From 5953f97f0452fc78e29bc20c7a362f5846658210 Mon Sep 17 00:00:00 2001 From: Khushboo Date: Fri, 20 May 2022 14:50:56 +0530 Subject: [PATCH 01/20] initial commit
---
nist_800_53_rev_5/ac.sp | 1385 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 1385 insertions(+) create mode 100644 nist_800_53_rev_5/ac.sp
diff --git a/nist_800_53_rev_5/ac.sp b/nist_800_53_rev_5/ac.sp new file mode 100644
index 00000000..410e9102
--- /dev/null
+++ b/nist_800_53_rev_5/ac.sp
@@ -0,0 +1,1385 @@ +benchmark "nist_800_53_rev_5_ac" { + title = benchmark.nist_800_53_rev_4_ac.title + description = benchmark.nist_800_53_rev_4_ac.description + children = [ + benchmark.nist_800_53_rev_5_ac_2, + benchmark.nist_800_53_rev_5_ac_3, + benchmark.nist_800_53_rev_5_ac_4, + benchmark.nist_800_53_rev_5_ac_5, + benchmark.nist_800_53_rev_5_ac_6, + benchmark.nist_800_53_rev_5_ac_7, + benchmark.nist_800_53_rev_5_ac_16, + benchmark.nist_800_53_rev_5_ac_17, + benchmark.nist_800_53_rev_5_ac_24 + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ac_2" { + title = benchmark.nist_800_53_rev_4_ac_2.title + description = benchmark.nist_800_53_rev_4_ac_2.description + children = [ + benchmark.nist_800_53_rev_5_ac_2_1, + benchmark.nist_800_53_rev_5_ac_2_12, + benchmark.nist_800_53_rev_5_ac_2_3, + benchmark.nist_800_53_rev_5_ac_2_4, + benchmark.nist_800_53_rev_5_ac_2_6, + benchmark.nist_800_53_rev_5_ac_2_d_1, + benchmark.nist_800_53_rev_5_ac_2_i_2, + benchmark.nist_800_53_rev_5_ac_2_g, + benchmark.nist_800_53_rev_5_ac_2_j, + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ac_2_d_1" { + title = "AC-2d.1" + description = "d. Specify: 1. Authorized users of the system;personnel termination and transfer processes." + children = [ + control.iam_account_password_policy_min_length_14 + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ac_2_g" { + title = "AC-2(g)" + description = "The organization: g. Monitors the use of information system accounts." + children = [ + control.iam_user_unused_credentials_90 + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ac_2_i_2" { + title = "AC-2i.2" + description = "i. Authorize access to the system based on: 2. 
Intended system usage;" + children = [ + control.iam_group_user_role_no_inline_policies, + control.iam_policy_no_star_star, + control.iam_user_in_group, + control.iam_user_no_inline_attached_policies + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ac_2_j" { + title = "AC-2(j)" + description = "The organization: j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]." + children = [ + control.iam_user_unused_credentials_90, + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ac_2_1" { + title = "AC-2(1) Automated System Account Management" + description = "Support the management of system accounts using [Assignment: organization-defined automated mechanisms]." + children = [ + control.iam_group_user_role_no_inline_policies, + control.iam_user_access_key_age_90, + control.iam_account_password_policy_min_length_14, + control.iam_policy_no_star_star, + control.iam_root_user_no_access_keys, + control.iam_user_in_group, + control.iam_user_mfa_enabled, + control.iam_user_no_inline_attached_policies, + control.iam_user_unused_credentials_90, + control.iam_user_console_access_mfa_enabled, + control.iam_root_user_hardware_mfa_enabled, + control.iam_root_user_mfa_enabled, + control.secretsmanager_secret_automatic_rotation_enabled, + control.secretsmanager_secret_rotated_as_scheduled + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ac_2_3" { + title = "AC-2(3) Disable Accounts" + description = "Disable accounts within [Assignment: organization-defined time period] when the accounts: (a) Have expired; (b) Are no longer associated with a user or individual; (c) Are in violation of organizational policy; or (d) Have been inactive for [Assignment: organization-defined time period]." 
+ children = [ + control.iam_account_password_policy_min_length_14, + control.iam_user_unused_credentials_90, + benchmark.nist_800_53_rev_5_ac_2_3_a, + benchmark.nist_800_53_rev_5_ac_2_3_b, + benchmark.nist_800_53_rev_5_ac_2_3_c, + benchmark.nist_800_53_rev_5_ac_2_3_d, + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ac_2_3_a" { + title = "AC-2(3)(a)" + description = "Disable accounts within [Assignment: organization-defined time period] when the accounts: (a) Have expired;" + children = [ + control.iam_user_unused_credentials_90, + control.iam_account_password_policy_min_length_14 + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ac_2_3_b" { + title = "AC-2(3)(b)" + description = "Disable accounts within [Assignment: organization-defined time period] when the accounts: (b) Are no longer associated with a user or individual;" + children = [ + control.iam_user_unused_credentials_90, + control.iam_account_password_policy_min_length_14 + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ac_2_3_c" { + title = "AC-2(3)(c)" + description = "Disable accounts within [Assignment: organization-defined time period] when the accounts: (c) Are in violation of organizational policy;" + children = [ + control.iam_user_unused_credentials_90, + control.iam_account_password_policy_min_length_14 + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ac_2_3_d" { + title = "AC-2(3)(d)" + description = "Disable accounts within [Assignment: organization-defined time period] when the accounts: (d) Have been inactive for [Assignment: organization-defined time period]." 
