfa_enabled, + control.iam_root_user_no_access_keys, + control.iam_user_access_key_age_90, + control.iam_user_console_access_mfa_enabled, + control.iam_user_in_group, + control.iam_user_mfa_enabled, + control.iam_user_no_inline_attached_policies, + control.iam_user_unused_credentials_90, + control.secretsmanager_secret_automatic_rotation_enabled, + control.secretsmanager_secret_rotated_as_scheduled, + control.secretsmanager_secret_unused_90_day + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ac_3_3_a" { + title = "AC-3(3)(a)" + description = "Enforce [Assignment: organization-defined mandatory access policy] over the set of covered subjects and objects specified in the policy, and where the policy: (a) Is uniformly enforced across the covered subjects and objects within the system." 
+ children = [ + control.ec2_instance_uses_imdsv2, + control.iam_account_password_policy_min_length_14, + control.iam_group_user_role_no_inline_policies, + control.iam_policy_no_star_star, + control.iam_root_user_hardware_mfa_enabled, + control.iam_root_user_mfa_enabled, + control.iam_root_user_no_access_keys, + control.iam_user_access_key_age_90, + control.iam_user_console_access_mfa_enabled, + control.iam_user_in_group, + control.iam_user_mfa_enabled, + control.iam_user_no_inline_attached_policies, + control.iam_user_unused_credentials_90, + control.secretsmanager_secret_automatic_rotation_enabled, + control.secretsmanager_secret_rotated_as_scheduled, + control.secretsmanager_secret_unused_90_day + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ac_3_3_b_1" { + title = "AC-3(3)(b)(1)" + description = "Enforce [Assignment: organization-defined mandatory access policy] over the set of covered subjects and objects specified in the policy, and where the policy: (b) Specifies that a subject that has been granted access to information is constrained from doing any of the following; (1) Passing the information to unauthorized subjects or objects." 
+ children = [ + control.ec2_instance_uses_imdsv2, + control.iam_account_password_policy_min_length_14, + control.iam_group_user_role_no_inline_policies, + control.iam_policy_no_star_star, + control.iam_root_user_hardware_mfa_enabled, + control.iam_root_user_mfa_enabled, + control.iam_root_user_no_access_keys, + control.iam_user_access_key_age_90, + control.iam_user_console_access_mfa_enabled, + control.iam_user_in_group, + control.iam_user_mfa_enabled, + control.iam_user_no_inline_attached_policies, + control.iam_user_unused_credentials_90, + control.secretsmanager_secret_automatic_rotation_enabled, + control.secretsmanager_secret_rotated_as_scheduled, + control.secretsmanager_secret_unused_90_day + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ac_3_3_b_2" { + title = "AC-3(3)(b)(2)" + description = "Enforce [Assignment: organization-defined mandatory access policy] over the set of covered subjects and objects specified in the policy, and where the policy: (b) Specifies that a subject that has been granted access to information is constrained from doing any of the following; (2) Granting its privileges to other subjects." 
+ children = [ + control.ec2_instance_uses_imdsv2, + control.iam_account_password_policy_min_length_14, + control.iam_group_user_role_no_inline_policies, + control.iam_policy_no_star_star, + control.iam_root_user_hardware_mfa_enabled, + control.iam_root_user_mfa_enabled, + control.iam_root_user_no_access_keys, + control.iam_user_access_key_age_90, + control.iam_user_console_access_mfa_enabled, + control.iam_user_in_group, + control.iam_user_mfa_enabled, + control.iam_user_no_inline_attached_policies, + control.iam_user_unused_credentials_90, + control.secretsmanager_secret_automatic_rotation_enabled, + control.secretsmanager_secret_rotated_as_scheduled, + control.secretsmanager_secret_unused_90_day + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ac_3_3_b_3" { + title = "AC-3(3)(b)(3)" + description = "Enforce [Assignment: organization-defined mandatory access policy] over the set of covered subjects and objects specified in the policy, and where the policy: (b) Specifies that a subject that has been granted access to information is constrained from doing any of the following; (3) Changing one or more security attributes (specified by the policy) on subjects, objects, the system, or system components." 
+ children = [ + control.ec2_instance_uses_imdsv2, + control.iam_account_password_policy_min_length_14, + control.iam_group_user_role_no_inline_policies, + control.iam_policy_no_star_star, + control.iam_root_user_hardware_mfa_enabled, + control.iam_root_user_mfa_enabled, + control.iam_root_user_no_access_keys, + control.iam_user_access_key_age_90, + control.iam_user_console_access_mfa_enabled, + control.iam_user_in_group, + control.iam_user_mfa_enabled, + control.iam_user_no_inline_attached_policies, + control.iam_user_unused_credentials_90, + control.secretsmanager_secret_automatic_rotation_enabled, + control.secretsmanager_secret_rotated_as_scheduled, + control.secretsmanager_secret_unused_90_day, + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ac_3_3_b_4" { + title = "AC-3(3)(b)(4)" + description = "Enforce [Assignment: organization-defined mandatory access policy] over the set of covered subjects and objects specified in the policy, and where the policy: (b) Specifies that a subject that has been granted access to information is constrained from doing any of the following; (4) Choosing the security attributes and attribute values (specified by the policy) to be associated with newly created or modified objects." 
+ children = [ + control.ec2_instance_uses_imdsv2, + control.iam_account_password_policy_min_length_14, + control.iam_group_user_role_no_inline_policies, + control.iam_policy_no_star_star, + control.iam_root_user_hardware_mfa_enabled, + control.iam_root_user_mfa_enabled, + control.iam_root_user_no_access_keys, + control.iam_user_access_key_age_90, + control.iam_user_console_access_mfa_enabled, + control.iam_user_in_group, + control.iam_user_mfa_enabled, + control.iam_user_no_inline_attached_policies, + control.iam_user_unused_credentials_90, + control.secretsmanager_secret_automatic_rotation_enabled, + control.secretsmanager_secret_rotated_as_scheduled, + control.secretsmanager_secret_unused_90_day + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ac_3_3_b_5" { + title = "AC-3(3)(b)(5)" + description = "Enforce [Assignment: organization-defined mandatory access policy] over the set of covered subjects and objects specified in the policy, and where the policy: (b) Specifies that a subject that has been granted access to information is constrained from doing any of the following; (5) Changing the rules governing access." 
+ children = [ + control.ec2_instance_uses_imdsv2, + control.iam_account_password_policy_min_length_14, + control.iam_group_user_role_no_inline_policies, + control.iam_policy_no_star_star, + control.iam_root_user_hardware_mfa_enabled, + control.iam_root_user_mfa_enabled, + control.iam_root_user_no_access_keys, + control.iam_user_access_key_age_90, + control.iam_user_console_access_mfa_enabled, + control.iam_user_in_group, + control.iam_user_mfa_enabled, + control.iam_user_no_inline_attached_policies, + control.iam_user_unused_credentials_90, + control.secretsmanager_secret_automatic_rotation_enabled, + control.secretsmanager_secret_rotated_as_scheduled, + control.secretsmanager_secret_unused_90_day + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ac_3_3_c" { + title = "AC-3(3)(c)" + description = "Enforce [Assignment: organization-defined mandatory access policy] over the set of covered subjects and objects specified in the policy, and where the policy: (c) Specifies that [Assignment: organization-defined subjects] may explicitly be granted [Assignment: organization-defined privileges] such that they are not limited by any defined subset (or all) of the above constraints." 
+ children = [ + control.ec2_instance_uses_imdsv2, + control.iam_account_password_policy_min_length_14, + control.iam_group_user_role_no_inline_policies, + control.iam_policy_no_star_star, + control.iam_root_user_hardware_mfa_enabled, + control.iam_root_user_mfa_enabled, + control.iam_root_user_no_access_keys, + control.iam_user_access_key_age_90, + control.iam_user_console_access_mfa_enabled, + control.iam_user_in_group, + control.iam_user_mfa_enabled, + control.iam_user_no_inline_attached_policies, + control.iam_user_unused_credentials_90, + control.secretsmanager_secret_automatic_rotation_enabled, + control.secretsmanager_secret_rotated_as_scheduled, + control.secretsmanager_secret_unused_90_day + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ac_3_4" { + title = "AC-3(4) Discretionary Access Control" + description = "Enforce [Assignment: organization-defined discretionary access control policy] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: (a) Pass the information to any other subjects or objects; (b) Grant its privileges to other subjects; (c) Change security attributes on subjects, objects, the system, or the system’s components; (d) Choose the security attributes to be associated with newly created or revised objects; or (e) Change the rules governing access control." 
+ children = [ + benchmark.nist_800_53_rev_5_ac_3_4_a, + benchmark.nist_800_53_rev_5_ac_3_4_b, + benchmark.nist_800_53_rev_5_ac_3_4_c, + benchmark.nist_800_53_rev_5_ac_3_4_d, + benchmark.nist_800_53_rev_5_ac_3_4_e, + control.ec2_instance_uses_imdsv2, + control.iam_account_password_policy_min_length_14, + control.iam_group_user_role_no_inline_policies, + control.iam_policy_no_star_star, + control.iam_root_user_hardware_mfa_enabled, + control.iam_root_user_mfa_enabled, + control.iam_root_user_no_access_keys, + control.iam_user_access_key_age_90, + control.iam_user_console_access_mfa_enabled, + control.iam_user_in_group, + control.iam_user_mfa_enabled, + control.iam_user_no_inline_attached_policies, + control.iam_user_unused_credentials_90, + control.secretsmanager_secret_automatic_rotation_enabled, + control.secretsmanager_secret_rotated_as_scheduled, + control.secretsmanager_secret_unused_90_day + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ac_3_4_a" { + title = "AC-3(4)(a)" + description = "Enforce [Assignment: organization-defined discretionary access policy] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: (a) Pass the information to any other subjects or objects." 
+ children = [ + control.ec2_instance_uses_imdsv2, + control.iam_account_password_policy_min_length_14, + control.iam_group_user_role_no_inline_policies, + control.iam_policy_no_star_star, + control.iam_root_user_hardware_mfa_enabled, + control.iam_root_user_mfa_enabled, + control.iam_root_user_no_access_keys, + control.iam_user_access_key_age_90, + control.iam_user_console_access_mfa_enabled, + control.iam_user_in_group, + control.iam_user_mfa_enabled, + control.iam_user_no_inline_attached_policies, + control.iam_user_unused_credentials_90, + control.secretsmanager_secret_automatic_rotation_enabled, + control.secretsmanager_secret_rotated_as_scheduled, + control.secretsmanager_secret_unused_90_day + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ac_3_4_b" { + title = "AC-3(4)(b)" + description = "Enforce [Assignment: organization-defined discretionary access policy] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: (b) Grant its privileges to other subjects." 
+ children = [ + control.secretsmanager_secret_unused_90_day, + control.secretsmanager_secret_rotated_as_scheduled, + control.secretsmanager_secret_automatic_rotation_enabled, + control.iam_user_unused_credentials_90, + control.iam_user_no_inline_attached_policies, + control.iam_user_mfa_enabled, + control.iam_user_in_group, + control.iam_user_console_access_mfa_enabled, + control.iam_user_access_key_age_90, + control.iam_root_user_no_access_keys, + control.iam_root_user_mfa_enabled, + control.iam_root_user_hardware_mfa_enabled, + control.iam_policy_no_star_star, + control.iam_group_user_role_no_inline_policies, + control.iam_account_password_policy_min_length_14, + control.ec2_instance_uses_imdsv2 + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ac_3_4_c" { + title = "AC-3(4)(c)" + description = "Enforce [Assignment: organization-defined discretionary access policy] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: (c) Change security attributes on subjects, objects, the system, or the system’s components." 
+ children = [ + control.ec2_instance_uses_imdsv2, + control.iam_account_password_policy_min_length_14, + control.iam_group_user_role_no_inline_policies, + control.iam_policy_no_star_star, + control.iam_root_user_hardware_mfa_enabled, + control.iam_root_user_mfa_enabled, + control.iam_root_user_no_access_keys, + control.iam_user_access_key_age_90, + control.iam_user_console_access_mfa_enabled, + control.iam_user_in_group, + control.iam_user_mfa_enabled, + control.iam_user_no_inline_attached_policies, + control.iam_user_unused_credentials_90, + control.secretsmanager_secret_automatic_rotation_enabled, + control.secretsmanager_secret_rotated_as_scheduled, + control.secretsmanager_secret_unused_90_day + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ac_3_4_d" { + title = "AC-3(4)(d)" + description = "Enforce [Assignment: organization-defined discretionary access policy] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: (d) Choose the security attributes to be associated with newly created or revised objects." 
+ children = [ + control.ec2_instance_uses_imdsv2, + control.iam_account_password_policy_min_length_14, + control.iam_group_user_role_no_inline_policies, + control.iam_policy_no_star_star, + control.iam_root_user_hardware_mfa_enabled, + control.iam_root_user_mfa_enabled, + control.iam_root_user_no_access_keys, + control.iam_user_access_key_age_90, + control.iam_user_console_access_mfa_enabled, + control.iam_user_in_group, + control.iam_user_mfa_enabled, + control.iam_user_no_inline_attached_policies, + control.iam_user_unused_credentials_90, + control.secretsmanager_secret_automatic_rotation_enabled, + control.secretsmanager_secret_rotated_as_scheduled, + control.secretsmanager_secret_unused_90_day + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ac_3_4_e" { + title = "AC-3(4)(e)" + description = "Enforce [Assignment: organization-defined discretionary access policy] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: (e) Change the rules governing access." 
+ children = [
+ control.ec2_instance_uses_imdsv2,
+ control.iam_account_password_policy_min_length_14,
+ control.iam_group_user_role_no_inline_policies,
+ control.iam_policy_no_star_star,
+ control.iam_root_user_hardware_mfa_enabled,
+ control.iam_root_user_mfa_enabled,
+ control.iam_root_user_no_access_keys,
+ control.iam_user_access_key_age_90,
+ control.iam_user_console_access_mfa_enabled,
+ control.iam_user_in_group,
+ control.iam_user_mfa_enabled,
+ control.iam_user_no_inline_attached_policies,
+ control.iam_user_unused_credentials_90,
+ control.secretsmanager_secret_automatic_rotation_enabled,
+ control.secretsmanager_secret_rotated_as_scheduled,
+ control.secretsmanager_secret_unused_90_day
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ac_3_7" {
+ title = "AC-3(7) Role-Based Access Control"
+ description = "Enforce a role-based access control policy over defined subjects and objects and control access based upon [Assignment: organization-defined roles and users authorized to assume such roles]."
+ children = [
+ control.s3_bucket_restrict_public_read_access,
+ control.dms_replication_instance_not_publicly_accessible,
+ control.ebs_snapshot_not_publicly_restorable,
+ control.ec2_instance_in_vpc,
+ control.ec2_instance_not_publicly_accessible,
+ control.ec2_instance_uses_imdsv2,
+ control.emr_cluster_master_nodes_no_public_ip,
+ control.es_domain_in_vpc,
+ control.iam_group_user_role_no_inline_policies,
+ control.iam_policy_no_star_star,
+ control.iam_root_user_no_access_keys,
+ control.iam_user_in_group,
+ control.iam_user_no_inline_attached_policies,
+ control.iam_user_unused_credentials_90,
+ control.lambda_function_in_vpc,
+ control.lambda_function_restrict_public_access,
+ control.rds_db_instance_prohibit_public_access,
+ control.rds_db_snapshot_prohibit_public_access,
+ control.redshift_cluster_prohibit_public_access,
+ control.s3_bucket_restrict_public_write_access,
+ control.s3_public_access_block_account,
+ control.s3_public_access_block_bucket,
+ control.sagemaker_notebook_instance_direct_internet_access_disabled,
+ control.vpc_subnet_auto_assign_public_ip_disabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ac_3_8" {
+ title = "AC-3(8) Revocation Of Access Authorizations"
+ description = "Enforce the revocation of access authorizations resulting from changes to the security attributes of subjects and objects based on [Assignment: organization-defined rules governing the timing of revocations of access authorizations]."
+ children = [
+ control.ec2_instance_uses_imdsv2,
+ control.iam_account_password_policy_min_length_14,
+ control.iam_group_user_role_no_inline_policies,
+ control.iam_policy_no_star_star,
+ control.iam_root_user_hardware_mfa_enabled,
+ control.iam_root_user_mfa_enabled,
+ control.iam_root_user_no_access_keys,
+ control.iam_user_access_key_age_90,
+ control.iam_user_console_access_mfa_enabled,
+ control.iam_user_in_group,
+ control.iam_user_mfa_enabled,
+ control.iam_user_no_inline_attached_policies,
+ control.iam_user_unused_credentials_90,
+ control.secretsmanager_secret_automatic_rotation_enabled,
+ control.secretsmanager_secret_rotated_as_scheduled,
+ control.secretsmanager_secret_unused_90_day
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ac_3_10" {
+ title = "AC-3(10) Audited Override Of Access Control Mechanisms"
+ description = "Employ an audited override of automated access mechanisms under [Assignment: organization-defined conditions] by [Assignment: organization-defined roles]."
+ children = [
+ control.cloudtrail_multi_region_trail_enabled,
+ control.cloudtrail_s3_data_events_enabled,
+ control.cloudtrail_trail_enabled,
+ control.cloudtrail_trail_integrated_with_logs,
+ control.rds_db_instance_logging_enabled,
+ control.redshift_cluster_encryption_logging_enabled,
+ control.s3_bucket_logging_enabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ac_3_12" {
+ title = "AC-3(12) Assert And Enforce Application Access"
+ description = "a. Require applications to assert, as part of the installation process, the access needed to the following system applications and functions: [Assignment: organization-defined system applications and functions];b. Provide an enforcement mechanism to prevent unauthorized access; and c. Approve access changes after initial installation of the application."
+ children = [
+ benchmark.nist_800_53_rev_5_ac_3_12_a,
+ benchmark.nist_800_53_rev_5_ac_3_12_b
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ac_3_12_a" {
+ title = "AC-3(12)(a)"
+ description = "Require applications to assert, as part of the installation process, the access needed to the following system applications and functions: [Assignment: organization-defined system applications and functions]."
+ children = [
+ control.ec2_instance_uses_imdsv2,
+ control.iam_account_password_policy_min_length_14,
+ control.iam_group_user_role_no_inline_policies,
+ control.iam_policy_no_star_star,
+ control.iam_root_user_hardware_mfa_enabled,
+ control.iam_root_user_mfa_enabled,
+ control.iam_root_user_no_access_keys,
+ control.iam_user_access_key_age_90,
+ control.iam_user_console_access_mfa_enabled,
+ control.iam_user_in_group,
+ control.iam_user_mfa_enabled,
+ control.iam_user_no_inline_attached_policies,
+ control.iam_user_unused_credentials_90,
+ control.secretsmanager_secret_automatic_rotation_enabled,
+ control.secretsmanager_secret_rotated_as_scheduled,
+ control.secretsmanager_secret_unused_90_day
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ac_3_12_b" {
+ title = "AC-3(12)(b)"
+ description = "Provide an enforcement mechanism to prevent unauthorized access;"
+ children = [
+ control.guardduty_enabled
+ ]
+
+ tags = merge(local.nist_800_53_rev_5_common_tags, {
+ service = "AWS/GuardDuty"
+ })
+}
+
+benchmark "nist_800_53_rev_5_ac_3_13" {
+ title = "AC-3(13) Attribute-Based Access Control"
+ description = "Enforce attribute-based access control policy over defined subjects and objects and control access based upon [Assignment: organization-defined attributes to assume access permissions]."
+ children = [
+ control.ec2_instance_uses_imdsv2,
+ control.iam_account_password_policy_min_length_14,
+ control.iam_group_user_role_no_inline_policies,
+ control.iam_policy_no_star_star,
+ control.iam_root_user_hardware_mfa_enabled,
+ control.iam_root_user_mfa_enabled,
+ control.iam_root_user_no_access_keys,
+ control.iam_user_access_key_age_90,
+ control.iam_user_console_access_mfa_enabled,
+ control.iam_user_in_group,
+ control.iam_user_mfa_enabled,
+ control.iam_user_no_inline_attached_policies,
+ control.iam_user_unused_credentials_90,
+ control.secretsmanager_secret_automatic_rotation_enabled,
+ control.secretsmanager_secret_rotated_as_scheduled,
+ control.secretsmanager_secret_unused_90_day
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ac_3_15" {
+ title = "AC-3(15) Discretionary And Mandatory Access Control"
+ description = "a. Enforce [Assignment: organization-defined mandatory access control policy] over the set of covered subjects and objects specified in the policy; and b. Enforce [Assignment: organization-defined discretionary access control policy] over the set of covered subjects and objects specified in the policy."
+ children = [
+ benchmark.nist_800_53_rev_5_ac_3_15_a,
+ benchmark.nist_800_53_rev_5_ac_3_15_b
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ac_3_15_a" {
+ title = "AC-3(15)(a)"
+ description = "Enforce [Assignment: organization-defined mandatory access control policy] over the set of covered subjects and objects specified in the policy."
+ children = [
+ control.ec2_instance_uses_imdsv2,
+ control.iam_account_password_policy_min_length_14,
+ control.iam_group_user_role_no_inline_policies,
+ control.iam_policy_no_star_star,
+ control.iam_root_user_hardware_mfa_enabled,
+ control.iam_root_user_mfa_enabled,
+ control.iam_root_user_no_access_keys,
+ control.iam_user_access_key_age_90,
+ control.iam_user_console_access_mfa_enabled,
+ control.iam_user_in_group,
+ control.iam_user_mfa_enabled,
+ control.iam_user_no_inline_attached_policies,
+ control.iam_user_unused_credentials_90,
+ control.secretsmanager_secret_automatic_rotation_enabled,
+ control.secretsmanager_secret_rotated_as_scheduled,
+ control.secretsmanager_secret_unused_90_day
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ac_3_15_b" {
+ title = "AC-3(15)(b)"
+ description = "Enforce [Assignment: organization-defined discretionary access control policy] over the set of covered subjects and objects specified in the policy."
+ children = [
+ control.ec2_instance_uses_imdsv2,
+ control.iam_account_password_policy_min_length_14,
+ control.iam_group_user_role_no_inline_policies,
+ control.iam_policy_no_star_star,
+ control.iam_root_user_hardware_mfa_enabled,
+ control.iam_root_user_mfa_enabled,
+ control.iam_root_user_no_access_keys,
+ control.iam_user_access_key_age_90,
+ control.iam_user_console_access_mfa_enabled,
+ control.iam_user_in_group,
+ control.iam_user_mfa_enabled,
+ control.iam_user_no_inline_attached_policies,
+ control.iam_user_unused_credentials_90,
+ control.secretsmanager_secret_automatic_rotation_enabled,
+ control.secretsmanager_secret_rotated_as_scheduled,
+ control.secretsmanager_secret_unused_90_day
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ac_4" {
+ title = "Information Flow Enforcement (AC-4)"
+ description = "Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on 
[Assignment: organization-defined information flow control policies]."
+ children = [
+ benchmark.nist_800_53_rev_5_ac_4_21,
+ benchmark.nist_800_53_rev_5_ac_4_22,
+ benchmark.nist_800_53_rev_5_ac_4_26,
+ benchmark.nist_800_53_rev_5_ac_4_28,
+ control.apigateway_rest_api_stage_use_ssl_certificate,
+ control.elb_application_lb_redirect_http_request_to_https,
+ control.elb_classic_lb_use_ssl_certificate,
+ control.elb_classic_lb_use_tls_https_listeners,
+ control.es_domain_node_to_node_encryption_enabled,
+ control.redshift_cluster_encryption_in_transit_enabled,
+ control.s3_bucket_enforces_ssl
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ac_4_21" {
+ title = "AC-4(21) Physical Or Logical Separation Of Infomation Flows"
+ description = "Separate information flows logically or physically using [Assignment: organization-defined mechanisms and/or techniques] to accomplish [Assignment: organization-defined required separations by types of information]."
+ children = [
+ control.apigateway_stage_use_waf_web_acl,
+ control.autoscaling_launch_config_public_ip_disabled,
+ control.dms_replication_instance_not_publicly_accessible,
+ control.ebs_snapshot_not_publicly_restorable,
+ control.ec2_instance_in_vpc,
+ control.ec2_instance_not_publicly_accessible,
+ control.elb_application_lb_waf_enabled,
+ control.emr_cluster_master_nodes_no_public_ip,
+ control.es_domain_in_vpc,
+ control.lambda_function_in_vpc,
+ control.lambda_function_restrict_public_access,
+ control.rds_db_instance_prohibit_public_access,
+ control.rds_db_snapshot_prohibit_public_access,
+ control.redshift_cluster_enhanced_vpc_routing_enabled,
+ control.redshift_cluster_prohibit_public_access,
+ control.s3_bucket_restrict_public_read_access,
+ control.s3_bucket_restrict_public_write_access,
+ control.s3_public_access_block_account,
+ control.s3_public_access_block_bucket,
+ control.sagemaker_notebook_instance_direct_internet_access_disabled,
+ control.vpc_default_security_group_restricts_all_traffic,
+ control.vpc_route_table_restrict_public_access_to_igw,
+ control.vpc_security_group_restrict_ingress_common_ports_all,
+ control.vpc_security_group_restrict_ingress_tcp_udp_all,
+ control.vpc_subnet_auto_assign_public_ip_disabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ac_4_22" {
+ title = "AC-4(22) Access Only"
+ description = "Provide access from a single device to computing platforms, applications, or data residing in multiple different security domains, while preventing information flow between the different security domains."
+ children = [
+ control.apigateway_rest_api_stage_use_ssl_certificate,
+ control.elb_application_lb_redirect_http_request_to_https,
+ control.elb_classic_lb_use_ssl_certificate,
+ control.elb_classic_lb_use_tls_https_listeners,
+ control.es_domain_node_to_node_encryption_enabled,
+ control.redshift_cluster_encryption_in_transit_enabled,
+ control.s3_bucket_enforces_ssl
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ac_4_26" {
+ title = "AC-4(26) Audit Filtering Actions"
+ description = "When transferring information between different security domains, record and audit content filtering actions and results for the information being filtered."
+ children = [
+ control.apigateway_stage_logging_enabled,
+ control.cloudtrail_multi_region_trail_enabled,
+ control.cloudtrail_s3_data_events_enabled,
+ control.cloudtrail_trail_enabled,
+ control.cloudtrail_trail_integrated_with_logs,
+ control.elb_application_classic_lb_logging_enabled,
+ control.rds_db_instance_logging_enabled,
+ control.redshift_cluster_encryption_logging_enabled,
+ control.s3_bucket_logging_enabled,
+ control.vpc_flow_logs_enabled,
+ control.wafv2_web_acl_logging_enabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ac_4_28" {
+ title = "AC-4(28) Linear Filter Pipelines"
+ description = "When transferring information between different security domains, implement a linear content filter pipeline that is enforced with discretionary and mandatory access controls."
+ children = [
+ control.ec2_instance_uses_imdsv2,
+ control.iam_account_password_policy_min_length_14,
+ control.iam_group_user_role_no_inline_policies,
+ control.iam_policy_no_star_star,
+ control.iam_root_user_hardware_mfa_enabled,
+ control.iam_root_user_mfa_enabled,
+ control.iam_root_user_no_access_keys,
+ control.iam_user_access_key_age_90,
+ control.iam_user_console_access_mfa_enabled,
+ control.iam_user_in_group,
+ control.iam_user_mfa_enabled,
+ control.iam_user_no_inline_attached_policies,
+ control.iam_user_unused_credentials_90,
+ control.secretsmanager_secret_automatic_rotation_enabled,
+ control.secretsmanager_secret_rotated_as_scheduled,
+ control.secretsmanager_secret_unused_90_day
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ac_5" {
+ title = "Separation Of Duties (AC-5)"
+ description = "Separate duties of individuals to prevent malevolent activity. automate separation of duties and access authorizations."
+ children = [
+ benchmark.nist_800_53_rev_5_ac_5_b
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ac_5_b" {
+ title = "AC-5(b)"
+ description = "Define system access authorizations to support separation of duties."
+ children = [
+ control.ecs_task_definition_user_for_host_mode_check,
+ control.iam_all_policy_no_service_wild_card,
+ control.iam_policy_no_star_star
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ac_6" {
+ title = "Least Privilege (AC-6)"
+ description = "Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks."
+ children = [
+ benchmark.nist_800_53_rev_5_ac_6_2,
+ benchmark.nist_800_53_rev_5_ac_6_3,
+ benchmark.nist_800_53_rev_5_ac_6_9,
+ benchmark.nist_800_53_rev_5_ac_6_10,
+ control.dms_replication_instance_not_publicly_accessible,
+ control.ebs_snapshot_not_publicly_restorable,
+ control.ec2_instance_in_vpc,
+ control.ec2_instance_not_publicly_accessible,
+ control.ec2_instance_uses_imdsv2,
+ control.emr_cluster_master_nodes_no_public_ip,
+ control.es_domain_in_vpc,
+ control.iam_group_user_role_no_inline_policies,
+ control.iam_policy_no_star_star,
+ control.iam_root_user_no_access_keys,
+ control.iam_user_in_group,
+ control.iam_user_no_inline_attached_policies,
+ control.iam_user_unused_credentials_90,
+ control.lambda_function_in_vpc,
+ control.lambda_function_restrict_public_access,
+ control.rds_db_instance_prohibit_public_access,
+ control.rds_db_snapshot_prohibit_public_access,
+ control.redshift_cluster_prohibit_public_access,
+ control.s3_bucket_restrict_public_read_access,
+ control.s3_bucket_restrict_public_write_access,
+ control.s3_public_access_block_account,
+ control.s3_public_access_block_bucket,
+ control.sagemaker_notebook_instance_direct_internet_access_disabled,
+ control.vpc_subnet_auto_assign_public_ip_disabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ac_6_2" {
+ title = "AC-6(2)"
+ description = "Require that users of system accounts (or roles) with access to [Assignment: organization-defined security functions or security-relevant information] use non-privileged accounts or roles, when accessing nonsecurity functions."
+ children = [
+ control.iam_all_policy_no_service_wild_card,
+ control.iam_policy_no_star_star,
+ control.iam_root_user_no_access_keys
+ ]
+
+ tags = merge(local.nist_800_53_rev_5_common_tags, {
+ service = "AWS/IAM"
+ })
+}
+
+benchmark "nist_800_53_rev_5_ac_6_3" {
+ title = "AC-6(3)"
+ description = "Authorize network access to [Assignment: organization-defined privileged commands] only for [Assignment: organization-defined compelling operational needs] and document the rationale for such access in the security plan for the system."
+ children = [
+ control.iam_group_user_role_no_inline_policies,
+ control.iam_policy_no_star_star,
+ control.iam_user_in_group,
+ control.iam_user_no_inline_attached_policies
+ ]
+
+ tags = merge(local.nist_800_53_rev_5_common_tags, {
+ service = "AWS/IAM"
+ })
+}
+
+benchmark "nist_800_53_rev_5_ac_6_9" {
+ title = "AC-6(9)"
+ description = "Log the execution of privileged functions."
+ children = [
+ control.cloudtrail_multi_region_trail_enabled,
+ control.cloudtrail_s3_data_events_enabled,
+ control.cloudtrail_trail_enabled,
+ control.cloudtrail_trail_integrated_with_logs,
+ control.rds_db_instance_logging_enabled,
+ control.redshift_cluster_encryption_logging_enabled,
+ control.s3_bucket_logging_enabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ac_6_10" {
+ title = "AC-6(10)"
+ description = "Prevent non-privileged users from executing privileged functions."
+ children = [
+ control.iam_all_policy_no_service_wild_card,
+ control.iam_policy_no_star_star,
+ control.iam_root_user_no_access_keys
+ ]
+
+ tags = merge(local.nist_800_53_rev_5_common_tags, {
+ service = "AWS/IAM"
+ })
+}
+
+benchmark "nist_800_53_rev_5_ac_7" {
+ title = "Unsuccessful Logon Attempts (AC-7)"
+ description = "a. Enforce a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during a [Assignment:organization-defined time period]; and b. 
Automatically [Selection (one or more): lock the account or node for an [Assignment: organization-defined time period]; lock the account or node until released by an administrator; delay next logon prompt per [Assignment: organization-defined delay algorithm]; notify system administrator; take other[Assignment: organization-defined action]] when the maximum number of unsuccessful attempts is exceeded."
+ children = [
+ benchmark.nist_800_53_rev_5_ac_7_4
+ ]
+
+ tags = merge(local.nist_800_53_rev_5_common_tags, {
+ service = "AWS/IAM"
+ })
+}
+
+benchmark "nist_800_53_rev_5_ac_7_4" {
+ title = "AC-7(4) Use Of Alternate Authentication Factor"
+ description = "a. Allow the use of [Assignment: organization-defined authentication factors] that are different from the primary authentication factors after the number of organization-defined consecutive invalid logon attempts have been exceeded; and b. Enforce a limit of [Assignment: organization-defined number] consecutive invalid logon attempts through use of the alternative factors by a user during a [Assignment: organization-defined time period]."
+ children = [
+ benchmark.nist_800_53_rev_5_ac_7_4_a,
+ control.iam_account_password_policy_min_length_14,
+ control.iam_root_user_hardware_mfa_enabled,
+ control.iam_root_user_mfa_enabled,
+ control.iam_user_console_access_mfa_enabled,
+ control.iam_user_mfa_enabled
+ ]
+
+ tags = merge(local.nist_800_53_rev_5_common_tags, {
+ service = "AWS/IAM"
+ })
+}
+
+benchmark "nist_800_53_rev_5_ac_7_4_a" {
+ title = "AC-7(4)(a)"
+ description = "Allow the use of [Assignment: organization-defined authentication factors] that are different from the primary authentication factors after the number of organization-defined consecutive invalid logon attempts have been exceeded."
+ children = [
+ control.iam_account_password_policy_min_length_14,
+ control.iam_root_user_hardware_mfa_enabled,
+ control.iam_root_user_mfa_enabled,
+ control.iam_user_console_access_mfa_enabled,
+ control.iam_user_mfa_enabled
+ ]
+
+ tags = merge(local.nist_800_53_rev_5_common_tags, {
+ service = "AWS/IAM"
+ })
+}
+
+benchmark "nist_800_53_rev_5_ac_16" {
+ title = "Security And Privacy Attributes (AC-16)"
+ description = "a. Provide the means to associate [Assignment: organization-defined types of security and privacy attributes] with [Assignment: organization-defined security and privacy attribute values] for information in storage, in process, and/or in transmission; b. Ensure that the attribute associations are made and retained with the information; c. Establish the following permitted security and privacy attributes from the attributes defined in AC-16a for [Assignment: organization-defined systems]: [Assignment: organization-defined security and privacy attributes]."
+ children = [
+ benchmark.nist_800_53_rev_5_ac_16_b
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ac_16_b" {
+ title = "AC-16(b)"
+ description = "Ensure that the attribute associations are made and retained with the information."
+ children = [
+ control.cloudwatch_log_group_retention_period_365
+ ]
+
+ tags = merge(local.nist_800_53_rev_5_common_tags, {
+ service = "AWS/CloudWatch"
+ })
+}
+
+benchmark "nist_800_53_rev_5_ac_17" {
+ title = "Remote Access (AC-17)"
+ description = "Authorize remote access systems prior to connection. Enforce remote connection requirements to information systems."
+ children = [
+ benchmark.nist_800_53_rev_5_ac_17_1,
+ benchmark.nist_800_53_rev_5_ac_17_2,
+ benchmark.nist_800_53_rev_5_ac_17_4,
+ benchmark.nist_800_53_rev_5_ac_17_9,
+ benchmark.nist_800_53_rev_5_ac_17_10,
+ benchmark.nist_800_53_rev_5_ac_17_b
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ac_17_b" {
+ title = "AC-17(b)"
+ description = "Authorize each type of remote access to the system prior to allowing such connections."
+ children = [
+ control.dms_replication_instance_not_publicly_accessible,
+ control.ebs_snapshot_not_publicly_restorable,
+ control.ec2_instance_in_vpc,
+ control.ec2_instance_not_publicly_accessible,
+ control.emr_cluster_master_nodes_no_public_ip,
+ control.es_domain_in_vpc,
+ control.lambda_function_in_vpc,
+ control.lambda_function_restrict_public_access,
+ control.rds_db_instance_prohibit_public_access,
+ control.rds_db_snapshot_prohibit_public_access,
+ control.redshift_cluster_prohibit_public_access,
+ control.s3_bucket_restrict_public_read_access,
+ control.s3_bucket_restrict_public_write_access,
+ control.s3_public_access_block_account,
+ control.s3_public_access_block_bucket,
+ control.sagemaker_notebook_instance_direct_internet_access_disabled,
+ control.vpc_default_security_group_restricts_all_traffic,
+ control.vpc_security_group_restrict_ingress_common_ports_all,
+ control.vpc_security_group_restrict_ingress_ssh_all,
+ control.vpc_security_group_restrict_ingress_tcp_udp_all,
+ control.vpc_subnet_auto_assign_public_ip_disabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ac_17_1" {
+ title = "AC-17(1) Monitoring And Control"
+ description = "Employ automated mechanisms to monitor and control remote access methods."
+ children = [
+ control.dms_replication_instance_not_publicly_accessible,
+ control.ebs_snapshot_not_publicly_restorable,
+ control.ec2_instance_in_vpc,
+ control.ec2_instance_not_publicly_accessible,
+ control.emr_cluster_master_nodes_no_public_ip,
+ control.es_domain_in_vpc,
+ control.lambda_function_in_vpc,
+ control.lambda_function_restrict_public_access,
+ control.rds_db_instance_prohibit_public_access,
+ control.rds_db_snapshot_prohibit_public_access,
+ control.redshift_cluster_prohibit_public_access,
+ control.s3_bucket_restrict_public_read_access,
+ control.s3_bucket_restrict_public_write_access,
+ control.s3_public_access_block_account,
+ control.s3_public_access_block_bucket,
+ control.sagemaker_notebook_instance_direct_internet_access_disabled,
+ control.vpc_default_security_group_restricts_all_traffic,
+ control.vpc_security_group_restrict_ingress_common_ports_all,
+ control.vpc_security_group_restrict_ingress_ssh_all,
+ control.vpc_security_group_restrict_ingress_tcp_udp_all,
+ control.vpc_subnet_auto_assign_public_ip_disabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ac_17_2" {
+ title = "AC-17(2) Protection Of Confidentiality And Integrity Using Encryption"
+ description = "Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions."
+ children = [
+ control.apigateway_rest_api_stage_use_ssl_certificate,
+ control.elb_application_lb_redirect_http_request_to_https,
+ control.elb_classic_lb_use_ssl_certificate,
+ control.elb_classic_lb_use_tls_https_listeners,
+ control.s3_bucket_enforces_ssl
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ac_17_4" {
+ title = "AC-17(4) Privileged Commands And Access"
+ description = "a. 
Authorize the execution of privileged commands and access to security-relevant information via remote access only in a format that provides assessable evidence and for the following needs: [Assignment: organization-defined needs]; and b. Document the rationale for remote access in the security plan for the system."
+ children = [
+ benchmark.nist_800_53_rev_5_ac_17_4_a
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ac_17_4_a" {
+ title = "AC-17(4)(a)"
+ description = "Authorize the execution of privileged commands and access to security-relevant information via remote access only in a format that provides assessable evidence and for the following needs: [Assignment: organization-defined needs];"
+ children = [
+ control.dms_replication_instance_not_publicly_accessible,
+ control.ebs_snapshot_not_publicly_restorable,
+ control.ec2_instance_in_vpc,
+ control.ec2_instance_not_publicly_accessible,
+ control.emr_cluster_master_nodes_no_public_ip,
+ control.es_domain_in_vpc,
+ control.lambda_function_in_vpc,
+ control.lambda_function_restrict_public_access,
+ control.rds_db_instance_prohibit_public_access,
+ control.rds_db_snapshot_prohibit_public_access,
+ control.redshift_cluster_prohibit_public_access,
+ control.s3_bucket_restrict_public_read_access,
+ control.s3_bucket_restrict_public_write_access,
+ control.s3_public_access_block_account,
+ control.s3_public_access_block_bucket,
+ control.sagemaker_notebook_instance_direct_internet_access_disabled,
+ control.vpc_default_security_group_restricts_all_traffic,
+ control.vpc_security_group_restrict_ingress_common_ports_all,
+ control.vpc_security_group_restrict_ingress_tcp_udp_all,
+ control.vpc_subnet_auto_assign_public_ip_disabled,
+ control.vpc_security_group_restrict_ingress_ssh_all
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ac_17_9" {
+ title = "AC-17(9) Disconnect Or Disable Access"
+ description = "Provide the capability to 
disconnect or disable remote access to the system within [Assignment: organization-defined time period]."
+ children = [
+ control.dms_replication_instance_not_publicly_accessible,
+ control.ebs_snapshot_not_publicly_restorable,
+ control.ec2_instance_in_vpc,
+ control.ec2_instance_not_publicly_accessible,
+ control.emr_cluster_master_nodes_no_public_ip,
+ control.es_domain_in_vpc,
+ control.lambda_function_in_vpc,
+ control.lambda_function_restrict_public_access,
+ control.rds_db_instance_prohibit_public_access,
+ control.rds_db_snapshot_prohibit_public_access,
+ control.redshift_cluster_prohibit_public_access,
+ control.s3_bucket_restrict_public_read_access,
+ control.s3_bucket_restrict_public_write_access,
+ control.s3_public_access_block_account,
+ control.s3_public_access_block_bucket,
+ control.sagemaker_notebook_instance_direct_internet_access_disabled,
+ control.vpc_default_security_group_restricts_all_traffic,
+ control.vpc_security_group_restrict_ingress_common_ports_all,
+ control.vpc_security_group_restrict_ingress_ssh_all,
+ control.vpc_security_group_restrict_ingress_tcp_udp_all,
+ control.vpc_subnet_auto_assign_public_ip_disabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ac_17_10" {
+ title = "AC-17(10) Authenticate Remote Commands"
+ description = "Provide the capability to disconnect or disable remote access to the system within [Assignment: organization-defined time period]."
+ children = [
+ control.dms_replication_instance_not_publicly_accessible,
+ control.ebs_snapshot_not_publicly_restorable,
+ control.ec2_instance_in_vpc,
+ control.ec2_instance_not_publicly_accessible,
+ control.emr_cluster_master_nodes_no_public_ip,
+ control.es_domain_in_vpc,
+ control.lambda_function_in_vpc,
+ control.lambda_function_restrict_public_access,
+ control.rds_db_instance_prohibit_public_access,
+ control.rds_db_snapshot_prohibit_public_access,
+ control.redshift_cluster_prohibit_public_access,
+ control.s3_bucket_restrict_public_read_access,
+ control.s3_bucket_restrict_public_write_access,
+ control.s3_public_access_block_account,
+ control.s3_public_access_block_bucket,
+ control.sagemaker_notebook_instance_direct_internet_access_disabled,
+ control.vpc_default_security_group_restricts_all_traffic,
+ control.vpc_security_group_restrict_ingress_common_ports_all,
+ control.vpc_security_group_restrict_ingress_ssh_all,
+ control.vpc_security_group_restrict_ingress_tcp_udp_all,
+ control.vpc_subnet_auto_assign_public_ip_disabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ac_24" {
+ title = "Access Control Decisions (AC-24)"
+ description = "[Selection: Establish procedures; Implement mechanisms] to ensure [Assignment: organization-defined access control decisions] are applied to each access request prior to access enforcement."
+ children = [
+ benchmark.nist_800_53_rev_5_ac_24_1,
+ control.ec2_instance_uses_imdsv2,
+ control.iam_account_password_policy_min_length_14,
+ control.iam_group_user_role_no_inline_policies,
+ control.iam_policy_no_star_star,
+ control.iam_root_user_hardware_mfa_enabled,
+ control.iam_root_user_mfa_enabled,
+ control.iam_root_user_no_access_keys,
+ control.iam_user_access_key_age_90,
+ control.iam_user_console_access_mfa_enabled,
+ control.iam_user_in_group,
+ control.iam_user_mfa_enabled,
+ control.iam_user_no_inline_attached_policies,
+ control.iam_user_unused_credentials_90,
+ control.secretsmanager_secret_automatic_rotation_enabled,
+ control.secretsmanager_secret_rotated_as_scheduled,
+ control.secretsmanager_secret_unused_90_day
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ac_24_1" {
+ title = "AC-24(1)"
+ description = "Transmit [Assignment: organization-defined access authorization information] using [Assignment: organization-defined controls] to [Assignment: organization-defined systems] that enforce access control decisions."
+ children = [
+ control.apigateway_rest_api_stage_use_ssl_certificate,
+ control.elb_application_lb_redirect_http_request_to_https,
+ control.elb_classic_lb_use_ssl_certificate,
+ control.elb_classic_lb_use_tls_https_listeners,
+ control.es_domain_node_to_node_encryption_enabled,
+ control.redshift_cluster_encryption_in_transit_enabled,
+ control.s3_bucket_enforces_ssl
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
\ No newline at end of file
diff --git a/nist_800_53_rev_5/au.sp b/nist_800_53_rev_5/au.sp
new file mode 100644
index 00000000..b44507d3
--- /dev/null
+++ b/nist_800_53_rev_5/au.sp
@@ -0,0 +1,764 @@
+benchmark "nist_800_53_rev_5_au" {
+ title = "Audit and Accountability (AU)"
+ description = "The AU control family consists of security controls related to an organization’s audit capabilities. This includes audit policies and procedures, audit logging, audit report generation, and protection of audit information."
+ children = [
+ benchmark.nist_800_53_rev_5_au_2,
+ benchmark.nist_800_53_rev_5_au_3,
+ benchmark.nist_800_53_rev_5_au_4,
+ benchmark.nist_800_53_rev_5_au_6,
+ benchmark.nist_800_53_rev_5_au_7,
+ benchmark.nist_800_53_rev_5_au_8,
+ benchmark.nist_800_53_rev_5_au_9,
+ benchmark.nist_800_53_rev_5_au_10,
+ benchmark.nist_800_53_rev_5_au_11,
+ benchmark.nist_800_53_rev_5_au_12,
+ benchmark.nist_800_53_rev_5_au_14,
+ benchmark.nist_800_53_rev_5_au_16
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+
+benchmark "nist_800_53_rev_5_au_2" {
+ title = "Event Logging (AU-2)"
+ description = "Automate security audit function with other organizational entities. Enable mutual support of audit of auditable events."
+ children = [
+ benchmark.nist_800_53_rev_5_au_2_b
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_au_2_b" {
+ title = "AU-2(b)"
+ description = "Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged."
+ children = [
+ control.apigateway_stage_logging_enabled,
+ control.cloudtrail_multi_region_trail_enabled,
+ control.cloudtrail_s3_data_events_enabled,
+ control.cloudtrail_trail_enabled,
+ control.cloudtrail_trail_integrated_with_logs,
+ control.elb_application_classic_lb_logging_enabled,
+ control.rds_db_instance_logging_enabled,
+ control.redshift_cluster_encryption_logging_enabled,
+ control.s3_bucket_logging_enabled,
+ control.vpc_flow_logs_enabled,
+ control.wafv2_web_acl_logging_enabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_au_3" {
+ title = "Content of Audit Records (AU-3)"
+ description = "The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event."
+ children = [
+ benchmark.nist_800_53_rev_5_au_3_1,
+ benchmark.nist_800_53_rev_5_au_3_a,
+ benchmark.nist_800_53_rev_5_au_3_b,
+ benchmark.nist_800_53_rev_5_au_3_c,
+ benchmark.nist_800_53_rev_5_au_3_d,
+ benchmark.nist_800_53_rev_5_au_3_e,
+ benchmark.nist_800_53_rev_5_au_3_f
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_au_3_a" {
+ title = "AU-3(a)"
+ description = "Ensure that audit records contain information that establishes the following: a. What type of event occurred."
+ children = [ + control.apigateway_stage_logging_enabled, + control.cloudtrail_multi_region_trail_enabled, + control.cloudtrail_s3_data_events_enabled, + control.cloudtrail_trail_enabled, + control.cloudtrail_trail_integrated_with_logs, + control.elb_application_classic_lb_logging_enabled, + control.rds_db_instance_logging_enabled, + control.redshift_cluster_encryption_logging_enabled, + control.s3_bucket_logging_enabled, + control.vpc_flow_logs_enabled, + control.wafv2_web_acl_logging_enabled + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_au_3_b" { + title = "AU-3(b)" + description = "Ensure that audit records contain information that establishes the following: b. When the event occurred." + children = [ + control.apigateway_stage_logging_enabled, + control.cloudtrail_multi_region_trail_enabled, + control.cloudtrail_s3_data_events_enabled, + control.cloudtrail_trail_enabled, + control.cloudtrail_trail_integrated_with_logs, + control.elb_application_classic_lb_logging_enabled, + control.rds_db_instance_logging_enabled, + control.redshift_cluster_encryption_logging_enabled, + control.s3_bucket_logging_enabled, + control.vpc_flow_logs_enabled, + control.wafv2_web_acl_logging_enabled + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_au_3_c" { + title = "AU-3(c)" + description = "Ensure that audit records contain information that establishes the following: c. Where the event occurred." 
+ children = [ + control.apigateway_stage_logging_enabled, + control.cloudtrail_multi_region_trail_enabled, + control.cloudtrail_s3_data_events_enabled, + control.cloudtrail_trail_enabled, + control.cloudtrail_trail_integrated_with_logs, + control.elb_application_classic_lb_logging_enabled, + control.rds_db_instance_logging_enabled, + control.redshift_cluster_encryption_logging_enabled, + control.s3_bucket_logging_enabled, + control.vpc_flow_logs_enabled, + control.wafv2_web_acl_logging_enabled + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_au_3_d" { + title = "AU-3(d)" + description = "Ensure that audit records contain information that establishes the following: d. Source of the event." + children = [ + control.apigateway_stage_logging_enabled, + control.cloudtrail_multi_region_trail_enabled, + control.cloudtrail_s3_data_events_enabled, + control.cloudtrail_trail_enabled, + control.cloudtrail_trail_integrated_with_logs, + control.elb_application_classic_lb_logging_enabled, + control.rds_db_instance_logging_enabled, + control.redshift_cluster_encryption_logging_enabled, + control.s3_bucket_logging_enabled, + control.vpc_flow_logs_enabled, + control.wafv2_web_acl_logging_enabled + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_au_3_e" { + title = "AU-3(e)" + description = "Ensure that audit records contain information that establishes the following: e. Outcome of the event." 
+ children = [ + control.apigateway_stage_logging_enabled, + control.cloudtrail_multi_region_trail_enabled, + control.cloudtrail_s3_data_events_enabled, + control.cloudtrail_trail_enabled, + control.cloudtrail_trail_integrated_with_logs, + control.elb_application_classic_lb_logging_enabled, + control.rds_db_instance_logging_enabled, + control.redshift_cluster_encryption_logging_enabled, + control.s3_bucket_logging_enabled, + control.vpc_flow_logs_enabled, + control.wafv2_web_acl_logging_enabled + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_au_3_f" { + title = "AU-3(f)" + description = "Ensure that audit records contain information that establishes the following: e. Outcome of the event." + children = [ + control.apigateway_stage_logging_enabled, + control.cloudtrail_multi_region_trail_enabled, + control.cloudtrail_s3_data_events_enabled, + control.cloudtrail_trail_enabled, + control.cloudtrail_trail_integrated_with_logs, + control.elb_application_classic_lb_logging_enabled, + control.rds_db_instance_logging_enabled, + control.redshift_cluster_encryption_logging_enabled, + control.s3_bucket_logging_enabled, + control.wafv2_web_acl_logging_enabled + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_au_3_1" { + title = "AU-3(1) Additional Audit Information" + description = "Generate audit records containing the following additional information: [Assignment: organization-defined additional information]." + children = [ + control.cloudtrail_trail_enabled, + control.guardduty_enabled + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_au_4" { + title = "Audit Log Stprage Capacity (AU-4)" + description = "Allocate audit log storage capacity to accommodate [Assignment: organization-defined audit log retention requirements]." 
+ children = [ + benchmark.nist_800_53_rev_5_au_4_1 + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_au_4_1" { + title = "AU-4(1) Transfer To Alternate Storage" + description = "Transfer audit logs [Assignment: organization-defined frequency] to a different system, system component, or media other than the system or system component conducting the logging." + children = [ + control.cloudtrail_trail_integrated_with_logs + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_au_6" { + title = "Audit Record Review, Analysis And Reporting (AU-6)" + description = "Integrate audit review, analysis, and reporting with processes for investigation and response to suspicious activities." + children = [ + benchmark.nist_800_53_rev_5_au_6_1, + benchmark.nist_800_53_rev_5_au_6_3, + benchmark.nist_800_53_rev_5_au_6_4, + benchmark.nist_800_53_rev_5_au_6_5, + benchmark.nist_800_53_rev_5_au_6_6, + benchmark.nist_800_53_rev_5_au_6_9 + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_au_6_1" { + title = "AU-6(1) Automated Process Integration" + description = "Integrate audit record review, analysis, and reporting processes using [Assignment: organization-defined automated mechanisms]." + children = [ + control.cloudtrail_trail_integrated_with_logs, + control.cloudwatch_alarm_action_enabled, + control.guardduty_enabled, + control.securityhub_enabled + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_au_6_3" { + title = "AU-6(3) Correlate Audit Record Repositories" + description = "Analyze and correlate audit records across different repositories to gain organization-wide situational awareness." 
+ children = [ + control.apigateway_stage_logging_enabled, + control.cloudtrail_multi_region_trail_enabled, + control.cloudtrail_s3_data_events_enabled, + control.cloudtrail_trail_enabled, + control.cloudtrail_trail_integrated_with_logs, + control.cloudwatch_log_group_retention_period_365, + control.elb_application_classic_lb_logging_enabled, + control.rds_db_instance_logging_enabled, + control.redshift_cluster_encryption_logging_enabled, + control.s3_bucket_logging_enabled, + control.vpc_flow_logs_enabled, + control.wafv2_web_acl_logging_enabled + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_au_6_4" { + title = "AU-6(4) Central Review And Analysis" + description = "Provide and implement the capability to centrally review and analyze audit records from multiple components within the system." + children = [ + control.apigateway_stage_logging_enabled, + control.cloudtrail_multi_region_trail_enabled, + control.cloudtrail_s3_data_events_enabled, + control.cloudtrail_trail_enabled, + control.cloudtrail_trail_integrated_with_logs, + control.cloudwatch_log_group_retention_period_365, + control.elb_application_classic_lb_logging_enabled, + control.rds_db_instance_logging_enabled, + control.redshift_cluster_encryption_logging_enabled, + control.s3_bucket_logging_enabled, + control.vpc_flow_logs_enabled, + control.wafv2_web_acl_logging_enabled + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_au_6_5" { + title = "AU-6(5) Central Review And Analysis" + description = "Integrate analysis of audit records with analysis of [Selection (one or more): vulnerability scanning information; performance data; system monitoring information; [Assignment: organization-defined data/information collected from other sources]] to further enhance the ability to identify inappropriate or unusual activity." 
+ children = [ + control.cloudtrail_trail_integrated_with_logs, + control.cloudwatch_alarm_action_enabled, + control.guardduty_enabled, + control.securityhub_enabled + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_au_6_6" { + title = "AU-6(6) Correletion With Physical Monitoring" + description = "Correlate information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity." + children = [ + control.apigateway_stage_logging_enabled, + control.cloudtrail_multi_region_trail_enabled, + control.cloudtrail_s3_data_events_enabled, + control.cloudtrail_trail_enabled, + control.cloudtrail_trail_integrated_with_logs, + control.cloudwatch_log_group_retention_period_365, + control.elb_application_classic_lb_logging_enabled, + control.rds_db_instance_logging_enabled, + control.redshift_cluster_encryption_logging_enabled, + control.s3_bucket_logging_enabled, + control.vpc_flow_logs_enabled, + control.wafv2_web_acl_logging_enabled + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_au_6_9" { + title = "AU-6(9) Correletion With From Nontechnical Sources" + description = "Correlate information from nontechnical sources with audit record information to enhance organization-wide situational awareness." 
+ children = [ + control.apigateway_stage_logging_enabled, + control.cloudtrail_multi_region_trail_enabled, + control.cloudtrail_s3_data_events_enabled, + control.cloudtrail_trail_enabled, + control.cloudtrail_trail_integrated_with_logs, + control.cloudwatch_log_group_retention_period_365, + control.elb_application_classic_lb_logging_enabled, + control.rds_db_instance_logging_enabled, + control.redshift_cluster_encryption_logging_enabled, + control.s3_bucket_logging_enabled, + control.vpc_flow_logs_enabled, + control.wafv2_web_acl_logging_enabled + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_au_7" { + title = "Audit Record Reduction And Report Generation (AU-7)" + description = "Support for real-time audit review, analysis, and reporting requirements without altering original audit records." + children = [ + benchmark.nist_800_53_rev_5_au_7_1 + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_au_7_1" { + title = "AU-7(1) Automatic Processing" + description = "Provide and implement the capability to process, sort, and search audit records for events of interest based on the following content: [Assignment: organization-defined fields within audit records]." + children = [ + control.cloudtrail_trail_integrated_with_logs + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_au_8" { + title = "Time Stamps (AU-8)" + description = "Use internal system clocks to generate time stamps for audit records." + children = [ + benchmark.nist_800_53_rev_5_au_8_b + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_au_8_b" { + title = "AU-8(b)" + description = "Record time stamps for audit records that meet [Assignment: organization-defined granularity of time measurement] and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp." 
+ children = [ + control.apigateway_stage_logging_enabled, + control.cloudtrail_multi_region_trail_enabled, + control.cloudtrail_s3_data_events_enabled, + control.cloudtrail_trail_enabled, + control.cloudtrail_trail_integrated_with_logs, + control.elb_application_classic_lb_logging_enabled, + control.rds_db_instance_logging_enabled, + control.redshift_cluster_encryption_logging_enabled, + control.s3_bucket_logging_enabled, + control.vpc_flow_logs_enabled, + control.wafv2_web_acl_logging_enabled + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_au_9" { + title = "Protection of Audit Information (AU-9)" + description = "Protect audit information & tools from unauthorized access, modification & deletion." + children = [ + benchmark.nist_800_53_rev_5_au_9_2, + benchmark.nist_800_53_rev_5_au_9_3, + benchmark.nist_800_53_rev_5_au_9_7, + benchmark.nist_800_53_rev_5_au_9_a + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_au_9_a" { + title = "AU-9(a)" + description = "Protect audit information and audit logging tools from unauthorized access, modification, and deletion." + children = [ + control.cloudtrail_trail_validation_enabled + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_au_9_2" { + title = "AU-9(2) Store On Separate Physical Systems Or Components" + description = "Store audit records [Assignment: organization-defined frequency] in a repository that is part of a physically different system or system component than the system or component being audited." + children = [ + control.s3_bucket_cross_region_replication_enabled, + control.s3_bucket_versioning_enabled + ] + + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/S3" + }) +} + +benchmark "nist_800_53_rev_5_au_9_3" { + title = "AU-9(3) Cryptographic Protection" + description = "Implement cryptographic mechanisms to protect the integrity of audit information and audit tools." 
+ children = [ + control.apigateway_rest_api_stage_use_ssl_certificate, + control.apigateway_stage_cache_encryption_at_rest_enabled, + control.cloudtrail_trail_logs_encrypted_with_kms_cmk, + control.dynamodb_table_encrypted_with_kms_cmk, + control.ebs_volume_encryption_at_rest_enabled, + control.ec2_ebs_default_encryption_enabled, + control.efs_file_system_encrypt_data_at_rest, + control.elb_application_lb_redirect_http_request_to_https, + control.elb_classic_lb_use_ssl_certificate, + control.elb_classic_lb_use_tls_https_listeners, + control.es_domain_encryption_at_rest_enabled, + control.es_domain_node_to_node_encryption_enabled, + control.log_group_encryption_at_rest_enabled, + control.rds_db_instance_encryption_at_rest_enabled, + control.rds_db_snapshot_encrypted_at_rest, + control.redshift_cluster_encryption_in_transit_enabled, + control.redshift_cluster_encryption_logging_enabled, + control.redshift_cluster_kms_enabled, + control.s3_bucket_default_encryption_enabled_kms, + control.s3_bucket_enforces_ssl, + control.sagemaker_endpoint_configuration_encryption_at_rest_enabled, + control.sagemaker_notebook_instance_encryption_at_rest_enabled, + control.secretsmanager_secret_encrypted_with_kms_cmk, + control.sns_topic_encrypted_at_rest + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_au_9_7" { + title = "AU-9(7) Store On Component With Different Operation Systems" + description = "Store audit information on a component running a different operating system than the system or component being audited." + children = [ + control.cloudtrail_trail_integrated_with_logs + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_au_10" { + title = "Non-Repudiation (AU-10)" + description = "Provide irrefutable evidence that an individual (or process acting on behalf of an individual) has performed [Assignment: organization-defined actions to be covered by non-repudiation]." 
+ children = [ + control.apigateway_stage_logging_enabled, + control.cloudtrail_multi_region_trail_enabled, + control.cloudtrail_s3_data_events_enabled, + control.cloudtrail_trail_enabled, + control.cloudtrail_trail_integrated_with_logs, + control.cloudwatch_log_group_retention_period_365, + control.elb_application_classic_lb_logging_enabled, + control.es_domain_logs_to_cloudwatch, + control.rds_db_instance_logging_enabled, + control.redshift_cluster_encryption_logging_enabled, + control.s3_bucket_logging_enabled, + control.wafv2_web_acl_logging_enabled + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_au_11" { + title = "Audit Record Retention (AU-11)" + description = "Retain audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements." + children = [ + benchmark.nist_800_53_rev_5_au_11_1, + control.cloudwatch_log_group_retention_period_365 + ] + + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/CloudWatch" + }) +} + + +benchmark "nist_800_53_rev_5_au_11_1" { + title = "AU-11(1) Long-Term Retrieval Capability" + description = "Employ [Assignment: organization-defined measures] to ensure that long-term audit records generated by the system can be retrieved." + children = [ + control.cloudwatch_log_group_retention_period_365 + ] + + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/CloudWatch" + }) +} + +benchmark "nist_800_53_rev_5_au_12" { + title = "Audit Record Generation (AU-12)" + description = "Audit events defined in AU-2. Allow trusted personnel to select which events to audit. Generate audit records for events." 
+ children = [ + benchmark.nist_800_53_rev_5_au_12_1, + benchmark.nist_800_53_rev_5_au_12_2, + benchmark.nist_800_53_rev_5_au_12_3, + benchmark.nist_800_53_rev_5_au_12_4, + benchmark.nist_800_53_rev_5_au_12_a, + benchmark.nist_800_53_rev_5_au_12_c + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_au_12_a" { + title = "AU-12(a)" + description = "Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2a on [Assignment: organization-defined system components]." + children = [ + control.apigateway_stage_logging_enabled, + control.cloudtrail_multi_region_trail_enabled, + control.cloudtrail_s3_data_events_enabled, + control.cloudtrail_trail_enabled, + control.cloudtrail_trail_integrated_with_logs, + control.elb_application_classic_lb_logging_enabled, + control.rds_db_instance_logging_enabled, + control.redshift_cluster_encryption_logging_enabled, + control.s3_bucket_logging_enabled, + control.vpc_flow_logs_enabled, + control.wafv2_web_acl_logging_enabled + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_au_12_c" { + title = "AU-12(c)" + description = "Generate audit records for the event types defined in AU-2c that include the audit record content defined in AU-3." 
+ children = [ + control.apigateway_stage_logging_enabled, + control.cloudtrail_multi_region_trail_enabled, + control.cloudtrail_s3_data_events_enabled, + control.cloudtrail_trail_enabled, + control.cloudtrail_trail_integrated_with_logs, + control.elb_application_classic_lb_logging_enabled, + control.rds_db_instance_logging_enabled, + control.redshift_cluster_encryption_logging_enabled, + control.s3_bucket_logging_enabled, + control.vpc_flow_logs_enabled, + control.wafv2_web_acl_logging_enabled + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_au_12_1" { + title = "AU-12(1) System-Wide And Time-Correlated Audit Trial" + description = "Compile audit records from [Assignment: organization-defined system components] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail]." + children = [ + control.apigateway_stage_logging_enabled, + control.cloudtrail_multi_region_trail_enabled, + control.cloudtrail_s3_data_events_enabled, + control.cloudtrail_trail_enabled, + control.cloudtrail_trail_integrated_with_logs, + control.cloudwatch_log_group_retention_period_365, + control.elb_application_classic_lb_logging_enabled, + control.rds_db_instance_logging_enabled, + control.redshift_cluster_encryption_logging_enabled, + control.s3_bucket_logging_enabled, + control.vpc_flow_logs_enabled, + control.wafv2_web_acl_logging_enabled + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_au_12_2" { + title = "AU-12(2) Standardized Formats" + description = "Produce a system-wide (logical or physical) audit trail composed of audit records in a standardized format." 
+ children = [ + control.apigateway_stage_logging_enabled, + control.cloudtrail_multi_region_trail_enabled, + control.cloudtrail_s3_data_events_enabled, + control.cloudtrail_trail_enabled, + control.cloudtrail_trail_integrated_with_logs, + control.cloudwatch_log_group_retention_period_365, + control.elb_application_classic_lb_logging_enabled, + control.rds_db_instance_logging_enabled, + control.redshift_cluster_encryption_logging_enabled, + control.s3_bucket_logging_enabled, + control.vpc_flow_logs_enabled, + control.wafv2_web_acl_logging_enabled + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_au_12_3" { + title = "AU-12(3) Changes By Authorized Individuals" + description = "Provide and implement the capability for [Assignment: organization-defined individuals or roles] to change the logging to be performed on [Assignment: organization-defined system components] based on [Assignment: organization-defined selectable event criteria] within [Assignment: organization-defined time thresholds]." 
+ children = [ + control.apigateway_stage_logging_enabled, + control.autoscaling_group_with_lb_use_health_check, + control.cloudtrail_multi_region_trail_enabled, + control.cloudtrail_s3_data_events_enabled, + control.cloudtrail_trail_enabled, + control.cloudtrail_trail_integrated_with_logs, + control.cloudwatch_alarm_action_enabled, + control.cloudwatch_log_group_retention_period_365, + control.elastic_beanstalk_enhanced_health_reporting_enabled, + control.elb_application_classic_lb_logging_enabled, + control.guardduty_enabled, + control.lambda_function_concurrent_execution_limit_configured, + control.lambda_function_dead_letter_queue_configured, + control.rds_db_instance_and_cluster_enhanced_monitoring_enabled, + control.rds_db_instance_logging_enabled, + control.redshift_cluster_encryption_logging_enabled, + control.s3_bucket_logging_enabled, + control.securityhub_enabled, + control.vpc_flow_logs_enabled, + control.wafv2_web_acl_logging_enabled + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_au_12_4" { + title = "AU-12(4) Query Parameter Audits Of Personally Identifiable Information" + description = "Provide and implement the capability for auditing the parameters of user query events for data sets containing personally identifiable information." + children = [ + control.apigateway_stage_logging_enabled, + control.cloudtrail_multi_region_trail_enabled, + control.cloudtrail_s3_data_events_enabled, + control.cloudtrail_trail_enabled, + control.cloudtrail_trail_integrated_with_logs, + control.elb_application_classic_lb_logging_enabled, + control.rds_db_instance_logging_enabled, + control.redshift_cluster_encryption_logging_enabled, + control.s3_bucket_logging_enabled, + control.vpc_flow_logs_enabled, + control.wafv2_web_acl_logging_enabled + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_au_14" { + title = "Session Audit (AU-14)" + description = "Capture, record and log user sessions. 
Remotely view all content related to a user session that starts at system start-up." + children = [ + benchmark.nist_800_53_rev_5_au_14_3, + benchmark.nist_800_53_rev_5_au_14_a, + benchmark.nist_800_53_rev_5_au_14_b + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_au_14_a" { + title = "AU-14(a)" + description = "Provide and implement the capability for [Assignment: organization-defined users or roles] to [Selection (one or more): record; view; hear; log] the content of a user session under [Assignment: organization-defined circumstances]." + children = [ + control.apigateway_stage_logging_enabled, + control.autoscaling_group_with_lb_use_health_check, + control.cloudtrail_multi_region_trail_enabled, + control.cloudtrail_s3_data_events_enabled, + control.cloudtrail_trail_enabled, + control.cloudtrail_trail_integrated_with_logs, + control.cloudwatch_alarm_action_enabled, + control.cloudwatch_log_group_retention_period_365, + control.elastic_beanstalk_enhanced_health_reporting_enabled, + control.elb_application_classic_lb_logging_enabled, + control.guardduty_enabled, + control.lambda_function_concurrent_execution_limit_configured, + control.lambda_function_dead_letter_queue_configured, + control.rds_db_instance_and_cluster_enhanced_monitoring_enabled, + control.rds_db_instance_logging_enabled, + control.redshift_cluster_encryption_logging_enabled, + control.s3_bucket_logging_enabled, + control.securityhub_enabled, + control.vpc_flow_logs_enabled, + control.wafv2_web_acl_logging_enabled + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_au_14_b" { + title = "AU-14(b)" + description = "Develop, integrate, and use session auditing activities in consultation with legal counsel and in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines." 
+ children = [ + control.apigateway_stage_logging_enabled, + control.autoscaling_group_with_lb_use_health_check, + control.cloudtrail_multi_region_trail_enabled, + control.cloudtrail_s3_data_events_enabled, + control.cloudtrail_trail_enabled, + control.cloudtrail_trail_integrated_with_logs, + control.cloudwatch_alarm_action_enabled, + control.cloudwatch_log_group_retention_period_365, + control.elastic_beanstalk_enhanced_health_reporting_enabled, + control.elb_application_classic_lb_logging_enabled, + control.guardduty_enabled, + control.lambda_function_concurrent_execution_limit_configured, + control.lambda_function_dead_letter_queue_configured, + control.rds_db_instance_and_cluster_enhanced_monitoring_enabled, + control.rds_db_instance_logging_enabled, + control.redshift_cluster_encryption_logging_enabled, + control.s3_bucket_logging_enabled, + control.securityhub_enabled, + control.vpc_flow_logs_enabled, + control.wafv2_web_acl_logging_enabled + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_au_14_3" { + title = "AU-14(3) Remote Viewing And Listening" + description = "Provide and implement the capability for authorized users to remotely view and hear content related to an established user session in real time." 
+ children = [
+ control.apigateway_stage_logging_enabled,
+ control.cloudtrail_multi_region_trail_enabled,
+ control.cloudtrail_s3_data_events_enabled,
+ control.cloudtrail_trail_enabled,
+ control.cloudtrail_trail_integrated_with_logs,
+ control.elb_application_classic_lb_logging_enabled,
+ control.rds_db_instance_logging_enabled,
+ control.redshift_cluster_encryption_logging_enabled,
+ control.s3_bucket_logging_enabled,
+ control.vpc_flow_logs_enabled,
+ control.wafv2_web_acl_logging_enabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_au_16" {
+ title = "Cross-Organizational Audit Logging (AU-16)"
+ description = "Employ [Assignment: organization-defined methods] for coordinating [Assignment: organization-defined audit information] among external organizations when audit information is transmitted across organizational boundaries."
+ children = [
+ control.cloudtrail_trail_integrated_with_logs
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
\ No newline at end of file
diff --git a/nist_800_53_rev_5/ca.sp b/nist_800_53_rev_5/ca.sp
new file mode 100644
index 00000000..b552e162
--- /dev/null
+++ b/nist_800_53_rev_5/ca.sp
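Review bot: The `nist_800_53_rev_5_au_3_f` benchmark reuses AU-3(e)'s description ("e. Outcome of the event."), so the report will show the wrong requirement under AU-3(f); the Rev. 5 text is `description = "Ensure that audit records contain information that establishes the following: f. Identity of any individuals, subjects, or objects/entities associated with the event."`. Several titles in this file also need correcting: "Audit Log Stprage Capacity (AU-4)", "AU-6(5) Central Review And Analysis" (duplicates the AU-6(4) title; AU-6(5) is "Integrated Analysis of Audit Records"), "AU-6(6) Correletion With Physical Monitoring", "AU-6(9) Correletion With From Nontechnical Sources" and "AU-12(1) System-Wide And Time-Correlated Audit Trial". The AU-3(a)–(e) children lists are identical while AU-3(f) silently drops `control.vpc_flow_logs_enabled`; if that omission is deliberate, a one-line comment saying why would stop the next editor from "fixing" it. AU-9(a), whose description covers protection from unauthorized access, modification and deletion, is backed only by `control.cloudtrail_trail_validation_enabled`, which detects tampering after the fact; mapping `control.cloudtrail_trail_logs_encrypted_with_kms_cmk` and `control.s3_bucket_versioning_enabled` (both already used in this file under AU-9(3) and AU-9(2)) there as well would cover the access and deletion halves of the requirement.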
@@ -0,0 +1,142 @@
+benchmark "nist_800_53_rev_5_ca" {
+ title = "Assessment, Authorization, And Monitoring (CA)"
+ description = "The Security Assessment and Authorization control family includes controls that supplement the execution of security assessments, authorizations, continuous monitoring, plan of actions and milestones, and system interconnections."
+ children = [
+ benchmark.nist_800_53_rev_5_ca_2,
+ benchmark.nist_800_53_rev_5_ca_7,
+ benchmark.nist_800_53_rev_5_ca_9
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ca_2" {
+ title = "Control Assessments (CA-2)"
+ description = "Assess security controls to determine effectiveness and produce security reports, documentation, and graphs."
+ children = [
+ benchmark.nist_800_53_rev_5_ca_2_2,
+ benchmark.nist_800_53_rev_5_ca_2_d
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ca_2_2" {
+ title = "CA-2(2) Specialized Assessments"
+ description = "Include as part of control assessments, [Assignment: organization-defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; security instrumentation; automated security test cases; vulnerability scanning; malicious user testing; insider threat assessment; performance and load testing; data leakage or data loss assessment; [Assignment: organization-defined other forms of assessment]]."
+ children = [
+ control.autoscaling_group_with_lb_use_health_check,
+ control.cloudwatch_alarm_action_enabled,
+ control.elastic_beanstalk_enhanced_health_reporting_enabled,
+ control.lambda_function_dead_letter_queue_configured,
+ control.rds_db_instance_and_cluster_enhanced_monitoring_enabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ca_2_d" {
+ title = "CA-2(d)"
+ description = "Assess the controls in the system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements."
+ children = [
+ control.guardduty_enabled,
+ control.securityhub_enabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ca_7" {
+ title = "Continuous Monitoring (CA-7)"
+ description = "Continuously monitor configuration management processes. Determine security impact, environment and operational risks."
+ children = [
+ benchmark.nist_800_53_rev_5_ca_7_4,
+ benchmark.nist_800_53_rev_5_ca_7_b,
+ control.autoscaling_group_with_lb_use_health_check,
+ control.cloudwatch_alarm_action_enabled,
+ control.elastic_beanstalk_enhanced_health_reporting_enabled,
+ control.guardduty_enabled,
+ control.lambda_function_concurrent_execution_limit_configured,
+ control.lambda_function_dead_letter_queue_configured,
+ control.rds_db_instance_and_cluster_enhanced_monitoring_enabled,
+ control.securityhub_enabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ca_7_b" {
+ title = "CA-7(b)"
+ description = "Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes: b. 
Establishing [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessment of control effectiveness."
+ children = [
+ control.apigateway_stage_logging_enabled,
+ control.autoscaling_group_with_lb_use_health_check,
+ control.cloudtrail_multi_region_trail_enabled,
+ control.cloudtrail_s3_data_events_enabled,
+ control.cloudtrail_trail_enabled,
+ control.cloudtrail_trail_integrated_with_logs,
+ control.cloudwatch_alarm_action_enabled,
+ control.cloudwatch_log_group_retention_period_365,
+ control.elastic_beanstalk_enhanced_health_reporting_enabled,
+ control.elb_application_classic_lb_logging_enabled,
+ control.guardduty_enabled,
+ control.lambda_function_concurrent_execution_limit_configured,
+ control.lambda_function_dead_letter_queue_configured,
+ control.rds_db_instance_and_cluster_enhanced_monitoring_enabled,
+ control.rds_db_instance_logging_enabled,
+ control.redshift_cluster_encryption_logging_enabled,
+ control.s3_bucket_logging_enabled,
+ control.securityhub_enabled,
+ control.vpc_flow_logs_enabled,
+ control.wafv2_web_acl_logging_enabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ca_7_4" {
+ title = "CA-7(4) Risk Monitoring"
+ description = "Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following: a. Effectiveness monitoring; b. Compliance monitoring; and c. Change monitoring."
+ children = [
+ benchmark.nist_800_53_rev_5_ca_7_4_c
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ca_7_4_c" {
+ title = "CA-7(4)(c)"
+ description = "Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following: (c) Change monitoring."
+ children = [
+ control.elb_application_lb_deletion_protection_enabled,
+ control.rds_db_instance_deletion_protection_enabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ca_9" {
+ title = "Internal System Connections (CA-9)"
+ description = "a. Authorize internal connections of [Assignment: organization-defined system components or classes of components] to the system; b. Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated; c. Terminate internal system connections after [Assignment: organization-defined conditions]; and d. Review [Assignment: organization-defined frequency] the continued need for each internal connection."
+ children = [
+ benchmark.nist_800_53_rev_5_ca_9_b
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ca_9_b" {
+ title = "CA-9(b)"
+ description = "Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated."
+ children = [
+ control.apigateway_rest_api_stage_use_ssl_certificate,
+ control.elb_application_lb_redirect_http_request_to_https,
+ control.elb_classic_lb_use_ssl_certificate,
+ control.elb_classic_lb_use_tls_https_listeners,
+ control.es_domain_node_to_node_encryption_enabled,
+ control.redshift_cluster_encryption_in_transit_enabled,
+ control.s3_bucket_enforces_ssl
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
\ No newline at end of file
diff --git a/nist_800_53_rev_5/cm.sp b/nist_800_53_rev_5/cm.sp
new file mode 100644
index 00000000..85ae02a4
--- /dev/null
+++ b/nist_800_53_rev_5/cm.sp
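Review bot: `nist_800_53_rev_5_ca_7` lists eight controls directly (`control.guardduty_enabled` and `control.securityhub_enabled` among them) that all also appear under `benchmark.nist_800_53_rev_5_ca_7_b`, which it includes as well, so each of those controls shows up twice in the CA-7 tree and, as far as I can tell from how benchmark totals are summed, is counted twice in the roll-up. Keeping the controls only in the sub-benchmark and reducing ca_7's children to `benchmark.nist_800_53_rev_5_ca_7_4,` and `benchmark.nist_800_53_rev_5_ca_7_b` would give one result per control; the same duplication recurs in cm.sp for cm_2_b (its six direct controls repeat in cm_2_b_1, cm_2_b_2 and cm_2_b_3) and cm_8_a (both direct controls repeat in cm_8_a_1 through cm_8_a_5). The CA-9(b) mapping of TLS/SSL listener and in-transit encryption controls to "document, for each internal connection, the interface characteristics" is a stretch that deserves a one-line rationale comment above that children list, e.g. `# enforced-TLS listeners are the closest automated evidence of documented interface security requirements`. The file also ends without a trailing newline (`\ No newline at end of file`), which will make the next append to it show a spurious change on the last line.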
@@ -0,0 +1,528 @@
+benchmark "nist_800_53_rev_5_cm" {
+ title = "Configuration Management (CM)"
+ description = "CM controls are specific to an organization’s configuration management policies. This includes a baseline configuration to operate as the basis for future builds or changes to information systems. Additionally, this includes information system component inventories and a security impact analysis control."
+ children = [
+ benchmark.nist_800_53_rev_5_cm_2,
+ benchmark.nist_800_53_rev_5_cm_3,
+ benchmark.nist_800_53_rev_5_cm_5,
+ benchmark.nist_800_53_rev_5_cm_6,
+ benchmark.nist_800_53_rev_5_cm_7,
+ benchmark.nist_800_53_rev_5_cm_8,
+ benchmark.nist_800_53_rev_5_cm_9,
+ benchmark.nist_800_53_rev_5_cm_12
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cm_2" {
+ title = "Baseline Configuration (CM-2)"
+ description = "The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system."
+ children = [
+ benchmark.nist_800_53_rev_5_cm_2_2,
+ benchmark.nist_800_53_rev_5_cm_2_a,
+ benchmark.nist_800_53_rev_5_cm_2_b
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cm_2_a" {
+ title = "CM-2(a)"
+ description = "Develop, document, and maintain under configuration control, a current baseline configuration of the system."
+ children = [
+ control.ebs_volume_unsued,
+ control.ec2_instance_ssm_managed,
+ control.ec2_stopped_instance_30_days,
+ control.elb_application_lb_deletion_protection_enabled,
+ control.ssm_managed_instance_compliance_association_compliant,
+ control.vpc_security_group_restrict_ingress_common_ports_all
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cm_2_b" {
+ title = "CM-2(b)"
+ description = "Review and update the baseline configuration of the system: 1. [Assignment: organization-defined frequency]; 2. 
When required due to [Assignment: organization-defined circumstances]; and 3. When system components are installed or upgraded."
+ children = [
+ benchmark.nist_800_53_rev_5_cm_2_b_1,
+ benchmark.nist_800_53_rev_5_cm_2_b_2,
+ benchmark.nist_800_53_rev_5_cm_2_b_3,
+ control.account_part_of_organizations,
+ control.ebs_volume_unsued,
+ control.ec2_instance_ssm_managed,
+ control.ec2_stopped_instance_30_days,
+ control.redshift_cluster_maintenance_settings_check,
+ control.ssm_managed_instance_compliance_association_compliant
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cm_2_b_1" {
+ title = "CM-2(b)(1)"
+ description = "Review and update the baseline configuration of the system: 1. [Assignment: organization-defined frequency]."
+ children = [
+ control.account_part_of_organizations,
+ control.ebs_volume_unsued,
+ control.ec2_instance_ssm_managed,
+ control.ec2_stopped_instance_30_days,
+ control.redshift_cluster_maintenance_settings_check,
+ control.ssm_managed_instance_compliance_association_compliant
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cm_2_b_2" {
+ title = "CM-2(b)(2)"
+ description = "Review and update the baseline configuration of the system: 2. When required due to [Assignment: organization-defined circumstances]."
+ children = [
+ control.account_part_of_organizations,
+ control.ebs_volume_unsued,
+ control.ec2_instance_ssm_managed,
+ control.ec2_stopped_instance_30_days,
+ control.redshift_cluster_maintenance_settings_check,
+ control.ssm_managed_instance_compliance_association_compliant
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cm_2_b_3" {
+ title = "CM-2(b)(3)"
+ description = "Review and update the baseline configuration of the system: 3 When system components are installed or upgraded."
+ children = [
+ control.account_part_of_organizations,
+ control.ebs_volume_unsued,
+ control.ec2_instance_ssm_managed,
+ control.ec2_stopped_instance_30_days,
+ control.redshift_cluster_maintenance_settings_check,
+ control.ssm_managed_instance_compliance_association_compliant
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cm_2_2" {
+ title = "CM-2(2) Automation Support For AccuracyY And Currency"
+ description = "Maintain the currency, completeness, accuracy, and availability of the baseline configuration of the system using [Assignment: organization-defined automated mechanisms]."
+ children = [
+ control.ebs_volume_unsued,
+ control.ec2_instance_ssm_managed,
+ control.ec2_stopped_instance_30_days,
+ control.elb_application_lb_deletion_protection_enabled,
+ control.ssm_managed_instance_compliance_association_compliant,
+ control.vpc_security_group_restrict_ingress_common_ports_all
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cm_3" {
+ title = "Configuration Change Control (CM-3)"
+ description = "The organization authorizes, documents, and controls changes to the information system."
+ children = [
+ benchmark.nist_800_53_rev_5_cm_3_3,
+ benchmark.nist_800_53_rev_5_cm_3_a
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cm_3_a" {
+ title = "CM-3(a)"
+ description = "Determine and document the types of changes to the system that are configuration-controlled."
+ children = [
+ control.elb_application_lb_deletion_protection_enabled,
+ control.rds_db_instance_deletion_protection_enabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cm_3_3" {
+ title = "CM-3(3) Automated Change Implementation"
+ description = "Implement changes to the current system baseline and deploy the updated baseline across the installed base using [Assignment: organization-defined automated mechanisms]."
+ children = [
+ control.account_part_of_organizations,
+ control.ebs_volume_unsued,
+ control.ec2_instance_ssm_managed,
+ control.ec2_stopped_instance_30_days,
+ control.redshift_cluster_maintenance_settings_check,
+ control.ssm_managed_instance_compliance_association_compliant
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cm_5" {
+ title = "Access Restrictions For Change (CM-5)"
+ description = "Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system."
+ children = [
+ benchmark.nist_800_53_rev_5_cm_5_1
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cm_5_1" {
+ title = "CM-5(1) Automated Access Enforcement And Audit Records"
+ description = "a. Enforce access restrictions using [Assignment: organization-defined automated mechanisms]; and b. Automatically generate audit records of the enforcement actions."
+ children = [
+ benchmark.nist_800_53_rev_5_cm_5_1_a,
+ benchmark.nist_800_53_rev_5_cm_5_1_b
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cm_5_1_a" {
+ title = "CM-5(1)(a)"
+ description = "Enforce access restrictions using [Assignment: organization-defined automated mechanisms]."
+ children = [
+ control.ec2_instance_iam_profile_attached,
+ control.ec2_instance_uses_imdsv2,
+ control.ecs_task_definition_user_for_host_mode_check,
+ control.iam_account_password_policy_min_length_14,
+ control.iam_all_policy_no_service_wild_card,
+ control.iam_group_user_role_no_inline_policies,
+ control.iam_policy_no_star_star,
+ control.iam_root_user_hardware_mfa_enabled,
+ control.iam_root_user_no_access_keys,
+ control.iam_user_access_key_age_90,
+ control.iam_user_console_access_mfa_enabled,
+ control.iam_user_in_group,
+ control.iam_user_mfa_enabled,
+ control.iam_user_no_inline_attached_policies,
+ control.iam_user_unused_credentials_90,
+ control.secretsmanager_secret_automatic_rotation_enabled,
+ control.secretsmanager_secret_rotated_as_scheduled,
+ control.secretsmanager_secret_unused_90_day
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cm_5_1_b" {
+ title = "CM-5(1)(b)"
+ description = "Automatically generate audit records of the enforcement actions."
+ children = [
+ control.apigateway_stage_logging_enabled,
+ control.cloudtrail_multi_region_trail_enabled,
+ control.cloudtrail_s3_data_events_enabled,
+ control.cloudtrail_trail_enabled,
+ control.cloudtrail_trail_integrated_with_logs,
+ control.elb_application_classic_lb_logging_enabled,
+ control.rds_db_instance_logging_enabled,
+ control.redshift_cluster_encryption_logging_enabled,
+ control.s3_bucket_logging_enabled,
+ control.vpc_flow_logs_enabled,
+ control.wafv2_web_acl_logging_enabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cm_6" {
+ title = "Configuration Settings (CM-6)"
+ description = "The organization: (i) establishes mandatory configuration settings for information technology products employed within the information system; (ii) configures the security settings of information technology products to the most restrictive mode consistent with operational requirements; (iii) documents the configuration settings; and (iv) enforces the configuration settings in all components of the information system."
+ children = [
+ benchmark.nist_800_53_rev_5_cm_6_a,
+ control.ec2_instance_ssm_managed,
+ control.ssm_managed_instance_compliance_association_compliant
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cm_6_a" {
+ title = "CM-6(a)"
+ description = "Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using [Assignment: organization-defined common secure configurations]."
+ children = [
+ control.account_part_of_organizations,
+ control.autoscaling_group_with_lb_use_health_check,
+ control.autoscaling_launch_config_public_ip_disabled,
+ control.cloudtrail_multi_region_trail_enabled,
+ control.cloudtrail_s3_data_events_enabled,
+ control.cloudtrail_trail_integrated_with_logs,
+ control.cloudtrail_trail_logs_encrypted_with_kms_cmk,
+ control.cloudtrail_trail_validation_enabled,
+ control.ebs_attached_volume_encryption_enabled,
+ control.ec2_ebs_default_encryption_enabled,
+ control.ec2_instance_iam_profile_attached,
+ control.iam_account_password_policy_min_length_14,
+ control.iam_group_user_role_no_inline_policies,
+ control.iam_policy_no_star_star,
+ control.iam_root_user_hardware_mfa_enabled,
+ control.iam_root_user_mfa_enabled,
+ control.iam_root_user_no_access_keys,
+ control.iam_user_access_key_age_90,
+ control.iam_user_console_access_mfa_enabled,
+ control.iam_user_in_group,
+ control.iam_user_no_inline_attached_policies,
+ control.iam_user_unused_credentials_90,
+ control.kms_cmk_rotation_enabled,
+ control.s3_bucket_cross_region_replication_enabled,
+ control.s3_bucket_default_encryption_enabled,
+ control.s3_bucket_enforces_ssl,
+ control.s3_bucket_logging_enabled,
+ control.s3_bucket_restrict_public_read_access,
+ control.s3_bucket_restrict_public_write_access,
+ control.s3_public_access_block_account,
+ control.vpc_default_security_group_restricts_all_traffic,
+ control.vpc_flow_logs_enabled,
+ control.vpc_security_group_restrict_ingress_common_ports_all
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cm_7" {
+ title = "Least Functionality (CM-7)"
+ description = "The organization configures the information system to provide only essential capabilities and prohibits or restricts the use of the functions, ports, protocols, and/or services."
+ children = [
+ benchmark.nist_800_53_rev_5_cm_7_b
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cm_7_b" {
+ title = "CM-7(b)"
+ description = "Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: [Assignment: organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services]."
+ children = [
+ control.vpc_route_table_restrict_public_access_to_igw,
+ control.vpc_security_group_restrict_ingress_common_ports_all
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cm_8" {
+ title = "System Component Inventory (CM-8)"
+ description = "The organization develops and documents an inventory of information system components that accurately reflects the current information system, includes all components within the authorization boundary of the information system, is at the level of granularity deemed necessary for tracking and reporting and reviews and updates the information system component inventory."
+ children = [
+ benchmark.nist_800_53_rev_5_cm_8_1,
+ benchmark.nist_800_53_rev_5_cm_8_2,
+ benchmark.nist_800_53_rev_5_cm_8_3,
+ benchmark.nist_800_53_rev_5_cm_8_6,
+ benchmark.nist_800_53_rev_5_cm_8_a,
+ benchmark.nist_800_53_rev_5_cm_8_b
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cm_8_a" {
+ title = "CM-8(a)"
+ description = "Develop and document an inventory of system components that: 1. Accurately reflects the system; 2. Includes all components within the system; 3. Does not include duplicate accounting of components or components assigned to any other system; 4. Is at the level of granularity deemed necessary for tracking and reporting; and 5. Includes the following information to achieve system component accountability: [Assignment: organization-defined information deemed necessary to achieve effective system component accountability]."
+ children = [
+ benchmark.nist_800_53_rev_5_cm_8_a_1,
+ benchmark.nist_800_53_rev_5_cm_8_a_2,
+ benchmark.nist_800_53_rev_5_cm_8_a_3,
+ benchmark.nist_800_53_rev_5_cm_8_a_4,
+ benchmark.nist_800_53_rev_5_cm_8_a_5,
+ control.ec2_instance_ssm_managed,
+ control.ssm_managed_instance_compliance_association_compliant
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cm_8_a_1" {
+ title = "CM-8(a)(1)"
+ description = "Develop and document an inventory of system components that: 1. Accurately reflects the system."
+ children = [
+ control.ec2_instance_ssm_managed,
+ control.ssm_managed_instance_compliance_association_compliant
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cm_8_a_2" {
+ title = "CM-8(a)(2)"
+ description = "Develop and document an inventory of system components that: 2. Includes all components within the system."
+ children = [
+ control.ec2_instance_ssm_managed,
+ control.ssm_managed_instance_compliance_association_compliant
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cm_8_a_3" {
+ title = "CM-8(a)(3)"
+ description = "Develop and document an inventory of system components that: 3. Does not include duplicate accounting of components or components assigned to any other system."
+ children = [
+ control.ec2_instance_ssm_managed,
+ control.ssm_managed_instance_compliance_association_compliant
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cm_8_a_4" {
+ title = "CM-8(a)(4)"
+ description = "Develop and document an inventory of system components that: 4. Is at the level of granularity deemed necessary for tracking and reporting."
+ children = [
+ control.ec2_instance_ssm_managed,
+ control.ssm_managed_instance_compliance_association_compliant
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cm_8_a_5" {
+ title = "CM-8(a)(5)"
+ description = "Develop and document an inventory of system components that: 5. Includes the following information to achieve system component accountability: [Assignment: organization-defined information deemed necessary to achieve effective system component accountability]."
+ children = [
+ control.ec2_instance_ssm_managed,
+ control.ssm_managed_instance_compliance_association_compliant,
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cm_8_b" {
+ title = "CM-8(b)"
+ description = "Review and update the system component inventory [Assignment: organization-defined frequency]."
+ children = [
+ control.ec2_instance_ssm_managed,
+ control.ssm_managed_instance_compliance_association_compliant
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cm_8_1" {
+ title = "CM-8(1) Updates During Installation And Removals"
+ description = "Update the inventory of system components as part of component installations, removals, and system updates."
+ children = [
+ control.ec2_instance_ssm_managed,
+ control.ssm_managed_instance_compliance_association_compliant
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cm_8_2" {
+ title = "CM-8(2) Automated Maintenance"
+ description = "Maintain the currency, completeness, accuracy, and availability of the inventory of system components using [Assignment: organization-defined automated mechanisms]."
+ children = [
+ control.ec2_instance_ssm_managed
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cm_8_3" {
+ title = "CM-8(3) Automated Unauthorized Component Detection"
+ description = "The organization: Employs automated mechanisms [Assignment: organization-defined frequency] to detect the presence of unauthorized hardware, software, and firmware components within the information system; and Takes the following actions when unauthorized components are detected: [Selection (one or more): disables network access by such components; isolates the components; notifies [Assignment: organization-defined personnel or roles]]."
+ children = [
+ benchmark.nist_800_53_rev_5_cm_8_3_a
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cm_8_3_a" {
+ title = "CM-8(3)(a)"
+ description = "Detect the presence of unauthorized hardware, software, and firmware components within the system using [Assignment: organization-defined automated mechanisms] [Assignment: organization-defined frequency]."
+ children = [
+ control.ec2_instance_ssm_managed,
+ control.guardduty_enabled,
+ control.ssm_managed_instance_compliance_association_compliant,
+ control.ssm_managed_instance_compliance_patch_compliant
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cm_8_6" {
+ title = "CM-8(6) Assessed Configurations And Approved Deviations"
+ description = "Include assessed component configurations and any approved deviations to current deployed configurations in the system component inventory."
+ children = [
+ control.ebs_volume_unsued,
+ control.ec2_instance_ssm_managed,
+ control.ec2_stopped_instance_30_days,
+ control.elb_application_lb_deletion_protection_enabled,
+ control.ssm_managed_instance_compliance_association_compliant,
+ control.vpc_security_group_restrict_ingress_common_ports_all
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cm_9" {
+ title = "Configuration Management Plan (CM-9)"
+ description = "Develop, document, and implement a configuration management plan for the system that: a. Addresses roles, responsibilities, and configuration management processes and procedures; b. Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items; c. Defines the configuration items for the system and places the configuration items under configuration management; d. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; and e. Protects the configuration management plan from unauthorized disclosure and modification."
+ children = [
+ benchmark.nist_800_53_rev_5_cm_9_b
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cm_9_b" {
+ title = "CM-9(b)"
+ description = "Develop, document, and implement a configuration management plan for the system that: b. Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items."
+ children = [
+ control.account_part_of_organizations,
+ control.autoscaling_group_with_lb_use_health_check,
+ control.cloudtrail_multi_region_trail_enabled,
+ control.cloudtrail_s3_data_events_enabled,
+ control.cloudtrail_trail_integrated_with_logs,
+ control.cloudtrail_trail_logs_encrypted_with_kms_cmk,
+ control.cloudtrail_trail_validation_enabled,
+ control.ebs_attached_volume_encryption_enabled,
+ control.ec2_ebs_default_encryption_enabled,
+ control.iam_account_password_policy_min_length_14,
+ control.iam_group_user_role_no_inline_policies,
+ control.iam_policy_no_star_star,
+ control.iam_root_user_hardware_mfa_enabled,
+ control.iam_root_user_mfa_enabled,
+ control.iam_root_user_no_access_keys,
+ control.iam_user_access_key_age_90,
+ control.iam_user_console_access_mfa_enabled,
+ control.iam_user_in_group,
+ control.iam_user_no_inline_attached_policies,
+ control.iam_user_unused_credentials_90,
+ control.kms_cmk_rotation_enabled,
+ control.s3_bucket_cross_region_replication_enabled,
+ control.s3_bucket_default_encryption_enabled,
+ control.s3_bucket_enforces_ssl,
+ control.s3_bucket_logging_enabled,
+ control.s3_bucket_restrict_public_read_access,
+ control.s3_bucket_restrict_public_write_access,
+ control.s3_public_access_block_account,
+ control.vpc_default_security_group_restricts_all_traffic,
+ control.vpc_flow_logs_enabled,
+ control.vpc_security_group_restrict_ingress_common_ports_all,
+ control.vpc_security_group_restrict_ingress_ssh_all
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cm_12" {
+ title = "Information Location (CM-12)"
+ description = "a. Identify and document the location of [Assignment: organization-defined information] and the specific system components on which the information is processed and stored; b. Identify and document the users who have access to the system and system components where the information is processed and stored; and c. 
Document changes to the location (i.e., system or system components) where the information is processed and stored."
+ children = [
+ benchmark.nist_800_53_rev_5_cm_12_b
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cm_12_b" {
+ title = "CM-12(b)"
+ description = "Identify and document the users who have access to the system and system components where the information is processed and stored."
+ children = [
+ control.iam_account_password_policy_min_length_14
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
\ No newline at end of file
diff --git a/nist_800_53_rev_5/cp.sp b/nist_800_53_rev_5/cp.sp
new file mode 100644
index 00000000..fd048f8e
--- /dev/null
+++ b/nist_800_53_rev_5/cp.sp
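Review bot: `control.ebs_volume_unsued`, referenced in cm_2_a, cm_2_b, cm_2_b_1 through cm_2_b_3, cm_2_2, cm_3_3 and cm_8_6, reads like a misspelling of "unused"; if no control is declared under that exact name the mod will fail to load on every one of those seven benchmarks, so confirm the reference against the control's own definition before merging. Two text slips in the same hunk: the cm_2_2 title `"CM-2(2) Automation Support For AccuracyY And Currency"` should be `"CM-2(2) Automation Support For Accuracy And Currency"`, and the cm_2_b_3 description's `3 When system components` is missing its period (`3. When`), unlike the sibling cm_2_b_1 and cm_2_b_2 entries. The cm_8_a_5 children list ends with a trailing comma after `control.ssm_managed_instance_compliance_association_compliant,` — HCL accepts it, but no other list in the file has one, so drop it for consistency. Separately, mapping CM-12(b) ("identify and document the users who have access") to only `control.iam_account_password_policy_min_length_14` is a weak fit; either add the IAM access-inventory controls already used in cm_5_1_a (e.g. `control.iam_user_in_group`, `control.iam_group_user_role_no_inline_policies`) or put a one-line rationale comment above that children list so the mapping is not mistaken for an omission.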
@@ -0,0 +1,445 @@
+benchmark "nist_800_53_rev_5_cp" {
+ title = "Contingency Planning (CP)"
+ description = "The CP control family includes controls specific to an organization's contingency plan if a cybersecurity event should occur. This includes controls like contingency plan testing, updating, training, and backups, and system reconstitution."
+ children = [
+ benchmark.nist_800_53_rev_5_cp_1,
+ benchmark.nist_800_53_rev_5_cp_2,
+ benchmark.nist_800_53_rev_5_cp_6,
+ benchmark.nist_800_53_rev_5_cp_9,
+ benchmark.nist_800_53_rev_5_cp_10
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cp_1" {
+ title = "Policy And Procedures (CP-1)"
+ description = "a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] contingency planning policy that: a). Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b). Is consistent with applicable laws, executive orders, directives regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls; b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the contingency planning policy and procedures; and c. Review and update the current contingency planning: 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]."
+ children = [
+ benchmark.nist_800_53_rev_5_cp_1_2,
+ benchmark.nist_800_53_rev_5_cp_1_a
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cp_1_a" {
+ title = "CP-1(a)"
+ description = "a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] contingency planning policy that: a). Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b). Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls."
+ children = [
+ benchmark.nist_800_53_rev_5_cp_1_a_2,
+ benchmark.nist_800_53_rev_5_cp_1_a_1_b
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cp_1_a_1_b" {
+ title = "CP-1(a)(1)(b)"
+ description = "a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] contingency planning policy that: (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines."
+ children = [
+ control.dynamodb_table_auto_scaling_enabled,
+ control.elb_application_lb_deletion_protection_enabled,
+ control.elb_classic_lb_cross_zone_load_balancing_enabled,
+ control.rds_db_instance_deletion_protection_enabled,
+ control.rds_db_instance_multiple_az_enabled,
+ control.vpc_vpn_tunnel_up
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cp_1_a_2" {
+ title = "CP-1(a)(2)"
+ description = "a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 2. Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls."
+ children = [
+ control.dynamodb_table_auto_scaling_enabled,
+ control.elb_application_lb_deletion_protection_enabled,
+ control.elb_classic_lb_cross_zone_load_balancing_enabled,
+ control.rds_db_instance_deletion_protection_enabled,
+ control.rds_db_instance_multiple_az_enabled,
+ control.vpc_vpn_tunnel_up
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cp_1_2" {
+ title = "CP-1(2)"
+ description = "Implement transaction recovery for systems that are transaction-based."
+ children = [
+ control.dynamodb_table_in_backup_plan,
+ control.ebs_volume_in_backup_plan,
+ control.efs_file_system_in_backup_plan,
+ control.rds_db_instance_in_backup_plan,
+ control.redshift_cluster_automatic_snapshots_min_7_days,
+ control.rds_db_instance_backup_enabled,
+ control.dynamodb_table_point_in_time_recovery_enabled,
+ control.elasticache_redis_cluster_automatic_backup_retention_15_days,
+ control.s3_bucket_cross_region_replication_enabled,
+ control.s3_bucket_versioning_enabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cp_2" {
+ title = "Contingency Plan (CP-2)"
+ description = "a. Develop a contingency plan for the system that: 1. Identifies essential mission and business functions and associated contingency requirements; 2. Provides recovery objectives, restoration priorities, and metrics; b. Distribute copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; c. Coordinate contingency planning activities with incident handling activities; d. Review the contingency plan for the system [Assignment: organization-defined frequency]; e. Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; f. Communicate contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; g. Incorporate lessons learned from contingency plan testing, training, or actual contingency activities into contingency testing and training; and h. Protect the contingency plan from unauthorized disclosure and modification."
+ children = [
+ benchmark.nist_800_53_rev_5_cp_2_a,
+ benchmark.nist_800_53_rev_5_cp_2_d,
+ benchmark.nist_800_53_rev_5_cp_2_e,
+ benchmark.nist_800_53_rev_5_cp_2_5,
+ benchmark.nist_800_53_rev_5_cp_2_6
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cp_2_a" {
+ title = "CP-2(a)"
+ description = "a. Develop a contingency plan for the system that: 1. Identifies essential mission and business functions and associated contingency requirements; 2. Provides recovery objectives, restoration priorities, and metrics; 3. Addresses contingency roles, responsibilities, assigned individuals with contact information; 4. Addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure; 5. Addresses eventual, full system restoration without deterioration of the controls originally planned and implemented; 6. Addresses the sharing of contingency information; and 7. Is reviewed and approved by [Assignment: organization-defined personnel or roles]."
+ children = [
+ benchmark.nist_800_53_rev_5_cp_2_a_6,
+ benchmark.nist_800_53_rev_5_cp_2_a_7,
+ control.dynamodb_table_auto_scaling_enabled,
+ control.elb_application_lb_deletion_protection_enabled,
+ control.elb_classic_lb_cross_zone_load_balancing_enabled,
+ control.rds_db_instance_deletion_protection_enabled,
+ control.rds_db_instance_multiple_az_enabled,
+ control.vpc_vpn_tunnel_up
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cp_2_a_6" {
+ title = "CP-2(a)(6)"
+ description = "Develop a contingency plan for the system that: 6. Addresses the sharing of contingency information."
+ children = [
+ control.dynamodb_table_auto_scaling_enabled,
+ control.elb_application_lb_deletion_protection_enabled,
+ control.elb_classic_lb_cross_zone_load_balancing_enabled,
+ control.rds_db_instance_deletion_protection_enabled,
+ control.rds_db_instance_multiple_az_enabled,
+ control.vpc_vpn_tunnel_up
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cp_2_a_7" {
+ title = "CP-2(a)(7)"
+ description = "Develop a contingency plan for the system that: 7. Is reviewed and approved by [Assignment: organization-defined personnel or roles]."
+ children = [
+ control.dynamodb_table_auto_scaling_enabled,
+ control.elb_application_lb_deletion_protection_enabled,
+ control.elb_classic_lb_cross_zone_load_balancing_enabled,
+ control.rds_db_instance_deletion_protection_enabled,
+ control.rds_db_instance_multiple_az_enabled,
+ control.vpc_vpn_tunnel_up
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cp_2_d" {
+ title = "CP-2(d)"
+ description = "Review the contingency plan for the system [Assignment: organization-defined frequency]"
+ children = [
+ control.dynamodb_table_auto_scaling_enabled,
+ control.elb_application_lb_deletion_protection_enabled,
+ control.elb_classic_lb_cross_zone_load_balancing_enabled,
+ control.rds_db_instance_deletion_protection_enabled,
+ control.rds_db_instance_multiple_az_enabled,
+ control.vpc_vpn_tunnel_up
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cp_2_e" {
+ title = "CP-2(e)"
+ description = "Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing."
+ children = [
+ control.dynamodb_table_auto_scaling_enabled,
+ control.elb_application_lb_deletion_protection_enabled,
+ control.elb_classic_lb_cross_zone_load_balancing_enabled,
+ control.rds_db_instance_deletion_protection_enabled,
+ control.rds_db_instance_multiple_az_enabled,
+ control.vpc_vpn_tunnel_up
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cp_2_5" {
+ title = "CP-2(5) Continue Mission And Business Functions"
+ description = "Plan for the continuance of [Selection: all; essential] mission and business functions with minimal or no loss of operational continuity and sustains that continuity until full system restoration at primary processing and/or storage sites."
+ children = [
+ control.dynamodb_table_auto_scaling_enabled,
+ control.dynamodb_table_in_backup_plan,
+ control.dynamodb_table_point_in_time_recovery_enabled,
+ control.ebs_volume_in_backup_plan,
+ control.ec2_instance_ebs_optimized,
+ control.efs_file_system_in_backup_plan,
+ control.elasticache_redis_cluster_automatic_backup_retention_15_days,
+ control.elb_application_lb_deletion_protection_enabled,
+ control.elb_classic_lb_cross_zone_load_balancing_enabled,
+ control.rds_db_instance_backup_enabled,
+ control.rds_db_instance_deletion_protection_enabled,
+ control.rds_db_instance_in_backup_plan,
+ control.rds_db_instance_multiple_az_enabled,
+ control.redshift_cluster_automatic_snapshots_min_7_days,
+ control.s3_bucket_cross_region_replication_enabled,
+ control.s3_bucket_versioning_enabled,
+ control.vpc_vpn_tunnel_up
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cp_2_6" {
+ title = "CP-2(6) Alternate Processing And Storage Sites"
+ description = "Plan for the transfer of [Selection: all; essential] mission and business functions to alternate processing and/or storage sites with minimal or no loss of operational continuity and sustain that continuity through system restoration to primary processing and/or storage sites."
+ children = [
+ control.dynamodb_table_auto_scaling_enabled,
+ control.elb_classic_lb_cross_zone_load_balancing_enabled,
+ control.rds_db_instance_multiple_az_enabled,
+ control.vpc_vpn_tunnel_up
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cp_6" {
+ title = "Alternate Storage Sites (CP-6)"
+ description = "a. Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and b. Ensure that the alternate storage site provides controls equivalent to that of the primary site."
+ children = [
+ benchmark.nist_800_53_rev_5_cp_6_1,
+ benchmark.nist_800_53_rev_5_cp_6_2,
+ benchmark.nist_800_53_rev_5_cp_6_a
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cp_6_a" {
+ title = "CP-6(a)"
+ description = "Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information."
+ children = [
+ control.dynamodb_table_in_backup_plan,
+ control.ebs_volume_in_backup_plan,
+ control.efs_file_system_in_backup_plan,
+ control.elasticache_redis_cluster_automatic_backup_retention_15_days,
+ control.rds_db_instance_backup_enabled,
+ control.rds_db_instance_in_backup_plan,
+ control.redshift_cluster_automatic_snapshots_min_7_days,
+ control.s3_bucket_cross_region_replication_enabled,
+ control.s3_bucket_versioning_enabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cp_6_1" {
+ title = "CP-6(1) Separation From Primary Site"
+ description = "Identify an alternate storage site that is sufficiently separated from the primary storage site to reduce susceptibility to the same threats."
+ children = [
+ control.dynamodb_table_in_backup_plan,
+ control.ebs_volume_in_backup_plan,
+ control.efs_file_system_in_backup_plan,
+ control.elasticache_redis_cluster_automatic_backup_retention_15_days,
+ control.rds_db_instance_backup_enabled,
+ control.rds_db_instance_in_backup_plan,
+ control.redshift_cluster_automatic_snapshots_min_7_days,
+ control.s3_bucket_cross_region_replication_enabled,
+ control.s3_bucket_versioning_enabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cp_6_2" {
+ title = "CP-6(2) Recovery Time And Recovery Point Objectives"
+ description = "Configure the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives."
+ children = [
+ control.dynamodb_table_auto_scaling_enabled,
+ control.dynamodb_table_in_backup_plan,
+ control.dynamodb_table_point_in_time_recovery_enabled,
+ control.ebs_volume_in_backup_plan,
+ control.efs_file_system_in_backup_plan,
+ control.elasticache_redis_cluster_automatic_backup_retention_15_days,
+ control.elb_classic_lb_cross_zone_load_balancing_enabled,
+ control.rds_db_instance_backup_enabled,
+ control.rds_db_instance_in_backup_plan,
+ control.rds_db_instance_multiple_az_enabled,
+ control.redshift_cluster_automatic_snapshots_min_7_days,
+ control.s3_bucket_cross_region_replication_enabled,
+ control.s3_bucket_versioning_enabled,
+ control.vpc_vpn_tunnel_up
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cp_9" {
+ title = "System Backup (CP-9)"
+ description = "a. Conduct backups of user-level information contained in [Assignment: organization-defined system components] [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; b. Conduct backups of system-level information contained in the system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; c. Conduct backups of system documentation, including security- and privacy-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and d. Protect the confidentiality, integrity, and availability of backup information."
+ children = [
+ benchmark.nist_800_53_rev_5_cp_9_8,
+ benchmark.nist_800_53_rev_5_cp_9_a,
+ benchmark.nist_800_53_rev_5_cp_9_b,
+ benchmark.nist_800_53_rev_5_cp_9_c,
+ benchmark.nist_800_53_rev_5_cp_9_d
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cp_9_a" {
+ title = "CP-9(a)"
+ description = "Conduct backups of user-level information contained in [Assignment: organization-defined system components] [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]."
+ children = [
+ control.dynamodb_table_in_backup_plan,
+ control.dynamodb_table_point_in_time_recovery_enabled,
+ control.ebs_volume_in_backup_plan,
+ control.ec2_instance_ebs_optimized,
+ control.efs_file_system_in_backup_plan,
+ control.elasticache_redis_cluster_automatic_backup_retention_15_days,
+ control.rds_db_instance_backup_enabled,
+ control.rds_db_instance_in_backup_plan,
+ control.redshift_cluster_automatic_snapshots_min_7_days,
+ control.redshift_cluster_maintenance_settings_check,
+ control.s3_bucket_cross_region_replication_enabled,
+ control.s3_bucket_versioning_enabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cp_9_b" {
+ title = "CP-9(b)"
+ description = "Conduct backups of system-level information contained in the system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]."
+ children = [
+ control.dynamodb_table_in_backup_plan,
+ control.dynamodb_table_point_in_time_recovery_enabled,
+ control.ebs_volume_in_backup_plan,
+ control.ec2_instance_ebs_optimized,
+ control.efs_file_system_in_backup_plan,
+ control.elasticache_redis_cluster_automatic_backup_retention_15_days,
+ control.rds_db_instance_backup_enabled,
+ control.rds_db_instance_in_backup_plan,
+ control.redshift_cluster_automatic_snapshots_min_7_days,
+ control.redshift_cluster_maintenance_settings_check,
+ control.s3_bucket_cross_region_replication_enabled,
+ control.s3_bucket_versioning_enabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cp_9_c" {
+ title = "CP-9(c)"
+ description = "Conduct backups of system documentation, including security- and privacy-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]."
+ children = [
+ control.dynamodb_table_in_backup_plan,
+ control.ebs_volume_in_backup_plan,
+ control.efs_file_system_in_backup_plan,
+ control.rds_db_instance_in_backup_plan,
+ control.redshift_cluster_automatic_snapshots_min_7_days,
+ control.rds_db_instance_backup_enabled,
+ control.dynamodb_table_point_in_time_recovery_enabled,
+ control.ec2_instance_ebs_optimized,
+ control.elasticache_redis_cluster_automatic_backup_retention_15_days,
+ control.redshift_cluster_maintenance_settings_check,
+ control.s3_bucket_cross_region_replication_enabled,
+ control.s3_bucket_versioning_enabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cp_9_d" {
+ title = "CP-9(d)"
+ description = "Protect the confidentiality, integrity, and availability of backup information."
+ children = [
+ control.apigateway_stage_cache_encryption_at_rest_enabled,
+ control.cloudtrail_trail_logs_encrypted_with_kms_cmk,
+ control.dynamodb_table_in_backup_plan,
+ control.ebs_attached_volume_encryption_enabled,
+ control.ec2_ebs_default_encryption_enabled,
+ control.efs_file_system_encrypt_data_at_rest,
+ control.es_domain_encryption_at_rest_enabled,
+ control.log_group_encryption_at_rest_enabled,
+ control.rds_db_instance_encryption_at_rest_enabled,
+ control.rds_db_snapshot_encrypted_at_rest,
+ control.redshift_cluster_encryption_logging_enabled,
+ control.redshift_cluster_kms_enabled,
+ control.s3_bucket_default_encryption_enabled_kms,
+ control.s3_bucket_default_encryption_enabled,
+ control.sagemaker_endpoint_configuration_encryption_at_rest_enabled,
+ control.sagemaker_notebook_instance_encryption_at_rest_enabled,
+ control.secretsmanager_secret_encrypted_with_kms_cmk,
+ control.sns_topic_encrypted_at_rest
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cp_9_8" {
+ title = "CP-9(8) Cryptographic Protection"
+ description = "Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of [Assignment: organization-defined backup information]."
+ children = [
+ control.rds_db_snapshot_encrypted_at_rest,
+ control.s3_bucket_default_encryption_enabled,
+ control.s3_bucket_default_encryption_enabled_kms
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cp_10" {
+ title = "System Recovery And Reconstitution (CP-10)"
+ description = "Provide for the recovery and reconstitution of the system to a known state within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] after a disruption, compromise, or failure."
+ children = [
+ benchmark.nist_800_53_rev_5_cp_10_2,
+ control.dynamodb_table_auto_scaling_enabled,
+ control.dynamodb_table_in_backup_plan,
+ control.dynamodb_table_point_in_time_recovery_enabled,
+ control.ebs_volume_in_backup_plan,
+ control.ec2_instance_ebs_optimized,
+ control.efs_file_system_in_backup_plan,
+ control.elasticache_redis_cluster_automatic_backup_retention_15_days,
+ control.elb_classic_lb_cross_zone_load_balancing_enabled,
+ control.rds_db_instance_backup_enabled,
+ control.rds_db_instance_in_backup_plan,
+ control.rds_db_instance_multiple_az_enabled,
+ control.redshift_cluster_automatic_snapshots_min_7_days,
+ control.s3_bucket_cross_region_replication_enabled,
+ control.s3_bucket_versioning_enabled,
+ control.vpc_vpn_tunnel_up
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cp_10_2" {
+ title = "CP-10(2) Transaction Recovery"
+ description = "Implement transaction recovery for systems that are transaction-based."
+ children = [
+ control.dynamodb_table_in_backup_plan,
+ control.dynamodb_table_point_in_time_recovery_enabled,
+ control.ebs_volume_in_backup_plan,
+ control.efs_file_system_in_backup_plan,
+ control.elasticache_redis_cluster_automatic_backup_retention_15_days,
+ control.rds_db_instance_backup_enabled,
+ control.rds_db_instance_in_backup_plan,
+ control.redshift_cluster_automatic_snapshots_min_7_days,
+ control.s3_bucket_cross_region_replication_enabled,
+ control.s3_bucket_versioning_enabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
\ No newline at end of file
diff --git a/nist_800_53_rev_5/docs/nist_800_53_rev_5_overview.md b/nist_800_53_rev_5/docs/nist_800_53_rev_5_overview.md
new file mode 100644
index 00000000..26415035
--- /dev/null
+++ b/nist_800_53_rev_5/docs/nist_800_53_rev_5_overview.md
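Review bot: The benchmark `nist_800_53_rev_5_cp_1_2` (title `CP-1(2)`) looks mis-keyed: its description is CP-10(2)'s text ("Implement transaction recovery for systems that are transaction-based") and its ten children are exactly those of `nist_800_53_rev_5_cp_10_2` later in the file, whereas CP-1 in SP 800-53 Rev 5 is the policy-and-procedures control and, as far as I can tell, carries no enhancement (2). As written, the tree reports the same transaction-recovery findings twice, once under "Policy And Procedures (CP-1)" and once under "System Recovery And Reconstitution (CP-10)", which misstates coverage in any report built from this benchmark. Unless there is a mapping source I am not seeing, drop `benchmark.nist_800_53_rev_5_cp_1_2,` from the `children` list of `nist_800_53_rev_5_cp_1` and delete the `nist_800_53_rev_5_cp_1_2` block. Separately, `nist_800_53_rev_5_cp_2_d` is the only description in the file without a terminating period (`...[Assignment: organization-defined frequency]"`); add the `.` for consistency with its siblings.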
@@ -0,0 +1,8 @@
+To obtain the latest version of the official guide, please visit https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final.
+
+## Overview
+
+NIST 800-53 is a regulatory standard that defines the minimum baseline of
+security controls for all U.S. federal information systems except those related
+to national security. The controls defined in this standard are customizable
+and address a diverse set of security and privacy requirements.
diff --git a/nist_800_53_rev_5/ia.sp b/nist_800_53_rev_5/ia.sp
new file mode 100644
index 00000000..4e7c2e1c
--- /dev/null
+++ b/nist_800_53_rev_5/ia.sp
@@ -0,0 +1,436 @@ +benchmark "nist_800_53_rev_5_ia" { + title = "Identification and Authentication (IA)" + description = "IA controls are specific to the identification and authentication policies in an organization. This includes the identification and authentication of organizational and non-organizational users and how the management of those systems." + children = [ + benchmark.nist_800_53_rev_5_ia_2, + benchmark.nist_800_53_rev_5_ia_3, + benchmark.nist_800_53_rev_5_ia_4, + benchmark.nist_800_53_rev_5_ia_5, + benchmark.nist_800_53_rev_5_ia_8 + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ia_2" { + title = "Identification and Authentication (Organizational users) (IA-2)" + description = "The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users)." + children = [ + benchmark.nist_800_53_rev_5_ia_2_1, + benchmark.nist_800_53_rev_5_ia_2_2, + benchmark.nist_800_53_rev_5_ia_2_6, + benchmark.nist_800_53_rev_5_ia_2_8, + control.iam_root_user_no_access_keys + ] + + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/IAM" + }) +} + +benchmark "nist_800_53_rev_5_ia_2_1" { + title = "IA-2(1) Multi-Factor Authentication To Privileged Accounts" + description = "Implement multi-factor authentication for access to privileged accounts." + children = [ + control.iam_root_user_hardware_mfa_enabled, + control.iam_root_user_mfa_enabled, + control.iam_user_console_access_mfa_enabled, + control.iam_user_mfa_enabled + ] + + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/IAM" + }) +} + +benchmark "nist_800_53_rev_5_ia_2_2" { + title = "IA-2(2) Multi-Factor Authentication To Non-Privileged Accounts" + description = "Implement multi-factor authentication for access to non-privileged accounts." 
+ children = [ + control.iam_root_user_hardware_mfa_enabled, + control.iam_root_user_mfa_enabled, + control.iam_user_console_access_mfa_enabled, + control.iam_user_mfa_enabled + ] + + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/IAM" + }) +} + +benchmark "nist_800_53_rev_5_ia_2_6" { + title = "IA-2(6) Acces To Accounts — Separate Device" + description = "Implement multi-factor authentication for [Selection (one or more): local; network; remote] access to [Selection (one or more): privileged accounts; non-privileged accounts] such that: (a) One of the factors is provided by a device separate from the system gaining access; and (b) The device meets [Assignment: organization-defined strength of mechanism requirements]." + children = [ + benchmark.nist_800_53_rev_5_ia_2_6_a, + control.iam_root_user_hardware_mfa_enabled, + control.iam_root_user_mfa_enabled, + control.iam_user_console_access_mfa_enabled, + control.iam_user_mfa_enabled + ] + + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/IAM" + }) +} + +benchmark "nist_800_53_rev_5_ia_2_6_a" { + title = "IA-2(6)(a)" + description = "Implement multi-factor authentication for [Selection (one or more): local; network; remote] access to [Selection (one or more): privileged accounts; non-privileged accounts] such that: (a) One of the factors is provided by a device separate from the system gaining access." + children = [ + control.iam_root_user_hardware_mfa_enabled, + control.iam_root_user_mfa_enabled, + control.iam_user_console_access_mfa_enabled, + control.iam_user_mfa_enabled + ] + + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/IAM" + }) +} + +benchmark "nist_800_53_rev_5_ia_2_8" { + title = "IA-2(8) Access To Accounts — Replay Resistant" + description = "Implement replay-resistant authentication mechanisms for access to [Selection (one or more): privileged accounts; non-privileged accounts]." 
+ children = [ + control.iam_root_user_hardware_mfa_enabled, + control.iam_root_user_mfa_enabled, + control.iam_user_console_access_mfa_enabled, + control.iam_user_mfa_enabled + ] + + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/IAM" + }) +} + +benchmark "nist_800_53_rev_5_ia_3" { + title = "Device Identification And Authentication (IA-3)" + description = "Uniquely identify and authenticate [Assignment: organization-defined devices and/or types of devices] before establishing a [Selection (one or more): local; remote; network] connection." + children = [ + benchmark.nist_800_53_rev_5_ia_3_3 + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ia_3_3" { + title = "IA-3(3) Dynamic Address Allocation" + description = "a. Where addresses are allocated dynamically, standardize dynamic address allocation lease information and the lease duration assigned to devices in accordance with [Assignment: organization-defined lease information and lease duration]; and b. Audit lease information when assigned to a device." + children = [ + benchmark.nist_800_53_rev_5_ia_3_3_b + + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ia_3_3_b" { + title = "IA-3(3)(b)" + description = "Audit lease information when assigned to a device." 
+ children = [ + control.cloudtrail_multi_region_trail_enabled, + control.wafv2_web_acl_logging_enabled, + control.apigateway_stage_logging_enabled, + control.cloudtrail_trail_integrated_with_logs, + control.cloudtrail_trail_enabled, + control.cloudtrail_s3_data_events_enabled, + control.elb_application_classic_lb_logging_enabled, + control.rds_db_instance_logging_enabled, + control.redshift_cluster_encryption_logging_enabled, + control.s3_bucket_logging_enabled, + control.vpc_flow_logs_enabled + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ia_4" { + title = "Identifier Management (IA-4)" + description = "Manage information system identifiers for users and devices. Automate authorizing and disabling users to prevent misuse." + children = [ + benchmark.nist_800_53_rev_5_ia_4_8, + benchmark.nist_800_53_rev_5_ia_4_b, + benchmark.nist_800_53_rev_5_ia_4_d, + benchmark.nist_800_53_rev_5_ia_4_4 + ] + + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/IAM" + }) +} + +benchmark "nist_800_53_rev_5_ia_4_b" { + title = "IA-4(b)" + description = "Manage system identifiers by: b. Selecting an identifier that identifies an individual, group, role, service, or device." + children = [ + control.iam_root_user_no_access_keys + ] + + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/IAM" + }) +} + +benchmark "nist_800_53_rev_5_ia_4_d" { + title = "IA-4(d)" + description = "Manage system identifiers by: d. Preventing reuse of identifiers for [Assignment: organization-defined time period]." + children = [ + control.iam_account_password_policy_min_length_14 + ] + + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/IAM" + }) +} + +benchmark "nist_800_53_rev_5_ia_4_4" { + title = "IA-4(4)" + description = "Manage individual identifiers by uniquely identifying each individual as [Assignment: organization-defined characteristic identifying individual status]." 
+ children = [
+ control.iam_root_user_no_access_keys
+ ]
+
+ tags = merge(local.nist_800_53_rev_5_common_tags, {
+ service = "AWS/IAM"
+ })
+}
+
+benchmark "nist_800_53_rev_5_ia_4_8" {
+ title = "IA-4(8)"
+ description = "Generate pairwise pseudonymous identifiers."
+ children = [
+ control.iam_root_user_no_access_keys
+ ]
+
+ tags = merge(local.nist_800_53_rev_5_common_tags, {
+ service = "AWS/IAM"
+ })
+}
+
+benchmark "nist_800_53_rev_5_ia_5" {
+ title = "Authenticator Management (IA-5)"
+ description = "Authenticate users and devices. Automate administrative control. Enforce restrictions. Protect against unauthorized use."
+ children = [
+ benchmark.nist_800_53_rev_5_ia_5_1,
+ benchmark.nist_800_53_rev_5_ia_5_8,
+ benchmark.nist_800_53_rev_5_ia_5_18,
+ benchmark.nist_800_53_rev_5_ia_5_b,
+ benchmark.nist_800_53_rev_5_ia_5_c,
+ benchmark.nist_800_53_rev_5_ia_5_d,
+ benchmark.nist_800_53_rev_5_ia_5_f,
+ benchmark.nist_800_53_rev_5_ia_5_h,
+ control.iam_account_password_policy_min_length_14
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ia_5_b" {
+ title = "IA-5(b)"
+ description = "Manage system authenticators by: b. Establishing initial authenticator content for any authenticators issued by the organization."
+ children = [
+ control.iam_account_password_policy_min_length_14
+ ]
+
+ tags = merge(local.nist_800_53_rev_5_common_tags, {
+ service = "AWS/IAM"
+ })
+}
+
+benchmark "nist_800_53_rev_5_ia_5_c" {
+ title = "IA-5(c)"
+ description = "Manage system authenticators by: c. Ensuring that authenticators have sufficient strength of mechanism for their intended use."
+ children = [
+ control.iam_account_password_policy_min_length_14
+ ]
+
+ tags = merge(local.nist_800_53_rev_5_common_tags, {
+ service = "AWS/IAM"
+ })
+}
+
+benchmark "nist_800_53_rev_5_ia_5_d" {
+ title = "IA-5(d)"
+ description = "Manage system authenticators by: d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators."
+ children = [
+ control.iam_account_password_policy_min_length_14
+ ]
+
+ tags = merge(local.nist_800_53_rev_5_common_tags, {
+ service = "AWS/IAM"
+ })
+}
+
+benchmark "nist_800_53_rev_5_ia_5_f" {
+ title = "IA-5(f)"
+ description = "Manage system authenticators by: f. Changing or refreshing authenticators [Assignment: organization-defined time period by authenticator type] or when [Assignment: organization-defined events] occur."
+ children = [
+ control.iam_account_password_policy_min_length_14
+ ]
+
+ tags = merge(local.nist_800_53_rev_5_common_tags, {
+ service = "AWS/IAM"
+ })
+}
+
+benchmark "nist_800_53_rev_5_ia_5_h" {
+ title = "IA-5(h)"
+ description = "Manage system authenticators by: h. Requiring individuals to take, and having devices implement, specific controls to protect authenticators."
+ children = [
+ control.iam_account_password_policy_min_length_14
+ ]
+
+ tags = merge(local.nist_800_53_rev_5_common_tags, {
+ service = "AWS/IAM"
+ })
+}
+
+benchmark "nist_800_53_rev_5_ia_5_1" {
+ title = "IA-5(1) Password-Based Authentication"
+ description = "The information system, for password-based authentication that enforces minimum password complexity, stores and transmits only cryptographically-protected passwords, enforces password minimum and maximum lifetime restrictions, prohibits password reuse, allows the use of a temporary password for system logons with an immediate change to a permanent password etc."
+ children = [
+ benchmark.nist_800_53_rev_5_ia_5_1_c,
+ benchmark.nist_800_53_rev_5_ia_5_1_f,
+ benchmark.nist_800_53_rev_5_ia_5_1_g,
+ benchmark.nist_800_53_rev_5_ia_5_1_h
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ia_5_1_c" {
+ title = "IA-5(1)(c)"
+ description = "For password-based authentication: (c) Transmit passwords only over cryptographically-protected channels."
+ children = [
+ control.apigateway_rest_api_stage_use_ssl_certificate,
+ control.elb_application_lb_redirect_http_request_to_https,
+ control.elb_classic_lb_use_ssl_certificate,
+ control.elb_classic_lb_use_tls_https_listeners,
+ control.s3_bucket_enforces_ssl
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ia_5_1_f" {
+ title = "IA-5(1)(f)"
+ description = "For password-based authentication: (f) Allow user selection of long passwords and passphrases, including spaces and all printable characters."
+ children = [
+ control.iam_account_password_policy_min_length_14
+ ]
+
+ tags = merge(local.nist_800_53_rev_5_common_tags, {
+ service = "AWS/IAM"
+ })
+}
+
+benchmark "nist_800_53_rev_5_ia_5_1_g" {
+ title = "IA-5(1)(g)"
+ description = "For password-based authentication: (g) Employ automated tools to assist the user in selecting strong password authenticators."
+ children = [
+ control.iam_account_password_policy_min_length_14
+ ]
+
+ tags = merge(local.nist_800_53_rev_5_common_tags, {
+ service = "AWS/IAM"
+ })
+}
+
+benchmark "nist_800_53_rev_5_ia_5_1_h" {
+ title = "IA-5(1)(h)"
+ description = "For password-based authentication: (h) Enforce the following composition and complexity rules: [Assignment: organization-defined composition and complexity rules]."
+ children = [
+ control.iam_account_password_policy_min_length_14
+ ]
+
+ tags = merge(local.nist_800_53_rev_5_common_tags, {
+ service = "AWS/IAM"
+ })
+}
+
+benchmark "nist_800_53_rev_5_ia_5_8" {
+ title = "IA-5(8) Multiple System Accounts"
+ description = "Implement [Assignment: organization-defined security controls] to manage the risk of compromise due to individuals having accounts on multiple systems."
+ children = [
+ control.iam_root_user_no_access_keys
+ ]
+
+ tags = merge(local.nist_800_53_rev_5_common_tags, {
+ service = "AWS/IAM"
+ })
+}
+
+benchmark "nist_800_53_rev_5_ia_5_18" {
+ title = "IA-5(18) Password Managers"
+ description = "a. Employ [Assignment: organization-defined password managers] to generate and manage passwords; and b. Protect the passwords using [Assignment: organization-defined controls]."
+ children = [
+ benchmark.nist_800_53_rev_5_ia_5_18_a,
+ benchmark.nist_800_53_rev_5_ia_5_18_b
+ ]
+
+ tags = merge(local.nist_800_53_rev_5_common_tags, {
+ service = "AWS/IAM"
+ })
+}
+
+benchmark "nist_800_53_rev_5_ia_5_18_a" {
+ title = "IA-5(18)(a)"
+ description = "Employ [Assignment: organization-defined password managers] to generate and manage passwords."
+ children = [
+ control.iam_account_password_policy_min_length_14
+ ]
+
+ tags = merge(local.nist_800_53_rev_5_common_tags, {
+ service = "AWS/IAM"
+ })
+}
+
+benchmark "nist_800_53_rev_5_ia_5_18_b" {
+ title = "IA-5(18)(b)"
+ description = "Protect the passwords using [Assignment: organization-defined controls]."
+ children = [
+ control.iam_account_password_policy_min_length_14
+ ]
+
+ tags = merge(local.nist_800_53_rev_5_common_tags, {
+ service = "AWS/IAM"
+ })
+}
+
+benchmark "nist_800_53_rev_5_ia_8" {
+ title = "Identification And Authentication (Non-Organizational Users) (IA-8)"
+ description = "Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users."
+ children = [
+ benchmark.nist_800_53_rev_5_ia_8_2
+ ]
+
+ tags = merge(local.nist_800_53_rev_5_common_tags, {
+ service = "AWS/IAM"
+ })
+}
+
+benchmark "nist_800_53_rev_5_ia_8_2" {
+ title = "IA-8(2) Acceptance Of External Authenticators"
+ description = "Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users."
+ children = [
+ benchmark.nist_800_53_rev_5_ia_8_2_b
+ ]
+
+ tags = merge(local.nist_800_53_rev_5_common_tags, {
+ service = "AWS/IAM"
+ })
+}
+
+benchmark "nist_800_53_rev_5_ia_8_2_b" {
+ title = "IA-8(2)(b)"
+ description = "Document and maintain a list of accepted external authenticators."
+ children = [
+ control.iam_account_password_policy_min_length_14
+ ]
+
+ tags = merge(local.nist_800_53_rev_5_common_tags, {
+ service = "AWS/IAM"
+ })
+}
+
diff --git a/nist_800_53_rev_5/ir.sp b/nist_800_53_rev_5/ir.sp
new file mode 100644
index 00000000..960a2d5a
--- /dev/null
+++ b/nist_800_53_rev_5/ir.sp
@@ -0,0 +1,35 @@
+benchmark "nist_800_53_rev_5_ir" {
+ title = "Incident Response (IR)"
+ description = "IR controls are specific to an organization’s incident response policies and procedures. This includes incident response training, testing, monitoring, reporting, and response plan."
+ children = [
+ benchmark.nist_800_53_rev_5_ir_4
+ ]
+
+ tags = merge(local.nist_800_53_rev_5_common_tags, {
+ service = "AWS/GuardDuty"
+ })
+}
+
+benchmark "nist_800_53_rev_5_ir_4" {
+ title = "Incident Handling (IR-4)"
+ description = "a. Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery;b. Coordinate incident handling activities with contingency planning activities; c. Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly; and d. Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization."
+ children = [
+ benchmark.nist_800_53_rev_5_ir_4_a
+ ]
+
+ tags = merge(local.nist_800_53_rev_5_common_tags, {
+ service = "AWS/GuardDuty"
+ })
+}
+
+benchmark "nist_800_53_rev_5_ir_4_a" {
+ title = "IR-4(a)"
+ description = "Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery."
+ children = [
+ control.guardduty_finding_archived
+ ]
+
+ tags = merge(local.nist_800_53_rev_5_common_tags, {
+ service = "AWS/GuardDuty"
+ })
+}
diff --git a/nist_800_53_rev_5/ma.sp b/nist_800_53_rev_5/ma.sp
new file mode 100644
index 00000000..a8b7b05b
--- /dev/null
+++ b/nist_800_53_rev_5/ma.sp
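Review bot: The only evidence under `nist_800_53_rev_5_ir_4_a` is `control.guardduty_finding_archived`, which reports on whether findings have been archived but not on whether detection is running at all, so an account with GuardDuty disabled has nothing to fail against for IR-4(a). `control.guardduty_enabled`, which this same change uses in pe.sp, pm.sp and ra.sp, is the more defensible first child here, with the archived-findings check kept as the triage follow-on. The IR-4 description is missing a space after its first clause: `recovery;b. Coordinate` should read `recovery; b. Coordinate`. The family root `nist_800_53_rev_5_ir` is tagged `service = "AWS/GuardDuty"` while the family roots in ma.sp, mp.sp and pm.sp carry only the common tags; the family level should follow one convention.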
@@ -0,0 +1,62 @@
+benchmark "nist_800_53_rev_5_ma" {
+ title = "Maintenance (MA)"
+ description = "The MA controls in NIST 800-53 revision five detail requirements for maintaining organizational systems and the tools used."
+ children = [
+ benchmark.nist_800_53_rev_5_ma_4
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ma_4" {
+ title = "Nonlocal Maintenance (MA-4)"
+ description = "a. Approve and monitor nonlocal maintenance and diagnostic activities; b. Allow the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the system; c. Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions; d. Maintain records for nonlocal maintenance and diagnostic activities; and e. Terminate session and network connections when nonlocal maintenance is completed."
+ children = [
+ benchmark.nist_800_53_rev_5_ma_4_1,
+ benchmark.nist_800_53_rev_5_ma_4_c
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ma_4_c" {
+ title = "MA-4(c)"
+ description = "Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions."
+ children = [
+ control.iam_account_password_policy_min_length_14
+ ]
+
+ tags = merge(local.nist_800_53_rev_5_common_tags, {
+ service = "AWS/IAM"
+ })
+}
+
+benchmark "nist_800_53_rev_5_ma_4_1" {
+ title = "MA-4(1) Logging And Review"
+ description = "a. Log [Assignment: organization-defined audit events] for nonlocal maintenance and diagnostic sessions; and b. Review the audit records of the maintenance and diagnostic sessions to detect anomalous behavior."
+ children = [
+ benchmark.nist_800_53_rev_5_ma_4_1_a
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ma_4_1_a" {
+ title = "MA-4(1)(a)"
+ description = "Log [Assignment: organization-defined audit events] for nonlocal maintenance and diagnostic sessions."
+ children = [
+ control.apigateway_stage_logging_enabled,
+ control.cloudtrail_multi_region_trail_enabled,
+ control.cloudtrail_s3_data_events_enabled,
+ control.cloudtrail_trail_enabled,
+ control.cloudtrail_trail_integrated_with_logs,
+ control.elb_application_classic_lb_logging_enabled,
+ control.rds_db_instance_logging_enabled,
+ control.redshift_cluster_encryption_logging_enabled,
+ control.s3_bucket_logging_enabled,
+ control.vpc_flow_logs_enabled,
+ control.wafv2_web_acl_logging_enabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
\ No newline at end of file
diff --git a/nist_800_53_rev_5/mp.sp b/nist_800_53_rev_5/mp.sp
new file mode 100644
index 00000000..8078524d
--- /dev/null
+++ b/nist_800_53_rev_5/mp.sp
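Review bot: `nist_800_53_rev_5_ma_4_c` evidences "Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions" with `control.iam_account_password_policy_min_length_14` alone; a minimum password length is not a strong-authentication mechanism, so whichever multi-factor controls the mod already exposes (confirm which exist) belong here, with the password-policy check at most as a secondary child. The same single password-length control is also the sole evidence for most IA-5 sub-benchmarks in the ia.sp hunk above, so the mapping rationale deserves a `#` comment where it is first used. This file ends with `\ No newline at end of file`, as do mp.sp, pe.sp, pm.sp and ra.sp in this change, while ir.sp and nist_800_53_rev_5.sp end with a newline; add the trailing newline so every new file is consistent and later diffs stay clean.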
@@ -0,0 +1,42 @@
+benchmark "nist_800_53_rev_5_mp" {
+ title = "Media Protection (MP)"
+ description = "The Media Protection control family includes controls specific to access, marking, storage, transport policies, sanitization, and defined organizational media use."
+ children = [
+ benchmark.nist_800_53_rev_5_mp_2
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_mp_2" {
+ title = "Media Access (MP-2)"
+ description = "Restrict access to [Assignment: organization-defined types of digital and/or non-digital media] to [Assignment: organization-defined personnel or roles]."
+ children = [
+ control.dms_replication_instance_not_publicly_accessible,
+ control.ebs_snapshot_not_publicly_restorable,
+ control.ec2_instance_in_vpc,
+ control.ec2_instance_not_publicly_accessible,
+ control.ec2_instance_uses_imdsv2,
+ control.emr_cluster_master_nodes_no_public_ip,
+ control.es_domain_in_vpc,
+ control.iam_group_user_role_no_inline_policies,
+ control.iam_policy_no_star_star,
+ control.iam_root_user_no_access_keys,
+ control.iam_user_in_group,
+ control.iam_user_no_inline_attached_policies,
+ control.iam_user_unused_credentials_90,
+ control.lambda_function_in_vpc,
+ control.lambda_function_restrict_public_access,
+ control.rds_db_instance_prohibit_public_access,
+ control.rds_db_snapshot_prohibit_public_access,
+ control.redshift_cluster_prohibit_public_access,
+ control.s3_bucket_restrict_public_read_access,
+ control.s3_bucket_restrict_public_write_access,
+ control.s3_public_access_block_account,
+ control.s3_public_access_block_bucket,
+ control.sagemaker_notebook_instance_direct_internet_access_disabled,
+ control.vpc_subnet_auto_assign_public_ip_disabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
\ No newline at end of file
diff --git a/nist_800_53_rev_5/nist_800_53_rev_5.sp b/nist_800_53_rev_5/nist_800_53_rev_5.sp
new file mode 100644
index 00000000..94376b45
--- /dev/null
+++ b/nist_800_53_rev_5/nist_800_53_rev_5.sp
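Review bot: The `nist_800_53_rev_5_mp_2` children list mixes public-exposure checks with IAM-hygiene controls such as `control.iam_user_unused_credentials_90`, `control.iam_user_in_group` and `control.ec2_instance_uses_imdsv2`, and nothing in the file says why those count as media-access restrictions. A one-line comment above `children` stating the mapping rationale would make the list reviewable, e.g. `# MP-2: in AWS, media access is governed by the public exposure of storage-backed resources and by the IAM permissions granted to principals`. The list here is alphabetized while the first list in the ia.sp hunk above is not; alphabetical order is the easier convention to keep across the new files.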
@@ -0,0 +1,32 @@
+locals {
+ nist_800_53_rev_5_common_tags = merge(local.aws_compliance_common_tags, {
+ nist_800_53_rev_5 = "true"
+ type = "Benchmark"
+ })
+}
+
+benchmark "nist_800_53_rev_5" {
+ title = "NIST 800-53 Revision 5"
+ description = "NIST 800-53 is a regulatory standard that defines the minimum baseline of security controls for all U.S. federal information systems except those related to national security."
+ documentation = file("./nist_800_53_rev_5/docs/nist_800_53_rev_5_overview.md")
+
+ children = [
+ benchmark.nist_800_53_rev_5_ac,
+ benchmark.nist_800_53_rev_5_au,
+ benchmark.nist_800_53_rev_5_ca,
+ benchmark.nist_800_53_rev_5_cm,
+ benchmark.nist_800_53_rev_5_cp,
+ benchmark.nist_800_53_rev_5_ia,
+ benchmark.nist_800_53_rev_5_ir,
+ benchmark.nist_800_53_rev_5_ma,
+ benchmark.nist_800_53_rev_5_mp,
+ benchmark.nist_800_53_rev_5_pe,
+ benchmark.nist_800_53_rev_5_pm,
+ benchmark.nist_800_53_rev_5_ra,
+ benchmark.nist_800_53_rev_5_sa,
+ benchmark.nist_800_53_rev_5_sc,
+ benchmark.nist_800_53_rev_5_si
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
diff --git a/nist_800_53_rev_5/pe.sp b/nist_800_53_rev_5/pe.sp
new file mode 100644
index 00000000..f5a1b7f5
--- /dev/null
+++ b/nist_800_53_rev_5/pe.sp
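Review bot: `documentation = file("./nist_800_53_rev_5/docs/nist_800_53_rev_5_overview.md")` references a file that does not appear anywhere in the visible part of this diff, and `file()` fails at mod load if the path is absent, so confirm the overview document is part of this commit. The root benchmark lists fifteen family benchmarks (`ac` through `si`) but only ia, ir, ma, mp, pe, pm, ra and sa are visible here; the remaining families are presumably in hunks outside this view and should be checked against this list so no child reference dangles.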
@@ -0,0 +1,48 @@
+benchmark "nist_800_53_rev_5_pe" {
+ title = "Physical And Environmental Protection (PE)"
+ description = "The Physical and Environmental Protection control family is implemented to protect systems, buildings, and related supporting infrastructure against physical threats. These controls include physical access authorizations, monitoring, visitor records, emergency shutoff, power, lighting, fire protection, and water damage protection."
+ children = [
+ benchmark.nist_800_53_rev_5_pe_6
+ ]
+
+ tags = merge(local.nist_800_53_rev_5_common_tags, {
+ service = "AWS/GuardDuty"
+ })
+}
+
+benchmark "nist_800_53_rev_5_pe_6" {
+ title = "Monitoring Physical Access (PE-6)"
+ description = "a. Monitor physical access to the facility where the system resides to detect and respond to physical security incidents; b. Review physical access logs [Assignment: organization-defined frequency] and upon occurrence of [Assignment: organization-defined events or potential indications of events]; and c. Coordinate results of reviews and investigations with the organizational incident response capability."
+ children = [
+ benchmark.nist_800_53_rev_5_pe_6_2,
+ benchmark.nist_800_53_rev_5_pe_6_4
+ ]
+
+ tags = merge(local.nist_800_53_rev_5_common_tags, {
+ service = "AWS/GuardDuty"
+ })
+}
+
+benchmark "nist_800_53_rev_5_pe_6_2" {
+ title = "PE-6(2) Monitoring Physical Access"
+ description = "Recognize [Assignment: organization-defined classes or types of intrusions] and initiate [Assignment: organization-defined response actions] using [Assignment: organization-defined automated mechanisms]."
+ children = [
+ control.guardduty_enabled
+ ]
+
+ tags = merge(local.nist_800_53_rev_5_common_tags, {
+ service = "AWS/GuardDuty"
+ })
+}
+
+benchmark "nist_800_53_rev_5_pe_6_4" {
+ title = "PE-6(4) Monitoring Physical Access"
+ description = "Monitor physical access to the system in addition to the physical access monitoring of the facility at [Assignment: organization-defined physical spaces containing one or more components of the system]."
+ children = [
+ control.guardduty_enabled
+ ]
+
+ tags = merge(local.nist_800_53_rev_5_common_tags, {
+ service = "AWS/GuardDuty"
+ })
+}
\ No newline at end of file
diff --git a/nist_800_53_rev_5/pm.sp b/nist_800_53_rev_5/pm.sp
new file mode 100644
index 00000000..fa030d49
--- /dev/null
+++ b/nist_800_53_rev_5/pm.sp
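Review bot: Both `nist_800_53_rev_5_pe_6_2` and `nist_800_53_rev_5_pe_6_4` evidence physical-access monitoring with `control.guardduty_enabled`, and nothing in the file says why a threat-detection service stands in for a physical control; under the AWS shared-responsibility model physical access to facilities is AWS's side, so a `#` comment at the top of `nist_800_53_rev_5_pe` stating that these benchmarks cover only the customer-side detection signal would stop a reader from treating a pass as physical-security evidence. The enhancement titles `PE-6(2) Monitoring Physical Access` and `PE-6(4) Monitoring Physical Access` simply repeat the parent's name; as far as I recall the Rev 5 catalog names them "Automated Intrusion Recognition and Responses" and "Monitoring Physical Access to Systems", which the descriptions already match — confirm against the catalog and title accordingly. The `nist_800_53_rev_5_pe` family root is tagged `service = "AWS/GuardDuty"` like ir.sp, while the other family roots in this change use only the common tags.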
@@ -0,0 +1,199 @@
+benchmark "nist_800_53_rev_5_pm" {
+ title = "Program Management (PM)"
+ description = "The PM control family is specific to who manages your cybersecurity program and how it operates. This includes, but is not limited to, a critical infrastructure plan, information security program plan, plan of action milestones and processes, risk management strategy, and enterprise architecture."
+ children = [
+ benchmark.nist_800_53_rev_5_pm_11,
+ benchmark.nist_800_53_rev_5_pm_14,
+ benchmark.nist_800_53_rev_5_pm_16,
+ benchmark.nist_800_53_rev_5_pm_17,
+ benchmark.nist_800_53_rev_5_pm_21,
+ benchmark.nist_800_53_rev_5_pm_31
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_pm_11" {
+ title = "Mission And Business Process Defination (PM-11)"
+ description = "a. Define organizational mission and business processes with consideration for information security and privacy and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation; and b. Determine information protection and personally identifiable information processing needs arising from the defined mission and business processes; and c. Review and revise the mission and business processes [Assignment: organization-defined frequency]."
+ children = [
+ benchmark.nist_800_53_rev_5_pm_11_b
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_pm_11_b" {
+ title = "PM-11(b)"
+ description = "Determine information protection and personally identifiable information processing needs arising from the defined mission and business processes."
+ children = [
+ control.cloudtrail_trail_validation_enabled,
+ control.s3_bucket_default_encryption_enabled,
+ control.s3_bucket_enforces_ssl,
+ control.s3_bucket_versioning_enabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_pm_14" {
+ title = "Testing, Training, And Monitoring (PM-14)"
+ description = "a. Implement a process for ensuring that organizational plans for conducting security and privacy testing, training, and monitoring activities associated with organizational systems: 1. Are developed and maintained; and 2. Continue to be executed; and b. Review testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions."
+ children = [
+ benchmark.nist_800_53_rev_5_pm_14_a_1,
+ benchmark.nist_800_53_rev_5_pm_14_b
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_pm_14_a_1" {
+ title = "PM-14(a)(1)"
+ description = "a. Implement a process for ensuring that organizational plans for conducting security and privacy testing, training, and monitoring activities associated with organizational systems: 1. Are developed and maintained."
+ children = [
+ control.apigateway_stage_logging_enabled,
+ control.autoscaling_group_with_lb_use_health_check,
+ control.cloudtrail_multi_region_trail_enabled,
+ control.cloudtrail_s3_data_events_enabled,
+ control.cloudtrail_trail_enabled,
+ control.cloudtrail_trail_integrated_with_logs,
+ control.cloudwatch_alarm_action_enabled,
+ control.cloudwatch_log_group_retention_period_365,
+ control.elastic_beanstalk_enhanced_health_reporting_enabled,
+ control.elb_application_classic_lb_logging_enabled,
+ control.guardduty_enabled,
+ control.lambda_function_concurrent_execution_limit_configured,
+ control.lambda_function_dead_letter_queue_configured,
+ control.rds_db_instance_and_cluster_enhanced_monitoring_enabled,
+ control.rds_db_instance_logging_enabled,
+ control.redshift_cluster_encryption_logging_enabled,
+ control.s3_bucket_logging_enabled,
+ control.securityhub_enabled,
+ control.vpc_flow_logs_enabled,
+ control.wafv2_web_acl_logging_enabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_pm_14_b" {
+ title = "PM-14(b)"
+ description = "Review testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions."
+ children = [
+ control.apigateway_stage_logging_enabled,
+ control.autoscaling_group_with_lb_use_health_check,
+ control.cloudtrail_multi_region_trail_enabled,
+ control.cloudtrail_s3_data_events_enabled,
+ control.cloudtrail_trail_enabled,
+ control.cloudtrail_trail_integrated_with_logs,
+ control.cloudwatch_alarm_action_enabled,
+ control.cloudwatch_log_group_retention_period_365,
+ control.elastic_beanstalk_enhanced_health_reporting_enabled,
+ control.elb_application_classic_lb_logging_enabled,
+ control.guardduty_enabled,
+ control.lambda_function_concurrent_execution_limit_configured,
+ control.lambda_function_dead_letter_queue_configured,
+ control.rds_db_instance_and_cluster_enhanced_monitoring_enabled,
+ control.rds_db_instance_logging_enabled,
+ control.redshift_cluster_encryption_logging_enabled,
+ control.s3_bucket_logging_enabled,
+ control.securityhub_enabled,
+ control.vpc_flow_logs_enabled,
+ control.wafv2_web_acl_logging_enabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_pm_16" {
+ title = "Threat Awareness Program (PM-16)"
+ description = "Implement a threat awareness program that includes a cross-organization information-sharing capability for threat intelligence."
+ children = [
+ control.guardduty_enabled
+ ]
+
+ tags = merge(local.nist_800_53_rev_5_common_tags, {
+ service = "AWS/GuardDuty"
+ })
+}
+
+benchmark "nist_800_53_rev_5_pm_17" {
+ title = "Protecting Controlled Unclassified Information On External Systems (PM-17)"
+ description = "a. Establish policy and procedures to ensure that requirements for the protection of controlled unclassified information that is processed, stored or transmitted on external systems, are implemented in accordance with applicable laws, executive orders, directives, policies, regulations, and standards; and b. Review and update the policy and procedures [Assignment: organization-defined frequency]."
+ children = [
+ benchmark.nist_800_53_rev_5_pm_17_b
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_pm_17_b" {
+ title = "PM-17(b)"
+ description = "Review and update the policy and procedures [Assignment: organization-defined frequency]."
+ children = [
+ control.apigateway_rest_api_stage_use_ssl_certificate,
+ control.cloudtrail_trail_validation_enabled,
+ control.elb_application_lb_redirect_http_request_to_https,
+ control.elb_classic_lb_use_ssl_certificate,
+ control.elb_classic_lb_use_tls_https_listeners,
+ control.es_domain_node_to_node_encryption_enabled,
+ control.redshift_cluster_encryption_in_transit_enabled,
+ control.s3_bucket_enforces_ssl,
+ control.s3_bucket_versioning_enabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_pm_21" {
+ title = "Accounting Of Disclosures (PM-21)"
+ description = "a. Develop and maintain an accurate accounting of disclosures of personally identifiable information, including: 1. Date, nature, and purpose of each disclosure; and 2. Name and address, or other contact information of the individual or organization to which the disclosure was made; b. Retain the accounting of disclosures for the length of the time the personally identifiable information is maintained or five years after the disclosure is made, whichever is longer; and c. Make the accounting of disclosures available to the individual to whom the personally identifiable information relates upon request."
+ children = [
+ benchmark.nist_800_53_rev_5_pm_21_b
+ ]
+
+ tags = merge(local.nist_800_53_rev_5_common_tags, {
+ service = "AWS/CloudWatch"
+ })
+}
+
+benchmark "nist_800_53_rev_5_pm_21_b" {
+ title = "PM-21(b)"
+ description = "Retain the accounting of disclosures for the length of the time the personally identifiable information is maintained or five years after the disclosure is made, whichever is longer."
+ children = [
+ control.cloudwatch_log_group_retention_period_365
+ ]
+
+ tags = merge(local.nist_800_53_rev_5_common_tags, {
+ service = "AWS/CloudWatch"
+ })
+}
+
+benchmark "nist_800_53_rev_5_pm_31" {
+ title = "Continuous Monitoring Strategy (PM-31)"
+ description = "Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs that include: a. Establishing the following organization-wide metrics to be monitored: [Assignment: organization-defined metrics]; b. Establishing [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessment of control effectiveness; c. Ongoing monitoring of organizationally-defined metrics in accordance with the continuous monitoring strategy; d. Correlation and analysis of information generated by control assessments and monitoring; e. Response actions to address results of the analysis of control assessment and monitoring information; and f. Reporting the security and privacy status of organizational systems to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency]."
+ children = [
+ control.apigateway_stage_logging_enabled,
+ control.autoscaling_group_with_lb_use_health_check,
+ control.cloudtrail_multi_region_trail_enabled,
+ control.cloudtrail_s3_data_events_enabled,
+ control.cloudtrail_trail_enabled,
+ control.cloudtrail_trail_integrated_with_logs,
+ control.cloudwatch_alarm_action_enabled,
+ control.cloudwatch_log_group_retention_period_365,
+ control.elastic_beanstalk_enhanced_health_reporting_enabled,
+ control.elb_application_classic_lb_logging_enabled,
+ control.guardduty_enabled,
+ control.lambda_function_concurrent_execution_limit_configured,
+ control.lambda_function_dead_letter_queue_configured,
+ control.rds_db_instance_and_cluster_enhanced_monitoring_enabled,
+ control.rds_db_instance_logging_enabled,
+ control.redshift_cluster_encryption_logging_enabled,
+ control.s3_bucket_logging_enabled,
+ control.securityhub_enabled,
+ control.vpc_flow_logs_enabled,
+ control.wafv2_web_acl_logging_enabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
\ No newline at end of file
diff --git a/nist_800_53_rev_5/ra.sp b/nist_800_53_rev_5/ra.sp
new file mode 100644
index 00000000..a1eaf55c
--- /dev/null
+++ b/nist_800_53_rev_5/ra.sp
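Review bot: The `nist_800_53_rev_5_pm_11` title carries a typo in a user-facing string: `title = "Mission And Business Process Defination (PM-11)"` should read `title = "Mission And Business Process Definition (PM-11)"`. `nist_800_53_rev_5_pm_14_a_1`, `nist_800_53_rev_5_pm_14_b` and `nist_800_53_rev_5_pm_31` each carry the identical twenty-control list, so any later addition or correction has to be made three times; if the mod's HCL allows a list-valued local to be used for `children`, hoist it, otherwise a `# keep in sync with pm_14_b and pm_31` comment on each copy is the minimum. The PM-11 and PM-14 descriptions join every clause with `; and b. ... ; and c.`, where the catalog wording uses "and" only before the last clause; minor, but it reads as a copy-paste artifact.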
@@ -0,0 +1,182 @@
+benchmark "nist_800_53_rev_5_ra" {
+ title = "Risk Assessment (RA)"
+ description = "The RA control family relates to an organization’s risk assessment policies and vulnerability scanning capabilities. Using an integrated risk management solution like CyberStrong can help streamline and automate your NIST 800 53 compliance efforts."
+ children = [
+ benchmark.nist_800_53_rev_5_ra_1,
+ benchmark.nist_800_53_rev_5_ra_3,
+ benchmark.nist_800_53_rev_5_ra_5,
+ benchmark.nist_800_53_rev_5_ra_10
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ra_1" {
+ title = "Policy And Procedures (RA-1)"
+ description = "Track risk assessment policies that address purpose, scope, roles, management, and organizational compliance."
+ children = [
+ benchmark.nist_800_53_rev_5_ra_1_a
+ ]
+
+ tags = merge(local.nist_800_53_rev_5_common_tags, {
+ service = "AWS/GuardDuty"
+ })
+}
+
+benchmark "nist_800_53_rev_5_ra_1_a" {
+ title = "RA-1(a)"
+ description = "Establish and maintain a cyber threat hunting capability to: 1. Search for indicators of compromise in organizational systems; and 2. Detect, track, and disrupt threats that evade existing controls."
+ children = [
+ benchmark.nist_800_53_rev_5_ra_1_a_1,
+ benchmark.nist_800_53_rev_5_ra_1_a_2,
+ control.guardduty_enabled
+ ]
+
+ tags = merge(local.nist_800_53_rev_5_common_tags, {
+ service = "AWS/GuardDuty"
+ })
+}
+
+benchmark "nist_800_53_rev_5_ra_1_a_1" {
+ title = "RA-1(a)(1)"
+ description = "Establish and maintain a cyber threat hunting capability to: 1. Search for indicators of compromise in organizational systems."
+ children = [
+ control.guardduty_enabled
+ ]
+
+ tags = merge(local.nist_800_53_rev_5_common_tags, {
+ service = "AWS/GuardDuty"
+ })
+}
+
+benchmark "nist_800_53_rev_5_ra_1_a_2" {
+ title = "RA-1(a)(2)"
+ description = "a. Establish and maintain a cyber threat hunting capability to: 2. Detect, track, and disrupt threats that evade existing controls."
+ children = [
+ control.guardduty_enabled
+ ]
+
+ tags = merge(local.nist_800_53_rev_5_common_tags, {
+ service = "AWS/GuardDuty"
+ })
+}
+
+benchmark "nist_800_53_rev_5_ra_3" {
+ title = "Risk Assessment (RA-3)"
+ description = "Assess risks and magnitude of unauthorized system access, use, disclosure, disruption, modifications, or destruction."
+ children = [
+ benchmark.nist_800_53_rev_5_ra_3_4,
+ benchmark.nist_800_53_rev_5_ra_3_a_1
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ra_3_4" {
+ title = "RA-3(4) Predictive Cyber Analytics"
+ description = "Employ the following advanced automation and analytics capabilities to predict and identify risks to [Assignment: organization-defined systems or system components]: [Assignment: organization-defined advanced automation and analytics capabilities]."
+ children = [
+ control.guardduty_enabled
+ ]
+
+ tags = merge(local.nist_800_53_rev_5_common_tags, {
+ service = "AWS/GuardDuty"
+ })
+}
+
+benchmark "nist_800_53_rev_5_ra_3_a_1" {
+ title = "RA-3(a)(1)"
+ description = "a. Conduct a risk assessment, including: 1. Identifying threats to and vulnerabilities in the system."
+ children = [
+ control.guardduty_enabled,
+ control.ssm_managed_instance_compliance_patch_compliant
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ra_5" {
+ title = "Vulnerability Monitoring And Scanning (RA-5)"
+ description = "Employ the following advanced automation and analytics capabilities to predict and identify risks to [Assignment: organization-defined systems or system components]: [Assignment: organization-defined advanced automation and analytics capabilities]."
+ children = [
+ benchmark.nist_800_53_rev_5_ra_5_4,
+ benchmark.nist_800_53_rev_5_ra_5_a
+ ]
+
+ tags = merge(local.nist_800_53_rev_5_common_tags, {
+ service = "AWS/GuardDuty"
+ })
+}
+
+benchmark "nist_800_53_rev_5_ra_5_a" {
+ title = "RA-5(a)"
+ description = "Monitor and scan for vulnerabilities in the system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system are identified and reported."
+ children = [
+ control.guardduty_enabled
+ ]
+ tags = merge(local.nist_800_53_rev_5_common_tags, {
+ service = "AWS/GuardDuty"
+ })
+}
+
+benchmark "nist_800_53_rev_5_ra_5_4" {
+ title = "RA-5(4) Discoverable Information"
+ description = "Determine information about the system that is discoverable and take [Assignment: organization-defined corrective actions]."
+ children = [
+ control.guardduty_enabled
+ ]
+
+ tags = merge(local.nist_800_53_rev_5_common_tags, {
+ service = "AWS/GuardDuty"
+ })
+}
+
+benchmark "nist_800_53_rev_5_ra_10" {
+ title = "Threat Hunting (RA-10)"
+ description = "a. Establish and maintain a cyber threat hunting capability to: 1. Search for indicators of compromise in organizational systems; and 2. Detect, track, and disrupt threats that evade existing controls; and b. Employ the threat hunting capability [Assignment: organization-defined frequency]."
+ children = [
+ benchmark.nist_800_53_rev_5_ra_10_a
+ ]
+
+ tags = merge(local.nist_800_53_rev_5_common_tags, {
+ service = "AWS/GuardDuty"
+ })
+}
+
+benchmark "nist_800_53_rev_5_ra_10_a" {
+ title = "RA-10(a)"
+ description = "Establish and maintain a cyber threat hunting capability to: 1. Search for indicators of compromise in organizational systems; and 2. Detect, track, and disrupt threats that evade existings."
+ children = [
+ benchmark.nist_800_53_rev_5_ra_10_a_1,
+ benchmark.nist_800_53_rev_5_ra_10_a_2,
+ control.guardduty_enabled
+ ]
+
+ tags = merge(local.nist_800_53_rev_5_common_tags, {
+ service = "AWS/GuardDuty"
+ })
+}
+
+benchmark "nist_800_53_rev_5_ra_10_a_1" {
+ title = "RA-10(a)(1)"
+ description = "Establish and maintain a cyber threat hunting capability to: 1. Search for indicators of compromise in organizational systems; and 2. Detect, track, and disrupt threats that evade existings."
+ children = [
+ control.guardduty_enabled
+ ]
+
+ tags = merge(local.nist_800_53_rev_5_common_tags, {
+ service = "AWS/GuardDuty"
+ })
+}
+
+benchmark "nist_800_53_rev_5_ra_10_a_2" {
+ title = "RA-10(a)(2)"
+ description = "a. Establish and maintain a cyber threat hunting capability to: 2. Detect, track, and disrupt threats that evade existings."
+ children = [
+ control.guardduty_enabled
+ ]
+
+ tags = merge(local.nist_800_53_rev_5_common_tags, {
+ service = "AWS/GuardDuty"
+ })
+}
\ No newline at end of file
diff --git a/nist_800_53_rev_5/sa.sp b/nist_800_53_rev_5/sa.sp
new file mode 100644
index 00000000..3c0554d7
--- /dev/null
+++ b/nist_800_53_rev_5/sa.sp
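Review bot: The `nist_800_53_rev_5_ra_1_a` description (and those of its `_1` and `_2` children) is the RA-10 threat-hunting text, not RA-1(a), which in the catalog concerns developing and disseminating the risk assessment policy; the same copy-paste affects `nist_800_53_rev_5_ra_5`, whose description repeats RA-3(4)'s predictive-analytics text instead of describing vulnerability monitoring and scanning. `evade existings.` in the RA-10(a), RA-10(a)(1) and RA-10(a)(2) descriptions is a truncation of `evade existing controls.`. The family description ends with vendor copy (`Using an integrated risk management solution like CyberStrong can help streamline and automate your NIST 800 53 compliance efforts.`) that has no place in a benchmark description and should be dropped. `nist_800_53_rev_5_ra_5_a` is the only block in this hunk missing the blank line between `]` and `tags` that every other block has.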
@@ -0,0 +1,107 @@
+benchmark "nist_800_53_rev_5_sa" {
+ title = "System and Services Acquisition (SA)"
+ description = "The SA control family correlates with controls that protect allocated resources and an organization’s system development life cycle. This includes information system documentation controls, development configuration management controls, and developer security testing and evaluation controls."
+ children = [
+ benchmark.nist_800_53_rev_5_sa_1,
+ benchmark.nist_800_53_rev_5_sa_9,
+ benchmark.nist_800_53_rev_5_sa_10,
+ benchmark.nist_800_53_rev_5_sa_15
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_sa_1" {
+ title = "Policy And Procedures (SA-1)"
+ description = "The organization develops, disseminates, and periodically reviews/updates: (i) a formal, documented, system and services acquisition policy that includes information security considerations and that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls."
+ children = [
+ benchmark.nist_800_53_rev_5_sa_1_1
+ ]
+
+ tags = merge(local.nist_800_53_rev_5_common_tags, {
+ service = "AWS/CloudTrail"
+ })
+}
+
+benchmark "nist_800_53_rev_5_sa_1_1" {
+ title = "SA-1(1)"
+ description = "Require the developer of the system, system component, or system service to enable integrity verification of software and firmware components."
+ children = [
+ control.cloudtrail_trail_validation_enabled
+ ]
+
+ tags = merge(local.nist_800_53_rev_5_common_tags, {
+ service = "AWS/CloudTrail"
+ })
+}
+
+benchmark "nist_800_53_rev_5_sa_9" {
+ title = "External System Services (SA-9)"
+ description = "Require the developer of the system, system component, or system service to enable integrity verification of software and firmware components."
+ children = [
+ benchmark.nist_800_53_rev_5_sa_9_6
+ ]
+
+ tags = merge(local.nist_800_53_rev_5_common_tags, {
+ service = "AWS/KMS"
+ })
+}
+
+benchmark "nist_800_53_rev_5_sa_9_6" {
+ title = "SA-9(6) Organization-Controlled Cryptographic Keys"
+ description = "Maintain exclusive control of cryptographic keys for encrypted material stored or transmitted through an external system."
+ children = [
+ control.kms_key_not_pending_deletion,
+ control.kms_cmk_rotation_enabled
+ ]
+
+ tags = merge(local.nist_800_53_rev_5_common_tags, {
+ service = "AWS/KMS"
+ })
+}
+
+benchmark "nist_800_53_rev_5_sa_10" {
+ title = "Developer Configuration Management (SA-10)"
+ description = "The organization requires the developer of the information system, system component, or information system service to: a. Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation]; b. Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management]; c. Implement only organization-approved changes to the system, component, or service; d. Document approved changes to the system, component, or service and the potential security impacts of such changes; and e. Track security flaws and flaw resolution within the system, component, or service and report findings to [Assignment: organization-defined personnel]."
+ children = [
+ benchmark.nist_800_53_rev_5_sa_10_1
+ ]
+
+ tags = merge(local.nist_800_53_rev_5_common_tags, {
+ service = "AWS/CloudTrail"
+ })
+}
+
+benchmark "nist_800_53_rev_5_sa_10_1" {
+ title = "SA-10(1) Software And Firmware Integrity Verification"
+ description = "Require the developer of the system, system component, or system service to enable integrity verification of software and firmware components."
+ children = [
+ control.cloudtrail_trail_validation_enabled
+ ]
+
+ tags = merge(local.nist_800_53_rev_5_common_tags, {
+ service = "AWS/CloudTrail"
+ })
+}
+
+benchmark "nist_800_53_rev_5_sa_15" {
+ title = "Development Process, Standards, And Tools (SA-15)"
+ description = "a. Require the developer of the system, system component, or system service to follow a documented development process that: 1. Explicitly addresses security and privacy requirements; 2. Identifies the standards and tools used in the development process; 3. Documents the specific tool options and tool configurations used in the development process; and 4. Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and b. Review the development process, standards, tools, tool options, and tool configurations [Assignment: organization-defined frequency] to determine if the process, standards, tools, tool options and tool configurations selected and employed can satisfy the following security and privacy requirements: [Assignment: organization-defined security and privacy requirements]."
+ children = [
+ benchmark.nist_800_53_rev_5_sa_15_a_4
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_sa_15_a_4" {
+ title = "SA-15(a)(4)"
+ description = "a. Require the developer of the system, system component, or system service to follow a documented development process that: 4. Documents, manages, and ensures the integrity of changes to the process and/or tools used in development."
+ children = [
+ control.elb_application_lb_deletion_protection_enabled,
+ control.rds_db_instance_deletion_protection_enabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
diff --git a/nist_800_53_rev_5/sc.sp b/nist_800_53_rev_5/sc.sp
new file mode 100644
index 00000000..761fb1ca
--- /dev/null
+++ b/nist_800_53_rev_5/sc.sp
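Review bot: The `description` of `nist_800_53_rev_5_sa_1_1` and of `nist_800_53_rev_5_sa_9` is the same string that `nist_800_53_rev_5_sa_10_1` uses (`Require the developer of the system, system component, or system service to enable integrity verification of software and firmware components.`), which reads as a copy-paste leftover: SA-9 is titled External System Services and SA-1(1) sits under Policy and Procedures, so neither is described by a software-integrity requirement. Because an assessor uses the benchmark description to judge whether the mapped controls (`cloudtrail_trail_validation_enabled`, the two KMS controls) are relevant evidence, each benchmark should carry the Rev 5 text of the control it actually represents, with a marked placeholder such as `description = "<Rev 5 text for SA-9 — TODO>"` until it is filled in. The `nist_800_53_rev_5_sa_1` description also uses the older "The organization develops, disseminates, and periodically reviews/updates ..." phrasing rather than the Rev 5 form used by the other benchmarks in this hunk. I could not confirm that Rev 5 defines an SA-1(1) enhancement; if it does not, `nist_800_53_rev_5_sa_1_1` should probably be folded into `nist_800_53_rev_5_sa_1` — please check against the catalog.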
@@ -0,0 +1,1199 @@ +benchmark "nist_800_53_rev_5_sc" { + title = "System and Communications Protection (SC)" + description = "The SC control family is responsible for systems and communications protection procedures. This includes boundary protection, protection of information at rest, collaborative computing devices, cryptographic protection, denial of service protection, and many others." + children = [ + benchmark.nist_800_53_rev_5_sc_5, + benchmark.nist_800_53_rev_5_sc_6, + benchmark.nist_800_53_rev_5_sc_7, + benchmark.nist_800_53_rev_5_sc_8, + benchmark.nist_800_53_rev_5_sc_12, + benchmark.nist_800_53_rev_5_sc_13, + benchmark.nist_800_53_rev_5_sc_16, + benchmark.nist_800_53_rev_5_sc_22, + benchmark.nist_800_53_rev_5_sc_23, + benchmark.nist_800_53_rev_5_sc_25, + benchmark.nist_800_53_rev_5_sc_28, + benchmark.nist_800_53_rev_5_sc_36, + benchmark.nist_800_53_rev_5_sc_43 + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_sc_5" { + title = "Denial Of Service Protection (SC-5)" + description = "The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined types of denial of service attacks or reference to source for such information] by employing [Assignment: organization-defined security safeguards]." + children = [ + benchmark.nist_800_53_rev_5_sc_5_1, + benchmark.nist_800_53_rev_5_sc_5_2, + benchmark.nist_800_53_rev_5_sc_5_3, + benchmark.nist_800_53_rev_5_sc_5_a, + benchmark.nist_800_53_rev_5_sc_5_b + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_sc_5_1" { + title = "SC-5(1) Restrict Ability TO Attack Other Systems" + description = "Restrict the ability of individuals to launch the following denial-of-service attacks against other systems: [Assignment: organization-defined denial-of-service attacks]." 
+ children = [ + control.guardduty_enabled + ] + + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/GuardDuty" + }) +} + +benchmark "nist_800_53_rev_5_sc_5_2" { + title = "SC-5(2) Capacity, Bandwidth, And Redundancy" + description = "Manage capacity, bandwidth, or other redundancy to limit the effects of information flooding denial-of-service attacks." + children = [ + control.dynamodb_table_auto_scaling_enabled, + control.dynamodb_table_in_backup_plan, + control.dynamodb_table_point_in_time_recovery_enabled, + control.ebs_volume_in_backup_plan, + control.ec2_instance_ebs_optimized, + control.efs_file_system_in_backup_plan, + control.elasticache_redis_cluster_automatic_backup_retention_15_days, + control.elb_application_lb_deletion_protection_enabled, + control.elb_classic_lb_cross_zone_load_balancing_enabled, + control.rds_db_instance_backup_enabled, + control.rds_db_instance_deletion_protection_enabled, + control.rds_db_instance_multiple_az_enabled, + control.rds_db_instance_protected_by_backup_plan, + control.redshift_cluster_automatic_snapshots_min_7_days, + control.redshift_cluster_maintenance_settings_check, + control.s3_bucket_cross_region_replication_enabled, + control.s3_bucket_versioning_enabled, + control.vpc_vpn_tunnel_up + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_sc_5_3" { + title = "SC-5(3) Detection And Monitoring" + description = "a. Employ the following monitoring tools to detect indicators of denial-of-service attacks against, or launched from, the system: [Assignment: organization-defined monitoring tools]; and b. Monitor the following system resources to determine if sufficient resources exist to prevent effective denial-of-service attacks: [Assignment: organization-defined system resources]." 
+ children = [ + benchmark.nist_800_53_rev_5_sc_5_3_a, + benchmark.nist_800_53_rev_5_sc_5_3_b + ] + + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/GuardDuty" + }) +} + +benchmark "nist_800_53_rev_5_sc_5_a" { + title = "SC-5(a)" + description = "[Selection: Protect against; Limit] the effects of the following types of denial-of-service events: [Assignment: organization-defined types of denial-of-service events]." + children = [ + control.guardduty_enabled + ] + + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/GuardDuty" + }) +} + +benchmark "nist_800_53_rev_5_sc_5_b" { + title = "SC-5(b)" + description = "Employ the following controls to achieve the denial-of-service objective: [Assignment: organization-defined controls by type of denial-of-service event]." + children = [ + control.guardduty_enabled + ] + + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/GuardDuty" + }) +} + +benchmark "nist_800_53_rev_5_sc_5_3_a" { + title = "SC-5(3)(a)" + description = "Employ the following monitoring tools to detect indicators of denial-of-service attacks against, or launched from, the system: [Assignment: organization-defined monitoring tools]." + children = [ + control.guardduty_enabled + ] + + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/GuardDuty" + }) +} + +benchmark "nist_800_53_rev_5_sc_5_3_b" { + title = "SC-5(3)(b)" + description = "Monitor the following system resources to determine if sufficient resources exist to prevent effective denial-of-service attacks: [Assignment: organization-defined system resources]." 
+ children = [ + control.guardduty_enabled + ] + + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/GuardDuty" + }) +} + +benchmark "nist_800_53_rev_5_sc_6" { + title = "Resource Availability (SC-6)" + description = "Protect the availability of resources by allocating [Assignment: organization-defined resources] by [Selection (one or more): priority; quota; [Assignment: organization-defined controls]]." + children = [ + control.autoscaling_group_with_lb_use_health_check, + control.dynamodb_table_auto_scaling_enabled, + control.elastic_beanstalk_enhanced_health_reporting_enabled, + control.elb_classic_lb_cross_zone_load_balancing_enabled, + control.lambda_function_concurrent_execution_limit_configured, + control.rds_db_instance_multiple_az_enabled, + control.vpc_vpn_tunnel_up + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_sc_7" { + title = "Boundary Protection (SC-7)" + description = "The information system: a. Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; b. Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and c. Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture." 
+ children = [ + benchmark.nist_800_53_rev_5_sc_7_2, + benchmark.nist_800_53_rev_5_sc_7_3, + benchmark.nist_800_53_rev_5_sc_7_4, + benchmark.nist_800_53_rev_5_sc_7_5, + benchmark.nist_800_53_rev_5_sc_7_7, + benchmark.nist_800_53_rev_5_sc_7_9, + benchmark.nist_800_53_rev_5_sc_7_11, + benchmark.nist_800_53_rev_5_sc_7_12, + benchmark.nist_800_53_rev_5_sc_7_16, + benchmark.nist_800_53_rev_5_sc_7_20, + benchmark.nist_800_53_rev_5_sc_7_21, + benchmark.nist_800_53_rev_5_sc_7_24, + benchmark.nist_800_53_rev_5_sc_7_25, + benchmark.nist_800_53_rev_5_sc_7_26, + benchmark.nist_800_53_rev_5_sc_7_27, + benchmark.nist_800_53_rev_5_sc_7_28, + benchmark.nist_800_53_rev_5_sc_7_a, + benchmark.nist_800_53_rev_5_sc_7_b, + benchmark.nist_800_53_rev_5_sc_7_c + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_sc_7_2" { + title = "SC-7(2) Public Access" + description = "Provide the capability to dynamically isolate [Assignment: organization-defined system components] from other system components." 
+ children = [ + control.dms_replication_instance_not_publicly_accessible, + control.ebs_snapshot_not_publicly_restorable, + control.ec2_instance_in_vpc, + control.ec2_instance_not_publicly_accessible, + control.emr_cluster_master_nodes_no_public_ip, + control.es_domain_in_vpc, + control.lambda_function_in_vpc, + control.lambda_function_restrict_public_access, + control.rds_db_instance_prohibit_public_access, + control.rds_db_snapshot_prohibit_public_access, + control.redshift_cluster_prohibit_public_access, + control.s3_bucket_restrict_public_read_access, + control.s3_bucket_restrict_public_write_access, + control.s3_public_access_block_account, + control.s3_public_access_block_bucket, + control.sagemaker_notebook_instance_direct_internet_access_disabled, + control.vpc_subnet_auto_assign_public_ip_disabled + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_sc_7_3" { + title = "SC-7(3) Access Points" + description = "Limit the number of external network connections to the system." 
+ children = [ + control.autoscaling_launch_config_public_ip_disabled, + control.dms_replication_instance_not_publicly_accessible, + control.ebs_snapshot_not_publicly_restorable, + control.ec2_instance_in_vpc, + control.ec2_instance_not_publicly_accessible, + control.emr_cluster_master_nodes_no_public_ip, + control.es_domain_in_vpc, + control.lambda_function_in_vpc, + control.lambda_function_restrict_public_access, + control.rds_db_instance_prohibit_public_access, + control.rds_db_snapshot_prohibit_public_access, + control.redshift_cluster_prohibit_public_access, + control.s3_bucket_restrict_public_read_access, + control.s3_bucket_restrict_public_write_access, + control.s3_public_access_block_account, + control.s3_public_access_block_bucket, + control.sagemaker_notebook_instance_direct_internet_access_disabled, + control.vpc_subnet_auto_assign_public_ip_disabled + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_sc_7_4" { + title = "SC-7(4) External Telecommunications Services" + description = "a. Implement a managed interface for each external telecommunication service; b. Establish a traffic flow policy for each managed interface; c. Protect the confidentiality and integrity of the information being transmitted across each interface; d. Document each exception to the traffic flow policy with a supporting mission or business need and duration of that need; e. Review exceptions to the traffic flow policy [Assignment: organization-defined frequency] and remove exceptions that are no longer supported by an explicit mission or business need; f. Prevent unauthorized exchange of control plane traffic with external networks; g. Publish information to enable remote networks to detect unauthorized control plane traffic from internal networks; and h. Filter unauthorized control plane traffic from external networks." 
+ children = [ + benchmark.nist_800_53_rev_5_sc_7_4_b, + benchmark.nist_800_53_rev_5_sc_7_4_g + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_sc_7_4_b" { + title = "SC-7(4)(b)" + description = "Establish a traffic flow policy for each managed interface." + children = [ + control.apigateway_rest_api_stage_use_ssl_certificate, + control.elb_application_lb_redirect_http_request_to_https, + control.elb_classic_lb_use_ssl_certificate, + control.elb_classic_lb_use_tls_https_listeners, + control.es_domain_node_to_node_encryption_enabled, + control.redshift_cluster_encryption_in_transit_enabled, + control.s3_bucket_enforces_ssl + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_sc_7_4_g" { + title = "SC-7(4)(g)" + description = "Publish information to enable remote networks to detect unauthorized control plane traffic from internal networks." + children = [ + control.apigateway_rest_api_stage_use_ssl_certificate, + control.elb_application_lb_redirect_http_request_to_https, + control.elb_classic_lb_use_ssl_certificate, + control.elb_classic_lb_use_tls_https_listeners, + control.es_domain_node_to_node_encryption_enabled, + control.redshift_cluster_encryption_in_transit_enabled, + control.s3_bucket_enforces_ssl + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_sc_7_5" { + title = "SC-7(5) Deny By Default — Allow By Exception" + description = "Deny network communications traffic by default and allow network communications traffic by exception [Selection (one or more): at managed interfaces; for [Assignment: organization-defined systems]]." 
+ children = [ + control.apigateway_rest_api_stage_use_ssl_certificate, + control.elb_classic_lb_use_ssl_certificate, + control.redshift_cluster_encryption_in_transit_enabled, + control.s3_bucket_enforces_ssl, + control.vpc_default_security_group_restricts_all_traffic, + control.vpc_security_group_restrict_ingress_common_ports_all, + control.vpc_security_group_restrict_ingress_tcp_udp_all + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_sc_7_7" { + title = "SC-7(7) Split Tunneling For Remote Devices" + description = "Prevent split tunneling for remote devices connecting to organizational systems unless the split tunnel is securely provisioned using [Assignment: organization-defined safeguards]." + children = [ + control.dms_replication_instance_not_publicly_accessible, + control.ebs_snapshot_not_publicly_restorable, + control.ec2_instance_not_publicly_accessible, + control.emr_cluster_master_nodes_no_public_ip, + control.lambda_function_restrict_public_access, + control.rds_db_instance_prohibit_public_access, + control.rds_db_snapshot_prohibit_public_access, + control.redshift_cluster_prohibit_public_access, + control.s3_bucket_restrict_public_read_access, + control.s3_bucket_restrict_public_write_access, + control.s3_public_access_block_account, + control.s3_public_access_block_bucket, + control.sagemaker_notebook_instance_direct_internet_access_disabled, + control.vpc_default_security_group_restricts_all_traffic, + control.vpc_security_group_restrict_ingress_common_ports_all, + control.vpc_security_group_restrict_ingress_ssh_all, + control.vpc_security_group_restrict_ingress_tcp_udp_all, + control.vpc_subnet_auto_assign_public_ip_disabled + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_sc_7_9" { + title = "SC-7(9) Restrict Threatening Outgoing Communications Traffic" + description = "a. Detect and deny outgoing communications traffic posing a threat to external systems; and b. 
Audit the identity of internal users associated with denied communications." + children = [ + benchmark.nist_800_53_rev_5_sc_7_9_a, + benchmark.nist_800_53_rev_5_sc_7_9_b + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_sc_7_9_a" { + title = "SC-7(9)(a)" + description = "Detect and deny outgoing communications traffic posing a threat to external systems." + children = [ + control.dms_replication_instance_not_publicly_accessible, + control.ebs_snapshot_not_publicly_restorable, + control.ec2_instance_in_vpc, + control.ec2_instance_not_publicly_accessible, + control.emr_cluster_master_nodes_no_public_ip, + control.es_domain_in_vpc, + control.lambda_function_in_vpc, + control.lambda_function_restrict_public_access, + control.rds_db_instance_prohibit_public_access, + control.rds_db_snapshot_prohibit_public_access, + control.redshift_cluster_prohibit_public_access, + control.s3_bucket_restrict_public_read_access, + control.s3_bucket_restrict_public_write_access, + control.s3_public_access_block_account, + control.s3_public_access_block_bucket, + control.sagemaker_notebook_instance_direct_internet_access_disabled, + control.vpc_subnet_auto_assign_public_ip_disabled + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_sc_7_9_b" { + title = "SC-7(9)(b)" + description = "Audit the identity of internal users associated with denied communications." 
+ children = [ + control.apigateway_stage_logging_enabled, + control.cloudtrail_multi_region_trail_enabled, + control.cloudtrail_s3_data_events_enabled, + control.cloudtrail_trail_enabled, + control.cloudtrail_trail_integrated_with_logs, + control.elb_application_classic_lb_logging_enabled, + control.rds_db_instance_logging_enabled, + control.redshift_cluster_encryption_logging_enabled, + control.s3_bucket_logging_enabled, + control.wafv2_web_acl_logging_enabled + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_sc_7_11" { + title = "SC-7(11) Restrict Incoming communications Traffic" + description = "Only allow incoming communications from [Assignment: organization-defined authorized sources] to be routed to [Assignment: organization-defined authorized destinations]." + children = [ + control.dms_replication_instance_not_publicly_accessible, + control.ebs_snapshot_not_publicly_restorable, + control.ec2_instance_in_vpc, + control.ec2_instance_not_publicly_accessible, + control.emr_cluster_master_nodes_no_public_ip, + control.es_domain_in_vpc, + control.lambda_function_in_vpc, + control.lambda_function_restrict_public_access, + control.rds_db_instance_prohibit_public_access, + control.rds_db_snapshot_prohibit_public_access, + control.redshift_cluster_prohibit_public_access, + control.s3_bucket_restrict_public_read_access, + control.s3_bucket_restrict_public_write_access, + control.s3_public_access_block_account, + control.s3_public_access_block_bucket, + control.sagemaker_notebook_instance_direct_internet_access_disabled, + control.vpc_default_security_group_restricts_all_traffic, + control.vpc_security_group_restrict_ingress_common_ports_all, + control.vpc_security_group_restrict_ingress_ssh_all, + control.vpc_security_group_restrict_ingress_tcp_udp_all, + control.vpc_subnet_auto_assign_public_ip_disabled + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_sc_7_12" { + title = "SC-7(12) Host-Based 
Protection" + description = "Implement [Assignment: organization-defined host-based boundary protection mechanisms] at [Assignment: organization-defined system components]." + children = [ + control.acm_certificate_expires_30_days, + control.dms_replication_instance_not_publicly_accessible, + control.ebs_snapshot_not_publicly_restorable, + control.ec2_instance_in_vpc, + control.ec2_instance_not_publicly_accessible, + control.emr_cluster_master_nodes_no_public_ip, + control.es_domain_in_vpc, + control.lambda_function_in_vpc, + control.lambda_function_restrict_public_access, + control.rds_db_instance_prohibit_public_access, + control.rds_db_snapshot_prohibit_public_access, + control.redshift_cluster_prohibit_public_access, + control.s3_bucket_restrict_public_read_access, + control.s3_bucket_restrict_public_write_access, + control.s3_public_access_block_account, + control.sagemaker_notebook_instance_direct_internet_access_disabled, + control.vpc_default_security_group_restricts_all_traffic, + control.vpc_security_group_restrict_ingress_common_ports_all, + control.vpc_security_group_restrict_ingress_ssh_all, + control.vpc_security_group_restrict_ingress_tcp_udp_all, + control.vpc_subnet_auto_assign_public_ip_disabled + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_sc_7_16" { + title = "SC-7(16) Prevent Discovery Of System Components" + description = "Prevent the discovery of specific system components that represent a managed interface." 
+ children = [ + control.acm_certificate_expires_30_days, + control.dms_replication_instance_not_publicly_accessible, + control.ebs_snapshot_not_publicly_restorable, + control.ec2_instance_in_vpc, + control.ec2_instance_not_publicly_accessible, + control.emr_cluster_master_nodes_no_public_ip, + control.es_domain_in_vpc, + control.lambda_function_in_vpc, + control.lambda_function_restrict_public_access, + control.rds_db_instance_prohibit_public_access, + control.rds_db_snapshot_prohibit_public_access, + control.redshift_cluster_prohibit_public_access, + control.s3_bucket_restrict_public_read_access, + control.s3_bucket_restrict_public_write_access, + control.s3_public_access_block_account, + control.sagemaker_notebook_instance_direct_internet_access_disabled, + control.vpc_default_security_group_restricts_all_traffic, + control.vpc_security_group_restrict_ingress_common_ports_all, + control.vpc_security_group_restrict_ingress_ssh_all, + control.vpc_security_group_restrict_ingress_tcp_udp_all, + control.vpc_subnet_auto_assign_public_ip_disabled + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_sc_7_20" { + title = "SC-7(20) Prevent Discovery Of System Components" + description = "Prevent the discovery of specific system components that represent a managed interface." 
+ children = [ + control.dms_replication_instance_not_publicly_accessible, + control.ebs_snapshot_not_publicly_restorable, + control.ec2_instance_in_vpc, + control.ec2_instance_not_publicly_accessible, + control.emr_cluster_master_nodes_no_public_ip, + control.es_domain_in_vpc, + control.lambda_function_in_vpc, + control.lambda_function_restrict_public_access, + control.rds_db_instance_prohibit_public_access, + control.rds_db_snapshot_prohibit_public_access, + control.redshift_cluster_prohibit_public_access, + control.s3_bucket_restrict_public_read_access, + control.s3_bucket_restrict_public_write_access, + control.s3_public_access_block_account, + control.s3_public_access_block_bucket, + control.sagemaker_notebook_instance_direct_internet_access_disabled, + control.vpc_subnet_auto_assign_public_ip_disabled + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_sc_7_21" { + title = "SC-7(21) Isolation Of System Components" + description = "Employ boundary protection mechanisms to isolate [Assignment: organization-defined system components] supporting [Assignment: organization-defined missions and/or business functions]." 
+ children = [ + control.dms_replication_instance_not_publicly_accessible, + control.ebs_snapshot_not_publicly_restorable, + control.ec2_instance_in_vpc, + control.ec2_instance_not_publicly_accessible, + control.emr_cluster_master_nodes_no_public_ip, + control.es_domain_in_vpc, + control.lambda_function_in_vpc, + control.lambda_function_restrict_public_access, + control.rds_db_instance_prohibit_public_access, + control.rds_db_snapshot_prohibit_public_access, + control.redshift_cluster_prohibit_public_access, + control.s3_bucket_restrict_public_read_access, + control.s3_bucket_restrict_public_write_access, + control.s3_public_access_block_account, + control.s3_public_access_block_bucket, + control.sagemaker_notebook_instance_direct_internet_access_disabled, + control.vpc_default_security_group_restricts_all_traffic, + control.vpc_security_group_restrict_ingress_common_ports_all, + control.vpc_security_group_restrict_ingress_ssh_all, + control.vpc_security_group_restrict_ingress_tcp_udp_all, + control.vpc_subnet_auto_assign_public_ip_disabled + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_sc_7_24" { + title = "SC-7(24) Personally Identifiable Information" + description = "For systems that process personally identifiable information: a. Apply the following processing rules to data elements of personally identifiable information: [Assignment: organization-defined processing rules];b. Monitor for permitted processing at the external interfaces to the system and at key internal boundaries within the system; c. Document each processing exception; and d. Review and remove exceptions that are no longer supported." 
+ children = [ + benchmark.nist_800_53_rev_5_sc_7_24_b + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_sc_7_24_b" { + title = "SC-7(24)(b)" + description = "For systems that process personally identifiable information: (b) Monitor for permitted processing at the external interfaces to the system and at key internal boundaries within the system." + children = [ + control.dms_replication_instance_not_publicly_accessible, + control.ebs_snapshot_not_publicly_restorable, + control.ec2_instance_in_vpc, + control.ec2_instance_not_publicly_accessible, + control.emr_cluster_master_nodes_no_public_ip, + control.es_domain_in_vpc, + control.lambda_function_in_vpc, + control.lambda_function_restrict_public_access, + control.rds_db_instance_prohibit_public_access, + control.rds_db_snapshot_prohibit_public_access, + control.redshift_cluster_prohibit_public_access, + control.s3_bucket_restrict_public_read_access, + control.s3_bucket_restrict_public_write_access, + control.s3_public_access_block_account, + control.s3_public_access_block_bucket, + control.sagemaker_notebook_instance_direct_internet_access_disabled, + control.vpc_default_security_group_restricts_all_traffic, + control.vpc_security_group_restrict_ingress_common_ports_all, + control.vpc_security_group_restrict_ingress_ssh_all, + control.vpc_security_group_restrict_ingress_tcp_udp_all, + control.vpc_subnet_auto_assign_public_ip_disabled + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_sc_7_25" { + title = "SC-7(25) Unclassified National Security System Connections" + description = "Prohibit the direct connection of [Assignment: organization-defined unclassified national security system] to an external network without the use of [Assignment: organization-defined boundary protection device]." 
+ children = [ + control.dms_replication_instance_not_publicly_accessible, + control.ebs_snapshot_not_publicly_restorable, + control.ec2_instance_not_publicly_accessible, + control.emr_cluster_master_nodes_no_public_ip, + control.lambda_function_restrict_public_access, + control.rds_db_instance_prohibit_public_access, + control.rds_db_snapshot_prohibit_public_access, + control.redshift_cluster_prohibit_public_access, + control.s3_bucket_restrict_public_read_access, + control.s3_bucket_restrict_public_write_access, + control.s3_public_access_block_account, + control.s3_public_access_block_bucket, + control.sagemaker_notebook_instance_direct_internet_access_disabled, + control.vpc_default_security_group_restricts_all_traffic, + control.vpc_security_group_restrict_ingress_common_ports_all, + control.vpc_security_group_restrict_ingress_ssh_all, + control.vpc_subnet_auto_assign_public_ip_disabled + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_sc_7_26" { + title = "SC-7(26) Classified National Security System Connections" + description = "Prohibit the direct connection of a classified national security system to an external network without the use of [Assignment: organization-defined boundary protection device]." 
+ children = [
+ control.dms_replication_instance_not_publicly_accessible,
+ control.ebs_snapshot_not_publicly_restorable,
+ control.ec2_instance_not_publicly_accessible,
+ control.emr_cluster_master_nodes_no_public_ip,
+ control.lambda_function_restrict_public_access,
+ control.rds_db_instance_prohibit_public_access,
+ control.rds_db_snapshot_prohibit_public_access,
+ control.redshift_cluster_prohibit_public_access,
+ control.s3_bucket_restrict_public_read_access,
+ control.s3_bucket_restrict_public_write_access,
+ control.s3_public_access_block_account,
+ control.s3_public_access_block_bucket,
+ control.sagemaker_notebook_instance_direct_internet_access_disabled,
+ control.vpc_default_security_group_restricts_all_traffic,
+ control.vpc_security_group_restrict_ingress_common_ports_all,
+ control.vpc_security_group_restrict_ingress_ssh_all,
+ control.vpc_subnet_auto_assign_public_ip_disabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_sc_7_27" {
+ title = "SC-7(27) Unclassified Non-National Security System Connections"
+ description = "Prohibit the direct connection of [Assignment: organization-defined unclassified non-national security system] to an external network without the use of [Assignment: organization-defined boundary protection device]."
+ children = [
+ control.dms_replication_instance_not_publicly_accessible,
+ control.ebs_snapshot_not_publicly_restorable,
+ control.ec2_instance_not_publicly_accessible,
+ control.emr_cluster_master_nodes_no_public_ip,
+ control.lambda_function_restrict_public_access,
+ control.rds_db_instance_prohibit_public_access,
+ control.rds_db_snapshot_prohibit_public_access,
+ control.redshift_cluster_prohibit_public_access,
+ control.s3_bucket_restrict_public_read_access,
+ control.s3_bucket_restrict_public_write_access,
+ control.s3_public_access_block_account,
+ control.s3_public_access_block_bucket,
+ control.sagemaker_notebook_instance_direct_internet_access_disabled,
+ control.vpc_default_security_group_restricts_all_traffic,
+ control.vpc_security_group_restrict_ingress_common_ports_all,
+ control.vpc_security_group_restrict_ingress_ssh_all,
+ control.vpc_subnet_auto_assign_public_ip_disabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_sc_7_28" {
+ title = "SC-7(28) Connections To Public Networks"
+ description = "Prohibit the direct connection of [Assignment: organization-defined system] to a public network."
+ children = [
+ control.dms_replication_instance_not_publicly_accessible,
+ control.ebs_snapshot_not_publicly_restorable,
+ control.ec2_instance_not_publicly_accessible,
+ control.emr_cluster_master_nodes_no_public_ip,
+ control.lambda_function_restrict_public_access,
+ control.rds_db_instance_prohibit_public_access,
+ control.rds_db_snapshot_prohibit_public_access,
+ control.redshift_cluster_prohibit_public_access,
+ control.s3_bucket_restrict_public_read_access,
+ control.s3_bucket_restrict_public_write_access,
+ control.s3_public_access_block_account,
+ control.s3_public_access_block_bucket,
+ control.sagemaker_notebook_instance_direct_internet_access_disabled,
+ control.vpc_default_security_group_restricts_all_traffic,
+ control.vpc_security_group_restrict_ingress_common_ports_all,
+ control.vpc_security_group_restrict_ingress_ssh_all,
+ control.vpc_subnet_auto_assign_public_ip_disabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_sc_7_a" {
+ title = "SC-7(a)"
+ description = "Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system."
+ children = [
+ control.dms_replication_instance_not_publicly_accessible,
+ control.ebs_snapshot_not_publicly_restorable,
+ control.ec2_instance_in_vpc,
+ control.ec2_instance_not_publicly_accessible,
+ control.emr_cluster_master_nodes_no_public_ip,
+ control.es_domain_in_vpc,
+ control.lambda_function_in_vpc,
+ control.lambda_function_restrict_public_access,
+ control.rds_db_instance_prohibit_public_access,
+ control.rds_db_snapshot_prohibit_public_access,
+ control.redshift_cluster_prohibit_public_access,
+ control.s3_bucket_restrict_public_read_access,
+ control.s3_bucket_restrict_public_write_access,
+ control.s3_public_access_block_account,
+ control.s3_public_access_block_bucket,
+ control.sagemaker_notebook_instance_direct_internet_access_disabled,
+ control.vpc_default_security_group_restricts_all_traffic,
+ control.vpc_security_group_restrict_ingress_common_ports_all,
+ control.vpc_security_group_restrict_ingress_ssh_all,
+ control.vpc_security_group_restrict_ingress_tcp_udp_all,
+ control.vpc_subnet_auto_assign_public_ip_disabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_sc_7_b" {
+ title = "SC-7(b)"
+ description = "Implement subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks."
+ children = [
+ control.dms_replication_instance_not_publicly_accessible,
+ control.ebs_snapshot_not_publicly_restorable,
+ control.ec2_instance_in_vpc,
+ control.ec2_instance_not_publicly_accessible,
+ control.emr_cluster_master_nodes_no_public_ip,
+ control.es_domain_in_vpc,
+ control.lambda_function_in_vpc,
+ control.lambda_function_restrict_public_access,
+ control.rds_db_instance_prohibit_public_access,
+ control.rds_db_snapshot_prohibit_public_access,
+ control.redshift_cluster_enhanced_vpc_routing_enabled,
+ control.redshift_cluster_prohibit_public_access,
+ control.s3_bucket_restrict_public_read_access,
+ control.s3_bucket_restrict_public_write_access,
+ control.s3_public_access_block_account,
+ control.s3_public_access_block_bucket,
+ control.sagemaker_notebook_instance_direct_internet_access_disabled,
+ control.vpc_subnet_auto_assign_public_ip_disabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_sc_7_c" {
+ title = "SC-7(c)"
+ description = "Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture."
+ children = [
+ control.dms_replication_instance_not_publicly_accessible,
+ control.ebs_snapshot_not_publicly_restorable,
+ control.ec2_instance_in_vpc,
+ control.ec2_instance_not_publicly_accessible,
+ control.emr_cluster_master_nodes_no_public_ip,
+ control.es_domain_in_vpc,
+ control.lambda_function_in_vpc,
+ control.lambda_function_restrict_public_access,
+ control.rds_db_instance_prohibit_public_access,
+ control.rds_db_snapshot_prohibit_public_access,
+ control.redshift_cluster_prohibit_public_access,
+ control.s3_bucket_restrict_public_read_access,
+ control.s3_bucket_restrict_public_write_access,
+ control.s3_public_access_block_account,
+ control.s3_public_access_block_bucket,
+ control.sagemaker_notebook_instance_direct_internet_access_disabled,
+ control.vpc_default_security_group_restricts_all_traffic,
+ control.vpc_security_group_restrict_ingress_common_ports_all,
+ control.vpc_security_group_restrict_ingress_ssh_all,
+ control.vpc_security_group_restrict_ingress_tcp_udp_all,
+ control.vpc_subnet_auto_assign_public_ip_disabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_sc_8" {
+ title = "Transmission Confidentiality And Integrity (SC-8)"
+ description = "Protect the [Selection (one or more): confidentiality; integrity] of transmitted information."
+ children = [
+ benchmark.nist_800_53_rev_5_sc_8_1,
+ benchmark.nist_800_53_rev_5_sc_8_2,
+ benchmark.nist_800_53_rev_5_sc_8_3,
+ benchmark.nist_800_53_rev_5_sc_8_4,
+ benchmark.nist_800_53_rev_5_sc_8_5,
+ control.apigateway_rest_api_stage_use_ssl_certificate,
+ control.elb_application_lb_redirect_http_request_to_https,
+ control.elb_classic_lb_use_ssl_certificate,
+ control.elb_classic_lb_use_tls_https_listeners,
+ control.es_domain_node_to_node_encryption_enabled,
+ control.redshift_cluster_encryption_in_transit_enabled,
+ control.s3_bucket_enforces_ssl
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_sc_8_1" {
+ title = "SC-8(1) Cryptographic Protection"
+ description = "Implement cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission."
+ children = [
+ control.apigateway_rest_api_stage_use_ssl_certificate,
+ control.elb_application_lb_redirect_http_request_to_https,
+ control.elb_application_network_lb_use_ssl_certificate,
+ control.elb_classic_lb_use_ssl_certificate,
+ control.elb_classic_lb_use_tls_https_listeners,
+ control.es_domain_node_to_node_encryption_enabled,
+ control.redshift_cluster_encryption_in_transit_enabled,
+ control.s3_bucket_enforces_ssl
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_sc_8_2" {
+ title = "SC-8(2) Pre- And Post-Transmission Handling"
+ description = "Maintain the [Selection (one or more): confidentiality; integrity] of information during preparation for transmission and during reception."
+ children = [
+ control.apigateway_rest_api_stage_use_ssl_certificate,
+ control.elb_application_lb_redirect_http_request_to_https,
+ control.elb_classic_lb_use_ssl_certificate,
+ control.elb_classic_lb_use_tls_https_listeners,
+ control.es_domain_node_to_node_encryption_enabled,
+ control.redshift_cluster_encryption_in_transit_enabled,
+ control.s3_bucket_enforces_ssl
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_sc_8_3" {
+ title = "SC-8(3) Cryptographic Protection For Message Externals"
+ description = "Implement cryptographic mechanisms to protect message externals unless otherwise protected by [Assignment: organization-defined alternative physical controls]."
+ children = [
+ control.apigateway_rest_api_stage_use_ssl_certificate,
+ control.apigateway_stage_cache_encryption_at_rest_enabled,
+ control.cloudtrail_trail_logs_encrypted_with_kms_cmk,
+ control.dynamodb_table_encrypted_with_kms_cmk,
+ control.ebs_attached_volume_encryption_enabled,
+ control.ec2_ebs_default_encryption_enabled,
+ control.efs_file_system_encrypt_data_at_rest,
+ control.elb_application_lb_redirect_http_request_to_https,
+ control.elb_classic_lb_use_ssl_certificate,
+ control.elb_classic_lb_use_tls_https_listeners,
+ control.es_domain_encryption_at_rest_enabled,
+ control.es_domain_node_to_node_encryption_enabled,
+ control.log_group_encryption_at_rest_enabled,
+ control.rds_db_instance_encryption_at_rest_enabled,
+ control.rds_db_snapshot_encrypted_at_rest,
+ control.redshift_cluster_encryption_in_transit_enabled,
+ control.redshift_cluster_encryption_logging_enabled,
+ control.redshift_cluster_kms_enabled,
+ control.s3_bucket_default_encryption_enabled_kms,
+ control.s3_bucket_default_encryption_enabled,
+ control.s3_bucket_enforces_ssl,
+ control.sagemaker_endpoint_configuration_encryption_at_rest_enabled,
+ control.sagemaker_notebook_instance_encryption_at_rest_enabled,
+ control.secretsmanager_secret_encrypted_with_kms_cmk,
+ control.sns_topic_encrypted_at_rest
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_sc_8_4" {
+ title = "SC-8(4) Conceal Or Ramdomize Communications"
+ description = "Implement cryptographic mechanisms to conceal or randomize communication patterns unless otherwise protected by [Assignment: organization-defined alternative physical controls]."
+ children = [
+ control.apigateway_rest_api_stage_use_ssl_certificate,
+ control.apigateway_stage_cache_encryption_at_rest_enabled,
+ control.cloudtrail_trail_logs_encrypted_with_kms_cmk,
+ control.dynamodb_table_encrypted_with_kms_cmk,
+ control.ebs_attached_volume_encryption_enabled,
+ control.ec2_ebs_default_encryption_enabled,
+ control.efs_file_system_encrypt_data_at_rest,
+ control.elb_application_lb_redirect_http_request_to_https,
+ control.elb_classic_lb_use_ssl_certificate,
+ control.elb_classic_lb_use_tls_https_listeners,
+ control.es_domain_encryption_at_rest_enabled,
+ control.es_domain_node_to_node_encryption_enabled,
+ control.log_group_encryption_at_rest_enabled,
+ control.rds_db_instance_encryption_at_rest_enabled,
+ control.rds_db_snapshot_encrypted_at_rest,
+ control.redshift_cluster_encryption_in_transit_enabled,
+ control.redshift_cluster_encryption_logging_enabled,
+ control.redshift_cluster_kms_enabled,
+ control.s3_bucket_default_encryption_enabled_kms,
+ control.s3_bucket_default_encryption_enabled,
+ control.s3_bucket_enforces_ssl,
+ control.sagemaker_endpoint_configuration_encryption_at_rest_enabled,
+ control.sagemaker_notebook_instance_encryption_at_rest_enabled,
+ control.secretsmanager_secret_encrypted_with_kms_cmk,
+ control.sns_topic_encrypted_at_rest
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_sc_8_5" {
+ title = "SC-8(5) Protected Distribution System"
+ description = "Implement [Assignment: organization-defined protected distribution system] to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission."
+ children = [
+ control.apigateway_rest_api_stage_use_ssl_certificate,
+ control.elb_application_lb_redirect_http_request_to_https,
+ control.elb_classic_lb_use_ssl_certificate,
+ control.elb_classic_lb_use_tls_https_listeners,
+ control.es_domain_node_to_node_encryption_enabled,
+ control.redshift_cluster_encryption_in_transit_enabled,
+ control.s3_bucket_enforces_ssl
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_sc_12" {
+ title = "Cryptographic Key Establishment And Management (SC-12)"
+ description = "Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction]."
+ children = [
+ benchmark.nist_800_53_rev_5_sc_12_2,
+ benchmark.nist_800_53_rev_5_sc_12_6,
+ control.kms_cmk_rotation_enabled,
+ control.kms_key_not_pending_deletion
+ ]
+
+ tags = merge(local.nist_800_53_rev_5_common_tags, {
+ service = "AWS/KMS"
+ })
+}
+
+benchmark "nist_800_53_rev_5_sc_12_2" {
+ title = "SC-12(2) Symmetric Keys"
+ description = "Produce, control, and distribute symmetric cryptographic keys using [Selection: NIST FIPS-validated; NSA-approved] key management technology and processes."
+ children = [
+ control.kms_cmk_rotation_enabled,
+ control.kms_key_not_pending_deletion
+ ]
+
+ tags = merge(local.nist_800_53_rev_5_common_tags, {
+ service = "AWS/KMS"
+ })
+}
+
+benchmark "nist_800_53_rev_5_sc_12_6" {
+ title = "SC-12(6) Physical Control Of Keys"
+ description = "Maintain physical control of cryptographic keys when stored information is encrypted by external service providers."
+ children = [
+ control.kms_cmk_rotation_enabled,
+ control.kms_key_not_pending_deletion
+ ]
+
+ tags = merge(local.nist_800_53_rev_5_common_tags, {
+ service = "AWS/KMS"
+ })
+}
+
+benchmark "nist_800_53_rev_5_sc_13" {
+ title = "Cryptographic Protection (SC-13)"
+ description = "a. Determine the [Assignment: organization-defined cryptographic uses]; and b. Implement the following types of cryptography required for each specified cryptographic use: [Assignment: organization-defined types of cryptography for each specified cryptographic use]."
+ children = [
+ benchmark.nist_800_53_rev_5_sc_13_a
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_sc_13_a" {
+ title = "SC-13(a)"
+ description = "Determine the [Assignment: organization-defined cryptographic uses]."
+ children = [
+ control.apigateway_rest_api_stage_use_ssl_certificate,
+ control.apigateway_stage_cache_encryption_at_rest_enabled,
+ control.cloudtrail_trail_logs_encrypted_with_kms_cmk,
+ control.dynamodb_table_encrypted_with_kms_cmk,
+ control.ebs_attached_volume_encryption_enabled,
+ control.ec2_ebs_default_encryption_enabled,
+ control.efs_file_system_encrypt_data_at_rest,
+ control.elb_application_lb_redirect_http_request_to_https,
+ control.elb_classic_lb_use_ssl_certificate,
+ control.elb_classic_lb_use_tls_https_listeners,
+ control.es_domain_encryption_at_rest_enabled,
+ control.es_domain_node_to_node_encryption_enabled,
+ control.log_group_encryption_at_rest_enabled,
+ control.rds_db_instance_encryption_at_rest_enabled,
+ control.rds_db_snapshot_encrypted_at_rest,
+ control.redshift_cluster_encryption_in_transit_enabled,
+ control.redshift_cluster_encryption_logging_enabled,
+ control.redshift_cluster_kms_enabled,
+ control.s3_bucket_default_encryption_enabled_kms,
+ control.s3_bucket_default_encryption_enabled,
+ control.s3_bucket_enforces_ssl,
+ control.sagemaker_endpoint_configuration_encryption_at_rest_enabled,
+ control.sagemaker_notebook_instance_encryption_at_rest_enabled,
+ control.secretsmanager_secret_encrypted_with_kms_cmk,
+ control.sns_topic_encrypted_at_rest
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_sc_16" {
+ title = "Transmission Of Security And Privacy Attributes (SC-16)"
+ description = "Associate [Assignment: organization-defined security and privacy attributes] with information exchanged between systems and between system components."
+ children = [
+ benchmark.nist_800_53_rev_5_sc_16_1
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_sc_16_1" {
+ title = "SC-16(1) Integrity Verification"
+ description = "Verify the integrity of transmitted security and privacy attributes."
+ children = [
+ control.cloudtrail_trail_validation_enabled,
+ control.s3_bucket_default_encryption_enabled,
+ control.s3_bucket_enforces_ssl,
+ control.s3_bucket_versioning_enabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_sc_22" {
+ title = "Architecture And Provisioning For Name/Address Resolution Service (SC-22)"
+ description = "Ensure the systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal and external role separation."
+ children = [
+ control.dynamodb_table_auto_scaling_enabled,
+ control.elb_application_lb_deletion_protection_enabled,
+ control.elb_classic_lb_cross_zone_load_balancing_enabled,
+ control.rds_db_instance_deletion_protection_enabled,
+ control.rds_db_instance_multiple_az_enabled,
+ control.vpc_vpn_tunnel_up
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_sc_23" {
+ title = "Session Authenticity (SC-23)"
+ description = "Protect the authenticity of communications sessions."
+ children = [
+ benchmark.nist_800_53_rev_5_sc_23_3,
+ benchmark.nist_800_53_rev_5_sc_23_5,
+ control.apigateway_rest_api_stage_use_ssl_certificate,
+ control.elb_application_lb_redirect_http_request_to_https,
+ control.elb_classic_lb_use_ssl_certificate,
+ control.elb_classic_lb_use_tls_https_listeners,
+ control.es_domain_node_to_node_encryption_enabled,
+ control.redshift_cluster_encryption_in_transit_enabled,
+ control.s3_bucket_enforces_ssl
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_sc_23_3" {
+ title = "SC-23(3) Unique System-Generated Session Identifiers"
+ description = "Generate a unique session identifier for each session with [Assignment: organization-defined randomness requirements] and recognize only session identifiers that are system-generated."
+ children = [
+ control.ec2_instance_uses_imdsv2,
+ control.iam_account_password_policy_min_length_14,
+ control.iam_group_user_role_no_inline_policies,
+ control.iam_policy_no_star_star,
+ control.iam_root_user_hardware_mfa_enabled,
+ control.iam_root_user_mfa_enabled,
+ control.iam_root_user_no_access_keys,
+ control.iam_user_access_key_age_90,
+ control.iam_user_console_access_mfa_enabled,
+ control.iam_user_in_group,
+ control.iam_user_mfa_enabled,
+ control.iam_user_no_inline_attached_policies,
+ control.iam_user_unused_credentials_90,
+ control.secretsmanager_secret_automatic_rotation_enabled,
+ control.secretsmanager_secret_rotated_as_scheduled,
+ control.secretsmanager_secret_unused_90_day
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_sc_23_5" {
+ title = "SC-23(5) Allowed Certificate Authorities"
+ description = "Only allow the use of [Assignment: organization-defined certificate authorities] for verification of the establishment of protected sessions."
+ children = [
+ control.elb_application_network_lb_use_ssl_certificate,
+ control.elb_classic_lb_use_ssl_certificate
+ ]
+
+ tags = merge(local.nist_800_53_rev_5_common_tags, {
+ service = "AWS/ELB"
+ })
+}
+
+benchmark "nist_800_53_rev_5_sc_25" {
+ title = "Thin Nodes (SC-25)"
+ description = "Employ minimal functionality and information storage on the following system components: [Assignment: organization-defined system components]."
+ children = [
+ control.dms_replication_instance_not_publicly_accessible,
+ control.ebs_snapshot_not_publicly_restorable,
+ control.ec2_instance_in_vpc,
+ control.ec2_instance_not_publicly_accessible,
+ control.emr_cluster_master_nodes_no_public_ip,
+ control.es_domain_in_vpc,
+ control.iam_policy_no_star_star,
+ control.iam_root_user_no_access_keys,
+ control.iam_user_no_inline_attached_policies,
+ control.lambda_function_in_vpc,
+ control.lambda_function_restrict_public_access,
+ control.rds_db_instance_prohibit_public_access,
+ control.rds_db_snapshot_prohibit_public_access,
+ control.redshift_cluster_prohibit_public_access,
+ control.s3_bucket_restrict_public_read_access,
+ control.s3_bucket_restrict_public_write_access,
+ control.s3_public_access_block_account,
+ control.s3_public_access_block_bucket,
+ control.sagemaker_notebook_instance_direct_internet_access_disabled,
+ control.vpc_subnet_auto_assign_public_ip_disabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_sc_28" {
+ title = "Protection Of Information At Rest (SC-28)"
+ description = "Protect the [Selection (one or more): confidentiality; integrity] of the following information at rest: [Assignment: organization-defined information at rest]."
+ children = [
+ benchmark.nist_800_53_rev_5_sc_28_1,
+ benchmark.nist_800_53_rev_5_sc_28_2
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_sc_28_1" {
+ title = "SC-28(1) Cryptographic Protection"
+ description = "Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of the following information at rest on [Assignment: organization-defined system components or media]: [Assignment: organization-defined information]."
+ children = [
+ control.apigateway_stage_cache_encryption_at_rest_enabled,
+ control.cloudtrail_trail_logs_encrypted_with_kms_cmk,
+ control.dynamodb_table_encrypted_with_kms_cmk,
+ control.ebs_attached_volume_encryption_enabled,
+ control.ec2_ebs_default_encryption_enabled,
+ control.efs_file_system_encrypt_data_at_rest,
+ control.es_domain_encryption_at_rest_enabled,
+ control.log_group_encryption_at_rest_enabled,
+ control.rds_db_instance_encryption_at_rest_enabled,
+ control.rds_db_snapshot_encrypted_at_rest,
+ control.redshift_cluster_encryption_logging_enabled,
+ control.redshift_cluster_kms_enabled,
+ control.s3_bucket_default_encryption_enabled_kms,
+ control.s3_bucket_default_encryption_enabled,
+ control.sagemaker_endpoint_configuration_encryption_at_rest_enabled,
+ control.sagemaker_notebook_instance_encryption_at_rest_enabled,
+ control.secretsmanager_secret_encrypted_with_kms_cmk,
+ control.sns_topic_encrypted_at_rest
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_sc_28_2" {
+ title = "SC-28(2) Offline Storage"
+ description = "Remove the following information from online storage and store offline in a secure location: [Assignment: organization-defined information]."
+ children = [
+ control.cloudwatch_log_group_retention_period_365
+ ]
+
+ tags = merge(local.nist_800_53_rev_5_common_tags, {
+ service = "AWS/CloudWatch"
+ })
+}
+
+benchmark "nist_800_53_rev_5_sc_36" {
+ title = "Distributed Processing And Storage (SC-36)"
+ description = "Distribute the following processing and storage components across multiple [Selection: physical locations; logical domains]: [Assignment: organization-defined processing and storage components]."
+ children = [
+ benchmark.nist_800_53_rev_5_sc_36_1_a,
+ control.dynamodb_table_auto_scaling_enabled,
+ control.elb_classic_lb_cross_zone_load_balancing_enabled,
+ control.rds_db_instance_multiple_az_enabled,
+ control.vpc_vpn_tunnel_up
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_sc_36_1_a" {
+ title = "SC-36(1)(a)"
+ description = "Employ polling techniques to identify potential faults, errors, or compromises to the following processing and storage components: [Assignment: organization-defined distributed processing and storage components]."
+ children = [
+ control.autoscaling_group_with_lb_use_health_check,
+ control.cloudwatch_alarm_action_enabled,
+ control.elastic_beanstalk_enhanced_health_reporting_enabled,
+ control.lambda_function_dead_letter_queue_configured,
+ control.rds_db_instance_and_cluster_enhanced_monitoring_enabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_sc_43" {
+ title = "Usage Restrictions (SC-43)"
+ description = "a. Establish usage restrictions and implementation guidelines for the following system components: [Assignment: organization-defined system components]; and b. Authorize, monitor, and control the use of such components within the system."
+ children = [
+ benchmark.nist_800_53_rev_5_sc_43_b
+ ]
+
+ tags = merge(local.nist_800_53_rev_5_common_tags, {
+ service = "AWS/GuardDuty"
+ })
+}
+
+benchmark "nist_800_53_rev_5_sc_43_b" {
+ title = "SC-43(b)"
+ description = "Authorize, monitor, and control the use of such components within the system."
+ children = [
+ control.guardduty_enabled
+ ]
+
+ tags = merge(local.nist_800_53_rev_5_common_tags, {
+ service = "AWS/GuardDuty"
+ })
+}
\ No newline at end of file
diff --git a/nist_800_53_rev_5/si.sp b/nist_800_53_rev_5/si.sp
new file mode 100644
index 00000000..a1a61e22
--- /dev/null
+++ b/nist_800_53_rev_5/si.sp
@@ -0,0 +1,741 @@
+benchmark "nist_800_53_rev_5_si" {
+ title = "System and Information integrity (SI)"
+ description = "The SI control family correlates to controls that protect system and information integrity. These include flaw remediation, malicious code protection, information system monitoring, security alerts, software and firmware integrity, and spam protection."
+ children = [
+ benchmark.nist_800_53_rev_5_si_1,
+ benchmark.nist_800_53_rev_5_si_2,
+ benchmark.nist_800_53_rev_5_si_3,
+ benchmark.nist_800_53_rev_5_si_4,
+ benchmark.nist_800_53_rev_5_si_5,
+ benchmark.nist_800_53_rev_5_si_7,
+ benchmark.nist_800_53_rev_5_si_10,
+ benchmark.nist_800_53_rev_5_si_12,
+ benchmark.nist_800_53_rev_5_si_13,
+ benchmark.nist_800_53_rev_5_si_19
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_si_1" {
+ title = "Policy And Procedures (SI-1)"
+ description = "a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] system and information integrity policy that: a). Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b). Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the system and information integrity policy and the associated system and information integrity controls; b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the system and information integrity policy and procedures; and c. Review and update the current system and information integrity: 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]."
+ children = [
+ benchmark.nist_800_53_rev_5_si_1_1_c,
+ benchmark.nist_800_53_rev_5_si_1_a_2,
+ benchmark.nist_800_53_rev_5_si_1_c_2
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_si_1_a_2" {
+ title = "SI-1(a)(2)"
+ description = "a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 2. Procedures to facilitate the implementation of the system and information integrity policy and the associated system and information integrity controls;."
+ children = [
+ control.apigateway_rest_api_stage_use_ssl_certificate,
+ control.cloudtrail_trail_validation_enabled,
+ control.elb_application_lb_redirect_http_request_to_https,
+ control.elb_classic_lb_use_ssl_certificate,
+ control.elb_classic_lb_use_tls_https_listeners,
+ control.es_domain_node_to_node_encryption_enabled,
+ control.redshift_cluster_encryption_in_transit_enabled,
+ control.s3_bucket_enforces_ssl,
+ control.s3_bucket_versioning_enabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_si_1_c_2" {
+ title = "SI-1(c)(2)"
+ description = "c. Review and update the current system and information integrity: 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]."
+ children = [
+ control.apigateway_rest_api_stage_use_ssl_certificate,
+ control.cloudtrail_trail_validation_enabled,
+ control.elb_application_lb_redirect_http_request_to_https,
+ control.elb_classic_lb_use_ssl_certificate,
+ control.elb_classic_lb_use_tls_https_listeners,
+ control.es_domain_node_to_node_encryption_enabled,
+ control.redshift_cluster_encryption_in_transit_enabled,
+ control.s3_bucket_enforces_ssl,
+ control.s3_bucket_versioning_enabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_si_1_1_c" {
+ title = "SI-1(1)(c)"
+ description = "Audit the use of the manual override capability."
+ children = [
+ control.cloudtrail_multi_region_trail_enabled,
+ control.cloudtrail_s3_data_events_enabled,
+ control.cloudtrail_trail_enabled,
+ control.cloudtrail_trail_integrated_with_logs,
+ control.rds_db_instance_logging_enabled,
+ control.redshift_cluster_encryption_logging_enabled,
+ control.s3_bucket_logging_enabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_si_2" {
+ title = "Flaw Remediation (SI-2)"
+ description = "The organization: a.Identifies, reports, and corrects information system flaws; b.Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation; c.Installs security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and d.Incorporates flaw remediation into the organizational configuration management process."
+ children = [
+ benchmark.nist_800_53_rev_5_si_2_2,
+ benchmark.nist_800_53_rev_5_si_2_5,
+ benchmark.nist_800_53_rev_5_si_2_a,
+ benchmark.nist_800_53_rev_5_si_2_c,
+ benchmark.nist_800_53_rev_5_si_2_d
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_si_2_5" {
+ title = "SI-2(5) Automatic Software And Firmware Updated"
+ description = "Install [Assignment: organization-defined security-relevant software and firmware updates] automatically to [Assignment: organization-defined system components]."
+ children = [
+ control.elastic_beanstalk_enhanced_health_reporting_enabled,
+ control.redshift_cluster_maintenance_settings_check,
+ control.ssm_managed_instance_compliance_patch_compliant
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_si_2_2" {
+ title = "SI-2(2) Automated Flaw RemediationN Status"
+ description = "Determine if system components have applicable security-relevant software and firmware updates installed using [Assignment: organization-defined automated mechanisms] [Assignment: organization-defined frequency]."
+ children = [
+ control.elastic_beanstalk_enhanced_health_reporting_enabled,
+ control.redshift_cluster_maintenance_settings_check,
+ control.ssm_managed_instance_compliance_patch_compliant
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_si_2_a" {
+ title = "SI-2(a)"
+ description = "Identify, report, and correct system flaws."
+ children = [ + control.autoscaling_group_with_lb_use_health_check, + control.cloudwatch_alarm_action_enabled, + control.elastic_beanstalk_enhanced_health_reporting_enabled, + control.lambda_function_dead_letter_queue_configured, + control.rds_db_instance_and_cluster_enhanced_monitoring_enabled + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_si_2_c" { + title = "SI-2(c)" + description = "Install security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates." + children = [ + control.elastic_beanstalk_enhanced_health_reporting_enabled, + control.redshift_cluster_maintenance_settings_check, + control.ssm_managed_instance_compliance_patch_compliant + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_si_2_d" { + title = "SI-2(d)" + description = "Incorporate flaw remediation into the organizational configuration management process." + children = [ + control.elastic_beanstalk_enhanced_health_reporting_enabled, + control.redshift_cluster_maintenance_settings_check, + control.ssm_managed_instance_compliance_patch_compliant + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_si_3" { + title = "Malicious Code Protection (SI-3)" + description = "a. Implement [Selection (one or more): signature based; non-signature based] malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code; b. Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures; c. Configure malicious code protection mechanisms to: 1. 
Perform periodic scans of the system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more): endpoint; network entry and exit points] as the files are downloaded, opened, or executed in accordance with organizational policy; and 2. [Selection (one or more): block malicious code; quarantine malicious code; take [Assignment: organization-defined action]]; and send alert to [Assignment: organization-defined personnel or roles] in response to malicious code detection; and d. Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system." + children = [ + benchmark.nist_800_53_rev_5_si_3_8, + benchmark.nist_800_53_rev_5_si_3_c_2 + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_si_3_c_2" { + title = "SI-3(c)(2)" + description = "c. Configure malicious code protection mechanisms to: 2. [Selection (one or more): block malicious code; quarantine malicious code; take [Assignment: organization-defined action]]; and send alert to [Assignment: organization-defined personnel or roles] in response to malicious code detection." + children = [ + control.ec2_instance_ssm_managed, + control.ssm_managed_instance_compliance_association_compliant, + control.ssm_managed_instance_compliance_patch_compliant + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_si_3_8" { + title = "SI-3(8) Detect Unauthorized Commands" + description = "a. Detect the following unauthorized operating system commands through the kernel application programming interface on [Assignment: organization-defined system hardware components]: [Assignment: organization-defined unauthorized operating system commands]; and b. [Selection (one or more): issue a warning; audit the command execution; prevent the execution of the command]." 
+ children = [ + benchmark.nist_800_53_rev_5_si_3_8_a, + benchmark.nist_800_53_rev_5_si_3_8_b + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_si_3_8_a" { + title = "SI-3(8)(a)" + description = "Detect the following unauthorized operating system commands through the kernel application programming interface on [Assignment: organization-defined system hardware components]: [Assignment: organization-defined unauthorized operating system commands]." + children = [ + control.guardduty_enabled + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_si_3_8_b" { + title = "SI-3(8)(b)" + description = "[Selection (one or more): issue a warning; audit the command execution; prevent the execution of the command]." + children = [ + control.cloudtrail_multi_region_trail_enabled, + control.cloudtrail_s3_data_events_enabled, + control.cloudtrail_trail_enabled, + control.cloudtrail_trail_integrated_with_logs, + control.rds_db_instance_logging_enabled, + control.redshift_cluster_encryption_logging_enabled, + control.s3_bucket_logging_enabled + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_si_4" { + title = "System Monitoring (SI-4)" + description = "The organization: a.Monitors the information system to detect: 1. Attacks and indicators of potential attacks in accordance with [Assignment: organization-defined monitoring objectives]; and 2.Unauthorized local, network, and remote connections; b. Identifies unauthorized use of the information system through [Assignment: organization-defined techniques and methods]; c. Deploys monitoring devices: 1. Strategically within the information system to collect organization-determined essential information; and 2. At ad hoc locations within the system to track specific types of transactions of interest to the organization; d. 
Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion; e. Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information; f. Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and g. Provides [Assignment: organization-defined information system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]]." + children = [ + benchmark.nist_800_53_rev_5_si_4_1, + benchmark.nist_800_53_rev_5_si_4_2, + benchmark.nist_800_53_rev_5_si_4_3, + benchmark.nist_800_53_rev_5_si_4_4, + benchmark.nist_800_53_rev_5_si_4_10, + benchmark.nist_800_53_rev_5_si_4_12, + benchmark.nist_800_53_rev_5_si_4_13, + benchmark.nist_800_53_rev_5_si_4_14, + benchmark.nist_800_53_rev_5_si_4_17, + benchmark.nist_800_53_rev_5_si_4_20, + benchmark.nist_800_53_rev_5_si_4_23, + benchmark.nist_800_53_rev_5_si_4_25, + benchmark.nist_800_53_rev_5_si_4_a, + benchmark.nist_800_53_rev_5_si_4_b, + benchmark.nist_800_53_rev_5_si_4_c, + benchmark.nist_800_53_rev_5_si_4_d + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_si_4_a" { + title = "SI-4(a)" + description = "Monitor the system to detect: 1. Attacks and indicators of potential attacks in accordance with the following monitoring objectives: [Assignment: organization-defined monitoring objectives]; and 2. Unauthorized local, network, and remote connections." 
+ children = [ + benchmark.nist_800_53_rev_5_si_4_a_1, + benchmark.nist_800_53_rev_5_si_4_a_2, + control.guardduty_enabled + ] + + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/GuardDuty" + }) +} + +benchmark "nist_800_53_rev_5_si_4_a_1" { + title = "SI-4(a)(1)" + description = "a. Monitor the system to detect: 1. Attacks and indicators of potential attacks in accordance with the following monitoring objectives: [Assignment: organization-defined monitoring objectives]; and 2. Unauthorized local, network, and remote connections." + children = [ + control.guardduty_enabled + ] + + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/GuardDuty" + }) +} + +benchmark "nist_800_53_rev_5_si_4_a_2" { + title = "SI-4(a)(2)" + description = "a. Monitor the system to detect: 2. Unauthorized local, network, and remote connections." + children = [ + control.guardduty_enabled + ] + + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/GuardDuty" + }) +} + +benchmark "nist_800_53_rev_5_si_4_b" { + title = "SI-4(b)" + description = "Identify unauthorized use of the system through the following techniques and methods: [Assignment: organization-defined techniques and methods]." + children = [ + control.guardduty_enabled + ] + + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/GuardDuty" + }) +} + +benchmark "nist_800_53_rev_5_si_4_c" { + title = "SI-4(c)" + description = "c. Invoke internal monitoring capabilities or deploy monitoring devices: 1. Strategically within the system to collect organization-determined essential information; and 2. At ad hoc locations within the system to track specific types of transactions of interest to the organization." + children = [ + control.guardduty_enabled + ] + + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/GuardDuty" + }) +} + +benchmark "nist_800_53_rev_5_si_4_d" { + title = "SI-4(d)" + description = "Analyze detected events and anomalies." 
+ children = [ + control.cloudtrail_trail_validation_enabled + ] + + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/CloudTrail" + }) +} + +benchmark "nist_800_53_rev_5_si_4_1" { + title = "SI-4(1) System-Wide Intrusion Detection System" + description = "Connect and configure individual intrusion detection tools into a system-wide intrusion detection system." + children = [ + control.guardduty_enabled + ] + + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/GuardDuty" + }) +} + +benchmark "nist_800_53_rev_5_si_4_2" { + title = "SI-4(2) Automated Tools For Real-Time Analysis" + description = "Implement the following additional monitoring of privileged users: [Assignment: organization-defined additional monitoring]. Employ automated tools and mechanisms to support near real-time analysis of events." + children = [ + control.cloudtrail_multi_region_trail_enabled, + control.cloudtrail_trail_integrated_with_logs, + control.cloudtrail_trail_enabled, + control.cloudtrail_s3_data_events_enabled, + control.guardduty_enabled, + control.rds_db_instance_logging_enabled, + control.redshift_cluster_encryption_logging_enabled, + control.s3_bucket_logging_enabled + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_si_4_3" { + title = "SI-4(3) Automated Tools And Mechanism Integration" + description = "Employ automated tools and mechanisms to integrate intrusion detection tools and mechanisms into access control and flow control mechanisms." + children = [ + control.guardduty_enabled + ] + + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/GuardDuty" + }) +} + +benchmark "nist_800_53_rev_5_si_4_4" { + title = "SI-4(4) Inbound and Outbound Communications Traffic" + description = "The information system monitors inbound and outbound communications traffic continuously for unusual or unauthorized activities or conditions." 
+ children = [ + benchmark.nist_800_53_rev_5_si_4_4_a, + benchmark.nist_800_53_rev_5_si_4_4_b + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_si_4_4_a" { + title = "SI-4(4)(a)" + description = "Determine criteria for unusual or unauthorized activities or conditions for inbound and outbound communications traffic." + children = [ + control.guardduty_enabled + ] + + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/GuardDuty" + }) +} + +benchmark "nist_800_53_rev_5_si_4_4_b" { + title = "SI-4(4)(b)" + description = "Monitor inbound and outbound communications traffic [Assignment: organization-defined frequency] for [Assignment: organization-defined unusual or unauthorized activities or conditions]." + children = [ + control.guardduty_enabled + ] + + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/GuardDuty" + }) +} + +benchmark "nist_800_53_rev_5_si_4_10" { + title = "SI-4(10) Visibility Of Encrypted Communications" + description = "Make provisions so that [Assignment: organization-defined encrypted communications traffic] is visible to [Assignment: organization-defined system monitoring tools and mechanisms]." + children = [ + control.guardduty_enabled + ] + + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/GuardDuty" + }) +} + +benchmark "nist_800_53_rev_5_si_4_12" { + title = "SI-4(12) Automated Organization-Generated Alerts" + description = "Alert [Assignment: organization-defined personnel or roles] using [Assignment: organization-defined automated mechanisms] when the following indications of inappropriate or unusual activities with security or privacy implications occur: [Assignment: organization-defined activities that trigger alerts]." 
+ children = [ + control.cloudwatch_alarm_action_enabled + ] + + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/CloudWatch" + }) +} + +benchmark "nist_800_53_rev_5_si_4_13" { + title = "SI-4(13) Analyze Traffic And Event Patterns" + description = "a. Analyze communications traffic and event patterns for the system; b. Develop profiles representing common traffic and event patterns; and c. Use the traffic and event profiles in tuning system-monitoring devices." + children = [ + benchmark.nist_800_53_rev_5_si_4_13_a + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_si_4_13_a" { + title = "SI-4(13)(a)" + description = "Analyze communications traffic and event patterns for the system." + children = [ + control.guardduty_enabled + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_si_4_14" { + title = "SI-4(14) Wireless Intrusion Detection" + description = "Employ a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises or breaches to the system." + children = [ + control.guardduty_enabled + ] + + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/GuardDuty" + }) +} + +benchmark "nist_800_53_rev_5_si_4_17" { + title = "SI-4(17) Integrated Situational Awareness" + description = "Correlate information from monitoring physical, cyber, and supply chain activities to achieve integrated, organization-wide situational awareness." 
+ children = [ + control.apigateway_stage_logging_enabled, + control.cloudtrail_multi_region_trail_enabled, + control.cloudtrail_s3_data_events_enabled, + control.cloudtrail_trail_enabled, + control.cloudtrail_trail_integrated_with_logs, + control.cloudwatch_log_group_retention_period_365, + control.elb_application_classic_lb_logging_enabled, + control.rds_db_instance_logging_enabled, + control.redshift_cluster_encryption_logging_enabled, + control.s3_bucket_logging_enabled, + control.vpc_flow_logs_enabled, + control.wafv2_web_acl_logging_enabled + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_si_4_20" { + title = "SI-4(20) Privileged Users" + description = "Implement the following additional monitoring of privileged users: [Assignment: organization-defined additional monitoring]." + children = [ + control.cloudtrail_multi_region_trail_enabled, + control.cloudtrail_s3_data_events_enabled, + control.cloudtrail_trail_enabled, + control.cloudtrail_trail_integrated_with_logs, + control.rds_db_instance_logging_enabled, + control.redshift_cluster_encryption_logging_enabled, + control.s3_bucket_logging_enabled + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_si_4_23" { + title = "SI-4(23) Host-Based Devices" + description = "Implement the following host-based monitoring mechanisms at [Assignment: organization-defined system components]: [Assignment: organization-defined host-based monitoring mechanisms]." + children = [ + control.guardduty_enabled + ] + + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/GuardDuty" + }) +} + +benchmark "nist_800_53_rev_5_si_4_25" { + title = "SI-4(25) Optimize Network Traffic Analysis" + description = "Provide visibility into network traffic at external and key internal system interfaces to optimize the effectiveness of monitoring devices." 
+ children = [ + control.guardduty_enabled + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_si_5" { + title = "Secuity Alerts, Advisories, And Directives (SI-5)" + description = "a. Receive system security alerts, advisories, and directives from [Assignment: organization-defined external organizations] on an ongoing basis; b. Generate internal security alerts, advisories, and directives as deemed necessary; c. Disseminate security alerts, advisories, and directives to: [Selection (one or more): [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined elements within the organization]; [Assignment: organization-defined external organizations]]; and d. Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance." + children = [ + benchmark.nist_800_53_rev_5_si_5_1, + benchmark.nist_800_53_rev_5_si_5_b + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_si_5_1" { + title = "SI-5(1) Automated Alerts And Advisories" + description = "Broadcast security alert and advisory information throughout the organization using [Assignment: organization-defined automated mechanisms]." + children = [ + control.cloudwatch_alarm_action_enabled, + control.guardduty_enabled + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_si_5_b" { + title = "SI-5(b)" + description = "Generate internal security alerts, advisories, and directives as deemed necessary." + children = [ + control.cloudwatch_alarm_action_enabled, + control.guardduty_enabled + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_si_7" { + title = "Software, Firmware, and Information Integrity (SI-7)" + description = "a. 
Employ integrity verification tools to detect unauthorized changes to the following software, firmware, and information: [Assignment: organization-defined software, firmware, and information]; and b. Take the following actions when unauthorized changes to the software, firmware, and information are detected: [Assignment: organization-defined actions]." + children = [ + benchmark.nist_800_53_rev_5_si_7_1, + benchmark.nist_800_53_rev_5_si_7_3, + benchmark.nist_800_53_rev_5_si_7_7, + benchmark.nist_800_53_rev_5_si_7_8, + benchmark.nist_800_53_rev_5_si_7_a + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_si_7_1" { + title = "SI-7(1) Integrity Checks" + description = "Perform an integrity check of [Assignment: organization-defined software, firmware, and information] [Selection (one or more): at startup; at [Assignment: organization-defined transitional states or security-relevant events]; [Assignment: organization-defined frequency]]." + children = [ + control.cloudtrail_trail_validation_enabled + ] + + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/CloudTrail" + }) +} + +benchmark "nist_800_53_rev_5_si_7_3" { + title = "SI-7(3) Centrally Managed Integrity Tools" + description = "Employ centrally managed integrity verification tools." + children = [ + control.cloudtrail_trail_validation_enabled + ] + + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/CloudTrail" + }) +} + +benchmark "nist_800_53_rev_5_si_7_7" { + title = "SI-7(7) Integration Of Detection And Response" + description = "Incorporate the detection of the following unauthorized changes into the organizational incident response capability: [Assignment: organization-defined security-relevant changes to the system]." 
+ children = [ + control.cloudtrail_trail_validation_enabled + ] + + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/CloudTrail" + }) +} + +benchmark "nist_800_53_rev_5_si_7_8" { + title = "SI-7(8) Auditing Capability For Significant Events" + description = "Upon detection of a potential integrity violation, provide the capability to audit the event and initiate the following actions: [Selection (one or more): generate an audit record; alert current user; alert [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined other actions]]." + children = [ + control.cloudtrail_multi_region_trail_enabled, + control.wafv2_web_acl_logging_enabled, + control.apigateway_stage_logging_enabled, + control.cloudtrail_trail_integrated_with_logs, + control.cloudtrail_trail_enabled, + control.cloudtrail_s3_data_events_enabled, + control.elb_application_classic_lb_logging_enabled, + control.rds_db_instance_logging_enabled, + control.redshift_cluster_encryption_logging_enabled, + control.s3_bucket_logging_enabled, + control.vpc_flow_logs_enabled + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_si_7_a" { + title = "SI-7(a)" + description = "Employ integrity verification tools to detect unauthorized changes to the following software, firmware, and information: [Assignment: organization-defined software, firmware, and information]." + children = [ + control.cloudtrail_trail_validation_enabled + ] + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/CloudTrail" + }) +} + +benchmark "nist_800_53_rev_5_si_10" { + title = "Information Input Validation (SI-10)" + description = "Check the validity of the following information inputs: [Assignment: organization-defined information inputs to the system]." 
+ children = [ + benchmark.nist_800_53_rev_5_si_10_1 + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_si_10_1" { + title = "SI-10(1) Manual Override Capability" + description = "a. Provide a manual override capability for input validation of the following information inputs: [Assignment: organization-defined inputs defined in the base control (SI-10)]; b. Restrict the use of the manual override capability to only [Assignment: organization-defined authorized individuals]; and c. Audit the use of the manual override capability." + children = [ + benchmark.nist_800_53_rev_5_si_10_1_c + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_si_10_1_c" { + title = "SI-10(1)(c)" + description = "Audit the use of the manual override capability." + children = [ + control.cloudtrail_multi_region_trail_enabled, + control.cloudtrail_s3_data_events_enabled, + control.cloudtrail_trail_enabled, + control.cloudtrail_trail_integrated_with_logs, + control.rds_db_instance_logging_enabled, + control.redshift_cluster_encryption_logging_enabled, + control.s3_bucket_logging_enabled + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_si_12" { + title = "Information Management and Retention (SI-12)" + description = "Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements." + children = [ + control.cloudwatch_log_group_retention_period_365 + ] + + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/CloudWatch" + }) +} + +benchmark "nist_800_53_rev_5_si_13" { + title = "Predictable Failure Prevention (SI-13)" + description = "a. Determine mean time to failure (MTTF) for the following system components in specific environments of operation: [Assignment: organization-defined system components]; and b. 
Provide substitute system components and a means to exchange active and standby components in accordance with the following criteria: Provide [Selection: real-time; near real-time] [Assignment: organization-defined failover capability] for the system.[Assignment: organization-defined MTTF substitution criteria]." + children = [ + benchmark.nist_800_53_rev_5_si_13_5 + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_si_13_5" { + title = "SI-13(5) Failover Capability" + description = "Provide [Selection: real-time; near real-time] [Assignment: organization-defined failover capability] for the system." + children = [ + control.dynamodb_table_auto_scaling_enabled, + control.dynamodb_table_in_backup_plan, + control.dynamodb_table_point_in_time_recovery_enabled, + control.ebs_volume_in_backup_plan, + control.efs_file_system_in_backup_plan, + control.elasticache_redis_cluster_automatic_backup_retention_15_days, + control.elb_classic_lb_cross_zone_load_balancing_enabled, + control.rds_db_instance_backup_enabled, + control.rds_db_instance_deletion_protection_enabled, + control.rds_db_instance_multiple_az_enabled, + control.rds_db_instance_protected_by_backup_plan, + control.redshift_cluster_automatic_snapshots_min_7_days, + control.s3_bucket_cross_region_replication_enabled, + control.s3_bucket_versioning_enabled, + control.vpc_vpn_tunnel_up + ] + + tags = local.nist_800_53_rev_5_common_tags +} + + +benchmark "nist_800_53_rev_5_si_19" { + title = "De-Identification (SI-19)" + description = "a. Remove the following elements of personally identifiable information from datasets: [Assignment: organization-defined elements of personally identifiable information]; and b. Evaluate [Assignment: organization-defined frequency] for effectiveness of de-identification." 
+ children = [ + benchmark.nist_800_53_rev_5_si_19_4 + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_si_19_4" { + title = "SI-19(4) Removal, Masking, Encryption, Hashing, Or Replacement Of Direct Identifiers" + description = "Remove, mask, encrypt, hash, or replace direct identifiers in a dataset." + children = [ + control.apigateway_stage_cache_encryption_at_rest_enabled, + control.cloudtrail_trail_logs_encrypted_with_kms_cmk, + control.dynamodb_table_encrypted_with_kms_cmk, + control.ebs_attached_volume_encryption_enabled, + control.ec2_ebs_default_encryption_enabled, + control.efs_file_system_encrypt_data_at_rest, + control.es_domain_encryption_at_rest_enabled, + control.log_group_encryption_at_rest_enabled, + control.rds_db_instance_encryption_at_rest_enabled, + control.rds_db_snapshot_encrypted_at_rest, + control.redshift_cluster_encryption_logging_enabled, + control.redshift_cluster_kms_enabled, + control.s3_bucket_default_encryption_enabled_kms, + control.s3_bucket_default_encryption_enabled, + control.sagemaker_endpoint_configuration_encryption_at_rest_enabled, + control.sagemaker_notebook_instance_encryption_at_rest_enabled, + control.secretsmanager_secret_encrypted_with_kms_cmk + ] + + tags = local.nist_800_53_rev_5_common_tags +} diff --git a/query/ec2/ec2_instance_iam_profile_attached.sql b/query/ec2/ec2_instance_iam_profile_attached.sql new file mode 100644 index 00000000..7e32e2c0 --- /dev/null +++ b/query/ec2/ec2_instance_iam_profile_attached.sql @@ -0,0 +1,16 @@ +select + -- Required Columns + arn as resource, + case + when iam_instance_profile_id is not null then 'ok' + else 'alarm' + end as status, + case + when iam_instance_profile_id is not null then title || ' IAM profile attached.' + else title || ' IAM profile not attached.' + end as reason, + -- Additional Dimensions + region, + account_id +from + aws_ec2_instance; \ No newline at end of file 
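Review bot: The status is derived only from `iam_instance_profile_id`, so every row of `aws_ec2_instance` is judged the same way regardless of instance state; if rows for terminated instances are still returned (they may be for a while after termination) they alarm with nothing left to remediate. If that is not intended, add a leading branch `when instance_state = 'terminated' then 'skip'` to both `case` expressions. A one-line header comment stating the control's intent, e.g. `-- An attached instance profile lets workloads use short-lived role credentials instead of static access keys on the host.`, would also help readers of this file.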
diff --git a/query/ec2/ec2_instance_protected_by_backup_plan.sql b/query/ec2/ec2_instance_protected_by_backup_plan.sql
index 9b4743ad..3b94a875 100644
--- a/query/ec2/ec2_instance_protected_by_backup_plan.sql
+++ b/query/ec2/ec2_instance_protected_by_backup_plan.sql
@@ -22,4 +22,4 @@ select
 i.account_id
 from
 aws_ec2_instance as i
- left join backup_protected_instance as b on i.arn = b.arn;
+ left join backup_protected_instance as b on i.arn = b.arn;
\ No newline at end of file
diff --git a/query/ec2/ec2_stopped_instance_30_days.sql b/query/ec2/ec2_stopped_instance_30_days.sql
index a1ab9a69..0c3eaf12 100644
--- a/query/ec2/ec2_stopped_instance_30_days.sql
+++ b/query/ec2/ec2_stopped_instance_30_days.sql
@@ -14,4 +14,4 @@ select
 region,
 account_id
 from
- aws_ec2_instance;
+ aws_ec2_instance;
\ No newline at end of file
diff --git a/query/iam/account_part_of_organizations.sql b/query/iam/account_part_of_organizations.sql
new file mode 100644
index 00000000..8ce857e5
--- /dev/null
+++ b/query/iam/account_part_of_organizations.sql
@@ -0,0 +1,16 @@
+select
+ -- Required Columns
+ arn as resource,
+ case
+ when organization_id is not null then 'ok'
+ else 'alarm'
+ end as status,
+ case
+ when organization_id is not null then title || ' is part of organization(s).'
+ else title || ' is not part of organization.'
+ end as reason,
+ -- Additional Dimensions
+ region,
+ account_id
+from
+ aws_account;
\ No newline at end of file
diff --git a/query/secretsmanager/secretsmanager_secret_encrypted_with_kms_cmk.sql b/query/secretsmanager/secretsmanager_secret_encrypted_with_kms_cmk.sql
new file mode 100644
index 00000000..d57a478e
--- /dev/null
+++ b/query/secretsmanager/secretsmanager_secret_encrypted_with_kms_cmk.sql
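Review bot: The `reason` text `' is part of organization(s).'` never names the organization, and an AWS account can be a member of at most one organization, so the plural is misleading and the finding is not actionable on its own. Include the identifier instead: `when organization_id is not null then title || ' is part of organization ' || organization_id || '.'`. The file is placed under `query/iam/` although it reads `aws_account`; a short header comment on why it is grouped with the IAM queries, or moving it beside the other account-level checks, would make the layout easier to navigate.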
@@ -0,0 +1,31 @@
+with encryption_keys as (
+ select
+ distinct s.arn,
+ k.aliases as alias
+ from
+ aws_secretsmanager_secret as s
+ left join aws_kms_key as k on k.arn = s.kms_key_id
+ where
+ k.aliases is not null
+)
+select
+ -- Required Columns
+ s.arn as resource,
+ case
+ when kms_key_id is null
+ or kms_key_id = 'alias/aws/secretsmanager'
+ or k.alias @> '[{"AliasName":"alias/aws/secretsmanager"}]'then 'ok'
+ else 'alarm'
+ end as status,
+ case
+ when kms_key_id is null
+ or kms_key_id = 'alias/aws/secretsmanager'
+ or k.alias @> '[{"AliasName":"alias/aws/secretsmanager"}]' then title || ' encrypted with CMK.'
+ else title || ' not encrypted with CMK.'
+ end as reason,
+ -- Additional Dimensions
+ region,
+ account_id
+from
+ aws_secretsmanager_secret as s
+ left join encryption_keys as k on s.arn = k.arn;
\ No newline at end of file
diff --git a/query/secretsmanager/secretsmanager_secret_unused_90_day.sql b/query/secretsmanager/secretsmanager_secret_unused_90_day.sql
new file mode 100644
index 00000000..7023c6ef
--- /dev/null
+++ b/query/secretsmanager/secretsmanager_secret_unused_90_day.sql
@@ -0,0 +1,18 @@
+select
+ -- Required Columns
+ arn as resource,
+ case
+ when last_accessed_date is null then 'alarm'
+ when date(current_date) - date(last_accessed_date) <= 90 then 'ok'
+ else 'alarm'
+ end as status,
+ case
+ when last_accessed_date is null then title || ' never accessed.'
+ else
+ title || ' last used ' || extract(day from current_timestamp - last_accessed_date) || ' day(s) ago.'
+ end as reason,
+ -- Additional Dimensions
+ region,
+ account_id
+from
+ aws_secretsmanager_secret;
\ No newline at end of file
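Review bot: The status logic is inverted relative to the file name: a secret whose `kms_key_id` is null or resolves to `alias/aws/secretsmanager` is the one protected by the AWS-managed key rather than a customer-managed key, yet both `case` expressions report exactly those secrets as `'ok'` with the reason `' encrypted with CMK.'`, while secrets using a customer key fall through to `'alarm'`. Swap the branches: `then 'alarm' else 'ok'` for status, and `then title || ' not encrypted with CMK.' else title || ' encrypted with CMK.'` for reason. Note also that `encryption_keys` joins `aws_kms_key` on `k.arn = s.kms_key_id`, so a `kms_key_id` stored as a bare key ID or alias rather than an ARN never resolves to an alias and lands in the `else` branch, i.e. it is treated as a customer-managed key; that may be acceptable, but a comment on the CTE saying so would save the next reader from re-deriving it.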
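Review bot: A secret that has never been read alarms regardless of its age (`when last_accessed_date is null then 'alarm'`), so a secret created yesterday is reported as unused for 90 days; if the intent is to flag staleness, age never-accessed secrets from their creation date instead, e.g. `when date(current_date) - date(coalesce(last_accessed_date, created_date)) <= 90 then 'ok'`, and word the null reason as `' never accessed since creation.'`. The status compares calendar dates while the reason uses `current_timestamp - last_accessed_date`, so on the boundary day the two can disagree by one; using the same expression in both keeps status and reason consistent. The 90-day threshold appears only as a literal in the predicate and in the file name; a header comment stating where it comes from would document the magic number.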