+ children = [ + control.iam_user_unused_credentials_90, + control.iam_account_password_policy_min_length_14 + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ac_2_4" { + title = "AC-2(4) Automated Audit Actions" + description = "Automatically audit account creation, modification, enabling, disabling, and removal actions." + children = [ + control.cloudtrail_multi_region_trail_enabled, + control.cloudtrail_s3_data_events_enabled, + control.cloudtrail_trail_enabled, + control.cloudtrail_trail_integrated_with_logs, + control.rds_db_instance_logging_enabled, + control.redshift_cluster_encryption_logging_enabled, + control.s3_bucket_logging_enabled + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ac_2_6" { + title = "AC-2(6) Dynamic Privilege Management" + description = "Implement [Assignment: organization-defined dynamic privilege management capabilities]." + children = [ + control.ec2_instance_uses_imdsv2, + control.iam_group_user_role_no_inline_policies, + control.ec2_instance_in_vpc, + control.dms_replication_instance_not_publicly_accessible, + control.ebs_snapshot_not_publicly_restorable, + control.ec2_instance_not_publicly_accessible, + control.es_domain_in_vpc, + control.emr_cluster_master_nodes_no_public_ip, + control.iam_policy_no_star_star, + control.iam_root_user_no_access_keys, + control.iam_user_in_group, + control.iam_user_no_inline_attached_policies, + control.iam_user_unused_credentials_90, + control.lambda_function_in_vpc, + control.lambda_function_restrict_public_access, + control.rds_db_instance_prohibit_public_access, + control.rds_db_snapshot_prohibit_public_access, + control.redshift_cluster_prohibit_public_access, + control.s3_bucket_restrict_public_read_access, + control.s3_bucket_restrict_public_write_access, + control.s3_public_access_block_account, + control.s3_public_access_block_bucket, + control.sagemaker_notebook_instance_direct_internet_access_disabled, + 
control.vpc_subnet_auto_assign_public_ip_disabled, + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ac_2_12" { + title = benchmark.nist_800_53_rev_4_ac_2_12.title + description = benchmark.nist_800_53_rev_4_ac_2_12.description + children = [ + benchmark.nist_800_53_rev_5_ac_2_12_a + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ac_2_12_a" { + title = "AC-2(12)(a)" + description = "(a) Monitor system accounts for [Assignment: organization-defined atypical usage]" + children = [ + control.guardduty_enabled, + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ac_3" { + title = "Access Enforcement (AC-3)" + description = "Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies." + children = [ + control.autoscaling_launch_config_public_ip_disabled, + control.ec2_instance_uses_imdsv2, + control.ecs_task_definition_user_for_host_mode_check, + control.iam_group_user_role_no_inline_policies, + control.iam_all_policy_no_service_wild_card, + control.dms_replication_instance_not_publicly_accessible, + control.ebs_snapshot_not_publicly_restorable, + control.ec2_instance_not_publicly_accessible, + control.es_domain_in_vpc, + control.emr_cluster_master_nodes_no_public_ip, + control.iam_policy_no_star_star, + control.iam_user_in_group, + control.iam_user_no_inline_attached_policies, + control.iam_user_unused_credentials_90, + control.lambda_function_restrict_public_access, + control.lambda_function_in_vpc, + control.rds_db_instance_prohibit_public_access, + control.rds_db_snapshot_prohibit_public_access, + control.redshift_cluster_prohibit_public_access, + control.s3_bucket_restrict_public_read_access, + control.s3_bucket_restrict_public_write_access, + control.s3_public_access_block_account, + control.s3_public_access_block_bucket, + 
control.sagemaker_notebook_instance_direct_internet_access_disabled, + control.vpc_subnet_auto_assign_public_ip_disabled, + benchmark.nist_800_53_rev_5_ac_3_1, + benchmark.nist_800_53_rev_5_ac_3_2, + benchmark.nist_800_53_rev_5_ac_3_3, + benchmark.nist_800_53_rev_5_ac_3_4, + benchmark.nist_800_53_rev_5_ac_3_7, + benchmark.nist_800_53_rev_5_ac_3_8, + benchmark.nist_800_53_rev_5_ac_3_10, + benchmark.nist_800_53_rev_5_ac_3_12, + benchmark.nist_800_53_rev_5_ac_3_13, + benchmark.nist_800_53_rev_5_ac_3_15 + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ac_3_1" { + title = "AC-3(1) Restricted Access To Privileged Functions" + description = "Employ an audited override of automated access control mechanisms under [Assignment: organization-defined conditions] by [Assignment: organization-defined roles]." + children = [ + control.cloudtrail_multi_region_trail_enabled, + control.cloudtrail_trail_integrated_with_logs, + control.cloudtrail_trail_enabled, + control.cloudtrail_s3_data_events_enabled, + control.rds_db_instance_logging_enabled, + control.redshift_cluster_encryption_logging_enabled, + control.s3_bucket_logging_enabled + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ac_3_2" { + title = "AC-3(2) Dual Authorization" + description = "Enforce dual authorization for [Assignment: organization-defined privileged commands and/or other organization-defined actions]." 
+ children = [ + control.iam_user_mfa_enabled, + control.iam_user_console_access_mfa_enabled, + control.iam_root_user_hardware_mfa_enabled, + control.iam_root_user_mfa_enabled + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ac_3_3" { + title = "AC-3(3) Mandatory Access Control" + description = "Enforce [Assignment: organization-defined mandatory access control policy] over the set of covered subjects and objects specified in the policy, and where the policy: (a) Is uniformly enforced across the covered subjects and objects within the system; (b) Specifies that a subject that has been granted access to information is constrained from doing any of the following; (1) Passing the information to unauthorized subjects or objects; (2) Granting its privileges to other subjects; (3) Changing one or more security attributes (specified by the policy) on subjects, objects, the system, or system components; (4) Choosing the security attributes and attribute values (specified by the policy) to be associated with newly created or modified objects; and (5) Changing the rules governing access control; and (c) Specifies that [Assignment: organization-defined subjects] may explicitly be granted [Assignment: organization-defined privileges] such that they are not limited by any defined subset (or all) of the above constraints." 
+ children = [ + control.ec2_instance_uses_imdsv2, + control.iam_group_user_role_no_inline_policies, + control.iam_user_access_key_age_90, + control.iam_account_password_policy_min_length_14, + control.iam_policy_no_star_star, + control.iam_root_user_no_access_keys, + control.iam_user_in_group, + control.iam_user_mfa_enabled, + control.iam_user_no_inline_attached_policies, + control.iam_user_unused_credentials_90, + control.iam_user_console_access_mfa_enabled, + control.iam_root_user_hardware_mfa_enabled, + control.iam_root_user_mfa_enabled, + control.secretsmanager_secret_automatic_rotation_enabled, + control.secretsmanager_secret_rotated_as_scheduled, + benchmark.nist_800_53_rev_5_ac_3_3_a, + benchmark.nist_800_53_rev_5_ac_3_3_b_1, + benchmark.nist_800_53_rev_5_ac_3_3_b_2, + benchmark.nist_800_53_rev_5_ac_3_3_b_3, + benchmark.nist_800_53_rev_5_ac_3_3_b_4, + benchmark.nist_800_53_rev_5_ac_3_3_b_5, + benchmark.nist_800_53_rev_5_ac_3_3_c, + + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ac_3_3_a" { + title = "AC-3(3)(a)" + description = "Enforce [Assignment: organization-defined mandatory access policy] over the set of covered subjects and objects specified in the policy, and where the policy: (a) Is uniformly enforced across the covered subjects and objects within the system;" + children = [ + control.ec2_instance_uses_imdsv2, + control.iam_group_user_role_no_inline_policies, + control.iam_user_access_key_age_90, + control.iam_account_password_policy_min_length_14, + control.iam_policy_no_star_star, + control.iam_root_user_no_access_keys, + control.iam_user_in_group, + control.iam_user_mfa_enabled, + control.iam_user_no_inline_attached_policies, + control.iam_user_unused_credentials_90, + control.iam_user_console_access_mfa_enabled, + control.iam_root_user_hardware_mfa_enabled, + control.iam_root_user_mfa_enabled, + control.secretsmanager_secret_automatic_rotation_enabled, + control.secretsmanager_secret_rotated_as_scheduled + 
+ ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ac_3_3_b_1" { + title = "AC-3(3)(b)(1)" + description = "Enforce [Assignment: organization-defined mandatory access policy] over the set of covered subjects and objects specified in the policy, and where the policy: (b) Specifies that a subject that has been granted access to information is constrained from doing any of the following; (1) Passing the information to unauthorized subjects or objects;" + children = [ + control.ec2_instance_uses_imdsv2, + control.iam_group_user_role_no_inline_policies, + control.iam_user_access_key_age_90, + control.iam_account_password_policy_min_length_14, + control.iam_policy_no_star_star, + control.iam_root_user_no_access_keys, + control.iam_user_in_group, + control.iam_user_mfa_enabled, + control.iam_user_no_inline_attached_policies, + control.iam_user_unused_credentials_90, + control.iam_user_console_access_mfa_enabled, + control.iam_root_user_hardware_mfa_enabled, + control.iam_root_user_mfa_enabled, + control.secretsmanager_secret_automatic_rotation_enabled, + control.secretsmanager_secret_rotated_as_scheduled + + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ac_3_3_b_2" { + title = "AC-3(3)(b)(2)" + description = "Enforce [Assignment: organization-defined mandatory access policy] over the set of covered subjects and objects specified in the policy, and where the policy: (b) Specifies that a subject that has been granted access to information is constrained from doing any of the following; (2) Granting its privileges to other subjects;" + children = [ + control.ec2_instance_uses_imdsv2, + control.iam_group_user_role_no_inline_policies, + control.iam_user_access_key_age_90, + control.iam_account_password_policy_min_length_14, + control.iam_policy_no_star_star, + control.iam_root_user_no_access_keys, + control.iam_user_in_group, + control.iam_user_mfa_enabled, + control.iam_user_no_inline_attached_policies, 
+ control.iam_user_unused_credentials_90, + control.iam_user_console_access_mfa_enabled, + control.iam_root_user_hardware_mfa_enabled, + control.iam_root_user_mfa_enabled, + control.secretsmanager_secret_automatic_rotation_enabled, + control.secretsmanager_secret_rotated_as_scheduled + + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ac_3_3_b_3" { + title = "AC-3(3)(b)(3)" + description = "Enforce [Assignment: organization-defined mandatory access policy] over the set of covered subjects and objects specified in the policy, and where the policy: (b) Specifies that a subject that has been granted access to information is constrained from doing any of the following; (3) Changing one or more security attributes (specified by the policy) on subjects, objects, the system, or system components;" + children = [ + control.ec2_instance_uses_imdsv2, + control.iam_group_user_role_no_inline_policies, + control.iam_user_access_key_age_90, + control.iam_account_password_policy_min_length_14, + control.iam_policy_no_star_star, + control.iam_root_user_no_access_keys, + control.iam_user_in_group, + control.iam_user_mfa_enabled, + control.iam_user_no_inline_attached_policies, + control.iam_user_unused_credentials_90, + control.iam_user_console_access_mfa_enabled, + control.iam_root_user_hardware_mfa_enabled, + control.iam_root_user_mfa_enabled, + control.secretsmanager_secret_automatic_rotation_enabled, + control.secretsmanager_secret_rotated_as_scheduled + + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ac_3_3_b_4" { + title = "AC-3(3)(b)(4)" + description = "Enforce [Assignment: organization-defined mandatory access policy] over the set of covered subjects and objects specified in the policy, and where the policy: (b) Specifies that a subject that has been granted access to information is constrained from doing any of the following; (4) Choosing the security attributes and attribute values (specified by the 
policy) to be associated with newly created or modified objects;" + children = [ + control.ec2_instance_uses_imdsv2, + control.iam_group_user_role_no_inline_policies, + control.iam_user_access_key_age_90, + control.iam_account_password_policy_min_length_14, + control.iam_policy_no_star_star, + control.iam_root_user_no_access_keys, + control.iam_user_in_group, + control.iam_user_mfa_enabled, + control.iam_user_no_inline_attached_policies, + control.iam_user_unused_credentials_90, + control.iam_user_console_access_mfa_enabled, + control.iam_root_user_hardware_mfa_enabled, + control.iam_root_user_mfa_enabled, + control.secretsmanager_secret_automatic_rotation_enabled, + control.secretsmanager_secret_rotated_as_scheduled + + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ac_3_3_b_5" { + title = "AC-3(3)(b)(5)" + description = "Enforce [Assignment: organization-defined mandatory access policy] over the set of covered subjects and objects specified in the policy, and where the policy: (b) Specifies that a subject that has been granted access to information is constrained from doing any of the following; (5) Changing the rules governing access;" + children = [ + control.ec2_instance_uses_imdsv2, + control.iam_group_user_role_no_inline_policies, + control.iam_user_access_key_age_90, + control.iam_account_password_policy_min_length_14, + control.iam_policy_no_star_star, + control.iam_root_user_no_access_keys, + control.iam_user_in_group, + control.iam_user_mfa_enabled, + control.iam_user_no_inline_attached_policies, + control.iam_user_unused_credentials_90, + control.iam_user_console_access_mfa_enabled, + control.iam_root_user_hardware_mfa_enabled, + control.iam_root_user_mfa_enabled, + control.secretsmanager_secret_automatic_rotation_enabled, + control.secretsmanager_secret_rotated_as_scheduled + + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ac_3_3_c" { + title = "AC-3(3)(c)" + description = 
"Enforce [Assignment: organization-defined mandatory access policy] over the set of covered subjects and objects specified in the policy, and where the policy: (c) Specifies that [Assignment: organization-defined subjects] may explicitly be granted [Assignment: organization-defined privileges] such that they are not limited by any defined subset (or all) of the above constraints." + children = [ + control.ec2_instance_uses_imdsv2, + control.iam_group_user_role_no_inline_policies, + control.iam_user_access_key_age_90, + control.iam_account_password_policy_min_length_14, + control.iam_policy_no_star_star, + control.iam_root_user_no_access_keys, + control.iam_user_in_group, + control.iam_user_mfa_enabled, + control.iam_user_no_inline_attached_policies, + control.iam_user_unused_credentials_90, + control.iam_user_console_access_mfa_enabled, + control.iam_root_user_hardware_mfa_enabled, + control.iam_root_user_mfa_enabled, + control.secretsmanager_secret_automatic_rotation_enabled, + control.secretsmanager_secret_rotated_as_scheduled + + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ac_3_4" { + title = "AC-3(4) Discretionary Access Control" + description = "Enforce [Assignment: organization-defined discretionary access control policy] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: (a) Pass the information to any other subjects or objects; (b) Grant its privileges to other subjects; (c) Change security attributes on subjects, objects, the system, or the system’s components; (d) Choose the security attributes to be associated with newly created or revised objects; or (e) Change the rules governing access control." 
+ children = [ + control.ec2_instance_uses_imdsv2, + control.iam_group_user_role_no_inline_policies, + control.iam_user_access_key_age_90, + control.iam_account_password_policy_min_length_14, + control.iam_policy_no_star_star, + control.iam_root_user_no_access_keys, + control.iam_user_in_group, + control.iam_user_mfa_enabled, + control.iam_user_no_inline_attached_policies, + control.iam_user_unused_credentials_90, + control.iam_user_console_access_mfa_enabled, + control.iam_root_user_hardware_mfa_enabled, + control.iam_root_user_mfa_enabled, + control.secretsmanager_secret_automatic_rotation_enabled, + control.secretsmanager_secret_rotated_as_scheduled, + benchmark.nist_800_53_rev_5_ac_3_4_a, + benchmark.nist_800_53_rev_5_ac_3_4_b, + benchmark.nist_800_53_rev_5_ac_3_4_c, + benchmark. nist_800_53_rev_5_ac_3_4_d, + benchmark.nist_800_53_rev_5_ac_3_4_e + + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ac_3_4_a" { + title = "AC-3(4)(a)" + description = "Enforce [Assignment: organization-defined discretionary access policy] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: (a) Pass the information to any other subjects or objects;" + children = [ + control.ec2_instance_uses_imdsv2, + control.iam_group_user_role_no_inline_policies, + control.iam_user_access_key_age_90, + control.iam_account_password_policy_min_length_14, + control.iam_policy_no_star_star, + control.iam_root_user_no_access_keys, + control.iam_user_in_group, + control.iam_user_mfa_enabled, + control.iam_user_no_inline_attached_policies, + control.iam_user_unused_credentials_90, + control.iam_user_console_access_mfa_enabled, + control.iam_root_user_hardware_mfa_enabled, + control.iam_root_user_mfa_enabled, + control.secretsmanager_secret_automatic_rotation_enabled, + control.secretsmanager_secret_rotated_as_scheduled, + ] + + 
tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ac_3_4_b" { + title = "AC-3(4)(b)" + description = "Enforce [Assignment: organization-defined discretionary access policy] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: (b) Grant its privileges to other subjects;" + children = [ + control.ec2_instance_uses_imdsv2, + control.iam_group_user_role_no_inline_policies, + control.iam_user_access_key_age_90, + control.iam_account_password_policy_min_length_14, + control.iam_policy_no_star_star, + control.iam_root_user_no_access_keys, + control.iam_user_in_group, + control.iam_user_mfa_enabled, + control.iam_user_no_inline_attached_policies, + control.iam_user_unused_credentials_90, + control.iam_user_console_access_mfa_enabled, + control.iam_root_user_hardware_mfa_enabled, + control.iam_root_user_mfa_enabled, + control.secretsmanager_secret_automatic_rotation_enabled, + control.secretsmanager_secret_rotated_as_scheduled, + benchmark.nist_800_53_rev_5_ac_3_4_a + + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ac_3_4_c" { + title = "AC-3(4)(c)" + description = "Enforce [Assignment: organization-defined discretionary access policy] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: (c) Change security attributes on subjects, objects, the system, or the system’s components;" + children = [ + control.ec2_instance_uses_imdsv2, + control.iam_group_user_role_no_inline_policies, + control.iam_user_access_key_age_90, + control.iam_account_password_policy_min_length_14, + control.iam_policy_no_star_star, + control.iam_root_user_no_access_keys, + control.iam_user_in_group, + control.iam_user_mfa_enabled, + 
control.iam_user_no_inline_attached_policies, + control.iam_user_unused_credentials_90, + control.iam_user_console_access_mfa_enabled, + control.iam_root_user_hardware_mfa_enabled, + control.iam_root_user_mfa_enabled, + control.secretsmanager_secret_automatic_rotation_enabled, + control.secretsmanager_secret_rotated_as_scheduled, + benchmark.nist_800_53_rev_5_ac_3_4_a + + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ac_3_4_d" { + title = "AC-3(4)(d)" + description = "Enforce [Assignment: organization-defined discretionary access policy] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: (d) Choose the security attributes to be associated with newly created or revised objects;" + children = [ + control.ec2_instance_uses_imdsv2, + control.iam_group_user_role_no_inline_policies, + control.iam_user_access_key_age_90, + control.iam_account_password_policy_min_length_14, + control.iam_policy_no_star_star, + control.iam_root_user_no_access_keys, + control.iam_user_in_group, + control.iam_user_mfa_enabled, + control.iam_user_no_inline_attached_policies, + control.iam_user_unused_credentials_90, + control.iam_user_console_access_mfa_enabled, + control.iam_root_user_hardware_mfa_enabled, + control.iam_root_user_mfa_enabled, + control.secretsmanager_secret_automatic_rotation_enabled, + control.secretsmanager_secret_rotated_as_scheduled, + benchmark.nist_800_53_rev_5_ac_3_4_a + + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ac_3_4_e" { + title = "AC-3(4)(e)" + description = "Enforce [Assignment: organization-defined discretionary access policy] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: (e) Change the 
rules governing access." + children = [ + control.ec2_instance_uses_imdsv2, + control.iam_group_user_role_no_inline_policies, + control.iam_user_access_key_age_90, + control.iam_account_password_policy_min_length_14, + control.iam_policy_no_star_star, + control.iam_root_user_no_access_keys, + control.iam_user_in_group, + control.iam_user_mfa_enabled, + control.iam_user_no_inline_attached_policies, + control.iam_user_unused_credentials_90, + control.iam_user_console_access_mfa_enabled, + control.iam_root_user_hardware_mfa_enabled, + control.iam_root_user_mfa_enabled, + control.secretsmanager_secret_automatic_rotation_enabled, + control.secretsmanager_secret_rotated_as_scheduled, + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ac_3_7" { + title = "AC-3(7) Role-Based Access Control" + description = "Enforce a role-based access control policy over defined subjects and objects and control access based upon [Assignment: organization-defined roles and users authorized to assume such roles]." 
+ children = [ + control.ec2_instance_uses_imdsv2, + control.iam_group_user_role_no_inline_policies, + control.ec2_instance_in_vpc, + control.dms_replication_instance_not_publicly_accessible, + control.ebs_snapshot_not_publicly_restorable, + control.ec2_instance_not_publicly_accessible, + control.es_domain_in_vpc, + control.iam_policy_no_star_star, + control.emr_cluster_master_nodes_no_public_ip, + control.iam_root_user_no_access_keys, + control.iam_user_in_group, + control.iam_user_no_inline_attached_policies, + control.iam_user_unused_credentials_90, + control.lambda_function_in_vpc, + control.lambda_function_restrict_public_access, + control.rds_db_instance_prohibit_public_access, + control.rds_db_snapshot_prohibit_public_access, + control.redshift_cluster_prohibit_public_access, + control.s3_bucket_restrict_public_read_access, + control.s3_bucket_restrict_public_write_access, + control.s3_public_access_block_account, + control.s3_public_access_block_bucket, + control.sagemaker_notebook_instance_direct_internet_access_disabled, + control.vpc_subnet_auto_assign_public_ip_disabled, + + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ac_3_8" { + title = "AC-3(8) Revocation Of Access Authorizations" + description = "Enforce the revocation of access authorizations resulting from changes to the security attributes of subjects and objects based on [Assignment: organization-defined rules governing the timing of revocations of access authorizations]." 
+ children = [ + control.ec2_instance_uses_imdsv2, + control.iam_group_user_role_no_inline_policies, + control.iam_user_access_key_age_90, + control.iam_account_password_policy_min_length_14, + control.iam_policy_no_star_star, + control.iam_root_user_no_access_keys, + control.iam_user_in_group, + control.iam_user_mfa_enabled, + control.iam_user_no_inline_attached_policies, + control.iam_user_unused_credentials_90, + control.iam_user_console_access_mfa_enabled, + control.iam_root_user_hardware_mfa_enabled, + control.iam_root_user_mfa_enabled, + control.secretsmanager_secret_automatic_rotation_enabled, + control.secretsmanager_secret_rotated_as_scheduled, + + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ac_3_10" { + title = "AC-3(8) Revocation Of Access Authorizations" + description = "Employ an audited override of automated access mechanisms under [Assignment: organization-defined conditions] by [Assignment: organization-defined roles]." + children = [ + control.cloudtrail_multi_region_trail_enabled, + control.cloudtrail_trail_integrated_with_logs, + control.cloudtrail_trail_enabled, + control.cloudtrail_s3_data_events_enabled, + control.rds_db_instance_logging_enabled, + control.redshift_cluster_encryption_logging_enabled, + control.s3_bucket_logging_enabled + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ac_3_12" { + title = "AC-3(12) Assert And Enforce Application Access" + description = "a. Require applications to assert, as part of the installation process, the access needed to the following system applications and functions: [Assignment: organization-defined system applications and functions];b. Provide an enforcement mechanism to prevent unauthorized access; and c. Approve access changes after initial installation of the application." 
+ children = [
+ benchmark.nist_800_53_rev_5_ac_3_12_a,
+ benchmark.nist_800_53_rev_5_ac_3_12_b
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ac_3_12_a" {
+ title = "AC-3(12)(a)"
+ description = "(a) Require applications to assert, as part of the installation process, the access needed to the following system applications and functions: [Assignment: organization-defined system applications and functions];"
+ children = [
+ control.ec2_instance_uses_imdsv2,
+ control.iam_group_user_role_no_inline_policies,
+ control.iam_user_access_key_age_90,
+ control.iam_account_password_policy_min_length_14,
+ control.iam_policy_no_star_star,
+ control.iam_root_user_no_access_keys,
+ control.iam_user_in_group,
+ control.iam_user_mfa_enabled,
+ control.iam_user_no_inline_attached_policies,
+ control.iam_user_unused_credentials_90,
+ control.iam_user_console_access_mfa_enabled,
+ control.iam_root_user_hardware_mfa_enabled,
+ control.iam_root_user_mfa_enabled,
+ control.secretsmanager_secret_automatic_rotation_enabled,
+ control.secretsmanager_secret_rotated_as_scheduled,
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ac_3_12_b" {
+ title = "AC-3(12)(b)"
+ description = "(b) Provide an enforcement mechanism to prevent unauthorized access;"
+ children = [
+ control.guardduty_enabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ac_3_13" {
+ title = "AC-3(13) Attribute-Based Access Control"
+ description = "Enforce attribute-based access control policy over defined subjects and objects and control access based upon [Assignment: organization-defined attributes to assume access permissions]."
+ children = [
+ control.ec2_instance_uses_imdsv2,
+ control.iam_group_user_role_no_inline_policies,
+ control.iam_user_access_key_age_90,
+ control.iam_account_password_policy_min_length_14,
+ control.iam_policy_no_star_star,
+ control.iam_root_user_no_access_keys,
+ control.iam_user_in_group,
+ control.iam_user_mfa_enabled,
+ control.iam_user_no_inline_attached_policies,
+ control.iam_user_unused_credentials_90,
+ control.iam_user_console_access_mfa_enabled,
+ control.iam_root_user_hardware_mfa_enabled,
+ control.iam_root_user_mfa_enabled,
+ control.secretsmanager_secret_automatic_rotation_enabled,
+ control.secretsmanager_secret_rotated_as_scheduled,
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ac_3_15" {
+ title = "AC-3(15) Discretionary And Mandatory Access Control"
+ description = "a. Enforce [Assignment: organization-defined mandatory access control policy] over the set of covered subjects and objects specified in the policy; and b. Enforce [Assignment: organization-defined discretionary access control policy] over the set of covered subjects and objects specified in the policy"
+ children = [
+ benchmark.nist_800_53_rev_5_ac_3_15_a,
+ benchmark.nist_800_53_rev_5_ac_3_15_b
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ac_3_15_a" {
+ title = "AC-3(15)(a)"
+ description = "(a) Enforce [Assignment: organization-defined mandatory access control policy] over the set of covered subjects and objects specified in the policy;"
+ children = [
+ control.ec2_instance_uses_imdsv2,
+ control.iam_group_user_role_no_inline_policies,
+ control.iam_user_access_key_age_90,
+ control.iam_account_password_policy_min_length_14,
+ control.iam_policy_no_star_star,
+ control.iam_root_user_no_access_keys,
+ control.iam_user_in_group,
+ control.iam_user_mfa_enabled,
+ control.iam_user_no_inline_attached_policies,
+ control.iam_user_unused_credentials_90,
+ control.iam_user_console_access_mfa_enabled,
+ control.iam_root_user_hardware_mfa_enabled,
+ control.iam_root_user_mfa_enabled,
+ control.secretsmanager_secret_automatic_rotation_enabled,
+ control.secretsmanager_secret_rotated_as_scheduled,
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ac_3_15_b" {
+ title = "AC-3(15)(b)"
+ description = "(b) Enforce [Assignment: organization-defined discretionary access control policy] over the set of covered subjects and objects specified in the policy."
+ children = [
+ control.ec2_instance_uses_imdsv2,
+ control.iam_group_user_role_no_inline_policies,
+ control.iam_user_access_key_age_90,
+ control.iam_account_password_policy_min_length_14,
+ control.iam_policy_no_star_star,
+ control.iam_root_user_no_access_keys,
+ control.iam_user_in_group,
+ control.iam_user_mfa_enabled,
+ control.iam_user_no_inline_attached_policies,
+ control.iam_user_unused_credentials_90,
+ control.iam_user_console_access_mfa_enabled,
+ control.iam_root_user_hardware_mfa_enabled,
+ control.iam_root_user_mfa_enabled,
+ control.secretsmanager_secret_automatic_rotation_enabled,
+ control.secretsmanager_secret_rotated_as_scheduled,
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ac_4" {
+ title = "Information Flow Enforcement (AC-4)"
+ description = "Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on [Assignment: organization-defined information flow control policies]."
+ children = [
+ control.es_domain_node_to_node_encryption_enabled,
+ control.elb_classic_lb_use_tls_https_listeners,
+ control.apigateway_rest_api_stage_use_ssl_certificate,
+ control.elb_application_lb_redirect_http_request_to_https,
+ control.elb_classic_lb_use_ssl_certificate,
+ control.redshift_cluster_encryption_in_transit_enabled,
+ control.s3_bucket_enforces_ssl,
+ benchmark.nist_800_53_rev_5_ac_4_21,
+ benchmark.nist_800_53_rev_5_ac_4_22,
+ benchmark.nist_800_53_rev_5_ac_4_26,
+ benchmark.nist_800_53_rev_5_ac_4_28
+
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ac_4_21" {
+ title = "AC-4(21) Physical Or Logical Separation Of Infomation Flows"
+ description = "Separate information flows logically or physically using [Assignment: organization-defined mechanisms and/or techniques] to accomplish [Assignment: organization-defined required separations by types of information]."
+ children = [
+ control.elb_application_lb_waf_enabled,
+ control.apigateway_stage_use_waf_web_acl,
+ control.autoscaling_launch_config_public_ip_disabled,
+ control.ec2_instance_in_vpc,
+ control.vpc_route_table_restrict_public_access_to_igw,
+ control.ebs_snapshot_not_publicly_restorable,
+ control.dms_replication_instance_not_publicly_accessible,
+ control.ec2_instance_not_publicly_accessible,
+ control.es_domain_in_vpc,
+ control.emr_cluster_master_nodes_no_public_ip,
+ control.lambda_function_in_vpc,
+ control.lambda_function_restrict_public_access,
+ control.rds_db_instance_prohibit_public_access,
+ control.rds_db_snapshot_prohibit_public_access,
+ control.redshift_cluster_prohibit_public_access,
+ control.vpc_security_group_restrict_ingress_tcp_udp_all,
+ control.s3_bucket_restrict_public_read_access,
+ control.s3_bucket_restrict_public_write_access,
+ control.s3_public_access_block_account,
+ control.s3_public_access_block_bucket,
+ control.sagemaker_notebook_instance_direct_internet_access_disabled,
+ control.vpc_subnet_auto_assign_public_ip_disabled,
+ control.vpc_default_security_group_restricts_all_traffic,
+ control.vpc_security_group_restrict_ingress_common_ports_all,
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ac_4_22" {
+ title = "AC-4(22) Access Only"
+ description = "Provide access from a single device to computing platforms, applications, or data residing in multiple different security domains, while preventing information flow between the different security domains."
+ children = [
+ control.es_domain_node_to_node_encryption_enabled,
+ control.elb_classic_lb_use_tls_https_listeners,
+ control.elb_application_lb_redirect_http_request_to_https,
+ control.apigateway_rest_api_stage_use_ssl_certificate,
+ control.elb_classic_lb_use_ssl_certificate,
+ control.redshift_cluster_encryption_in_transit_enabled,
+ control.s3_bucket_enforces_ssl
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ac_4_26" {
+ title = "AC-4(26) Audit Filtering Actions"
+ description = "When transferring information between different security domains, record and audit content filtering actions and results for the information being filtered."
+ children = [
+ control.cloudtrail_multi_region_trail_enabled,
+ control.wafv2_web_acl_logging_enabled,
+ control.cloudtrail_trail_integrated_with_logs,
+ control.apigateway_stage_logging_enabled,
+ control.cloudtrail_trail_enabled,
+ control.cloudtrail_s3_data_events_enabled,
+ control.elb_application_classic_lb_logging_enabled,
+ control.rds_db_instance_logging_enabled,
+ control.redshift_cluster_encryption_logging_enabled,
+ control.s3_bucket_logging_enabled,
+ control.vpc_flow_logs_enabled,
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ac_4_28" {
+ title = "AC-4(28) Linear Filter Pipelines"
+ description = "When transferring information between different security domains, implement a linear content filter pipeline that is enforced with discretionary and mandatory access controls."
+ children = [
+ control.ec2_instance_uses_imdsv2,
+ control.iam_group_user_role_no_inline_policies,
+ control.iam_user_access_key_age_90,
+ control.iam_account_password_policy_min_length_14,
+ control.iam_policy_no_star_star,
+ control.iam_root_user_no_access_keys,
+ control.iam_user_in_group,
+ control.iam_user_mfa_enabled,
+ control.iam_user_no_inline_attached_policies,
+ control.iam_user_unused_credentials_90,
+ control.iam_user_console_access_mfa_enabled,
+ control.iam_root_user_hardware_mfa_enabled,
+ control.iam_root_user_mfa_enabled,
+ control.secretsmanager_secret_automatic_rotation_enabled,
+ control.secretsmanager_secret_rotated_as_scheduled,
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ac_5" {
+ title = benchmark.nist_800_53_rev_4_ac_5.title
+ description = benchmark.nist_800_53_rev_4_ac_5.description
+ children = [
+ benchmark.nist_800_53_rev_5_ac_5_b
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ac_5_b" {
+ title = "AC-5(b)"
+ description = "b. Define system access authorizations to support separation of duties."
+ children = [
+ control.ecs_task_definition_user_for_host_mode_check,
+ control.iam_all_policy_no_service_wild_card,
+ control.iam_policy_no_star_star,
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ac_6" {
+ title = "Least Privilege (AC-6)"
+ description = "Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks."
+ children = [
+ control.ec2_instance_uses_imdsv2,
+ control.iam_group_user_role_no_inline_policies,
+ control.ec2_instance_in_vpc,
+ control.dms_replication_instance_not_publicly_accessible,
+ control.ebs_snapshot_not_publicly_restorable,
+ control.ec2_instance_not_publicly_accessible,
+ control.es_domain_in_vpc,
+ control.iam_policy_no_star_star,
+ control.emr_cluster_master_nodes_no_public_ip,
+ control.iam_root_user_no_access_keys,
+ control.iam_user_in_group,
+ control.iam_user_no_inline_attached_policies,
+ control.iam_user_unused_credentials_90,
+ control.lambda_function_in_vpc,
+ control.lambda_function_restrict_public_access,
+ control.rds_db_instance_prohibit_public_access,
+ control.rds_db_snapshot_prohibit_public_access,
+ control.redshift_cluster_prohibit_public_access,
+ control.s3_bucket_restrict_public_read_access,
+ control.s3_bucket_restrict_public_write_access,
+ control.s3_public_access_block_account,
+ control.s3_public_access_block_bucket,
+ control.sagemaker_notebook_instance_direct_internet_access_disabled,
+ control.vpc_subnet_auto_assign_public_ip_disabled,
+ benchmark.nist_800_53_rev_5_ac_6_2,
+ benchmark.nist_800_53_rev_5_ac_6_3,
+ benchmark.nist_800_53_rev_5_ac_6_9,
+ benchmark.nist_800_53_rev_5_ac_6_10
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ac_6_2" {
+ title = "AC-6(2)"
+ description = "Require that users of system accounts (or roles) with access to [Assignment: organization-defined security functions or security-relevant information] use non-privileged accounts or roles, when accessing nonsecurity functions."
+ children = [
+ control.iam_all_policy_no_service_wild_card,
+ control.iam_policy_no_star_star,
+ control.iam_root_user_no_access_keys
+ ]
+
+ tags = merge(local.nist_800_53_rev_5_common_tags, {
+ service = "AWS/IAM"
+ })
+}
+
+benchmark "nist_800_53_rev_5_ac_6_3" {
+ title = "AC-6(3)"
+ description = "Authorize network access to [Assignment: organization-defined privileged commands] only for [Assignment: organization-defined compelling operational needs] and document the rationale for such access in the security plan for the system."
+ children = [
+ control.iam_group_user_role_no_inline_policies,
+ control.iam_policy_no_star_star,
+ control.iam_user_in_group,
+ control.iam_user_no_inline_attached_policies
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ac_6_9" {
+ title = "AC-6(9)"
+ description = "Log the execution of privileged functions."
+ children = [
+ control.cloudtrail_multi_region_trail_enabled,
+ control.cloudtrail_trail_integrated_with_logs,
+ control.cloudtrail_trail_enabled,
+ control.cloudtrail_s3_data_events_enabled,
+ control.rds_db_instance_logging_enabled,
+ control.redshift_cluster_encryption_logging_enabled,
+ control.s3_bucket_logging_enabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ac_6_10" {
+ title = "AC-6(10)"
+ description = "Prevent non-privileged users from executing privileged functions."
+ children = [
+ control.iam_all_policy_no_service_wild_card,
+ control.iam_policy_no_star_star,
+ control.iam_root_user_no_access_keys
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ac_7" {
+ title = "Unsuccessful Logon Attempts (AC-7)"
+ description = "a. Enforce a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during a [Assignment:organization-defined time period]; and b. Automatically [Selection (one or more): lock the account or node for an [Assignment: organization-defined time period]; lock the account or node until released by an administrator; delay next logon prompt per [Assignment: organization-defined delay algorithm]; notify system administrator; take other[Assignment: organization-defined action]] when the maximum number of unsuccessful attempts is exceeded."
+ children = [
+ benchmark.nist_800_53_rev_5_ac_7_4
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ac_7_4" {
+ title = "AC-7(4) Use Of Alternate Authentication Factor"
+ description = "a. Allow the use of [Assignment: organization-defined authentication factors] that are different from the primary authentication factors after the number of organization-defined consecutive invalid logon attempts have been exceeded; and b. Enforce a limit of [Assignment: organization-defined number] consecutive invalid logon attempts through use of the alternative factors by a user during a [Assignment: organization-defined time period]."
+ children = [
+ control.iam_account_password_policy_min_length_14,
+ control.iam_user_mfa_enabled,
+ control.iam_user_console_access_mfa_enabled,
+ control.iam_root_user_hardware_mfa_enabled,
+ control.iam_root_user_mfa_enabled,
+ benchmark.nist_800_53_rev_5_ac_7_4_a
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ac_7_4_a" {
+ title = "AC-7(4)(a)"
+ description = "(a) Allow the use of [Assignment: organization-defined authentication factors] that are different from the primary authentication factors after the number of organization-defined consecutive invalid logon attempts have been exceeded;"
+ children = [
+ control.iam_account_password_policy_min_length_14,
+ control.iam_user_mfa_enabled,
+ control.iam_user_console_access_mfa_enabled,
+ control.iam_root_user_hardware_mfa_enabled,
+ control.iam_root_user_mfa_enabled,
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ac_16" {
+ title = "Security And Privacy Attributes (AC-16)"
+ description = "a. Provide the means to associate [Assignment: organization-defined types of security and privacy attributes] with [Assignment: organization-defined security and privacy attribute values] for information in storage, in process, and/or in transmission; b. Ensure that the attribute associations are made and retained with the information; c. Establish the following permitted security and privacy attributes from the attributes defined in AC-16a for [Assignment: organization-defined systems]: [Assignment: organization-defined security and privacy attributes];"
+ children = [
+ benchmark.nist_800_53_rev_5_ac_16_b
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ac_16_b" {
+ title = "AC-16b"
+ description = "b. Ensure that the attribute associations are made and retained with the information;"
+ children = [
+ control.cloudwatch_log_group_retention_period_365
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ac_17" {
+ title = "Remote Access (AC-17)"
+ description = "Authorize remote access systems prior to connection. Enforce remote connection requirements to information systems."
+ children = [
+ benchmark.nist_800_53_rev_5_ac_17_b,
+ benchmark.nist_800_53_rev_5_ac_17_1,
+ benchmark.nist_800_53_rev_5_ac_17_2,
+ benchmark.nist_800_53_rev_5_ac_17_4,
+ benchmark.nist_800_53_rev_5_ac_17_9,
+ benchmark.nist_800_53_rev_5_ac_17_10
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ac_17_b" {
+ title = "AC-17b"
+ description = "b. Authorize each type of remote access to the system prior to allowing such connections."
+ children = [
+ control.vpc_security_group_restrict_ingress_ssh_all,
+ control.ec2_instance_in_vpc,
+ control.dms_replication_instance_not_publicly_accessible,
+ control.ebs_snapshot_not_publicly_restorable,
+ control.ec2_instance_not_publicly_accessible,
+ control.es_domain_in_vpc,
+ control.emr_cluster_master_nodes_no_public_ip,
+ control.lambda_function_restrict_public_access,
+ control.lambda_function_in_vpc,
+ control.rds_db_instance_prohibit_public_access,
+ control.rds_db_snapshot_prohibit_public_access,
+ control.redshift_cluster_prohibit_public_access,
+ control.vpc_security_group_restrict_ingress_common_ports_all,
+ control.s3_bucket_restrict_public_read_access,
+ control.s3_bucket_restrict_public_write_access,
+ control.s3_public_access_block_account,
+ control.s3_public_access_block_bucket,
+ control.sagemaker_notebook_instance_direct_internet_access_disabled,
+ control.vpc_subnet_auto_assign_public_ip_disabled,
+ control.vpc_default_security_group_restricts_all_traffic,
+ control.vpc_security_group_restrict_ingress_tcp_udp_all,
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ac_17_1" {
+ title = "AC-17(1) Monitoring And Control"
+ description = "Employ automated mechanisms to monitor and control remote access methods."
+ children = [
+ control.vpc_security_group_restrict_ingress_ssh_all,
+ control.ec2_instance_in_vpc,
+ control.dms_replication_instance_not_publicly_accessible,
+ control.ebs_snapshot_not_publicly_restorable,
+ control.ec2_instance_not_publicly_accessible,
+ control.es_domain_in_vpc,
+ control.emr_cluster_master_nodes_no_public_ip,
+ control.lambda_function_in_vpc,
+ control.lambda_function_restrict_public_access,
+ control.rds_db_instance_prohibit_public_access,
+ control.rds_db_snapshot_prohibit_public_access,
+ control.redshift_cluster_prohibit_public_access,
+ control.vpc_security_group_restrict_ingress_common_ports_all,
+ control.s3_public_access_block_account,
+ control.s3_public_access_block_bucket,
+ control.s3_bucket_restrict_public_read_access,
+ control.s3_bucket_restrict_public_write_access,
+ control.sagemaker_notebook_instance_direct_internet_access_disabled,
+ control.vpc_subnet_auto_assign_public_ip_disabled,
+ control.vpc_default_security_group_restricts_all_traffic,
+ control.vpc_security_group_restrict_ingress_tcp_udp_all,
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ac_17_2" {
+ title = "AC-17(2)"
+ description = "Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions."
+ children = [
+ control.elb_classic_lb_use_tls_https_listeners,
+ control.elb_application_lb_redirect_http_request_to_https,
+ control.apigateway_rest_api_stage_use_ssl_certificate,
+ control.elb_classic_lb_use_ssl_certificate,
+ control.s3_bucket_enforces_ssl,
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ac_17_4" {
+ title = "AC-17(4) Privileged Commands And Access"
+ description = "a. Authorize the execution of privileged commands and access to security-relevant information via remote access only in a format that provides assessable evidence and for the following needs: [Assignment: organization-defined needs]; and b. Document the rationale for remote access in the security plan for the system."
+ children = [
+ benchmark.nist_800_53_rev_5_ac_17_4_a
+
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ac_17_4_a" {
+ title = "AC-17(4)(a)"
+ description = "(a) Authorize the execution of privileged commands and access to security-relevant information via remote access only in a format that provides assessable evidence and for the following needs: [Assignment: organization-defined needs];"
+ children = [
+ control.vpc_security_group_restrict_ingress_ssh_all,
+ control.ec2_instance_in_vpc,
+ control.dms_replication_instance_not_publicly_accessible,
+ control.ebs_snapshot_not_publicly_restorable,
+ control.ec2_instance_not_publicly_accessible,
+ control.es_domain_in_vpc,
+ control.emr_cluster_master_nodes_no_public_ip,
+ control.lambda_function_restrict_public_access,
+ control.lambda_function_in_vpc,
+ control.rds_db_instance_prohibit_public_access,
+ control.rds_db_snapshot_prohibit_public_access,
+ control.redshift_cluster_prohibit_public_access,
+ control.vpc_security_group_restrict_ingress_common_ports_all,
+ control.s3_bucket_restrict_public_read_access,
+ control.s3_bucket_restrict_public_write_access,
+ control.s3_public_access_block_account,
+ control.s3_public_access_block_bucket,
+ control.sagemaker_notebook_instance_direct_internet_access_disabled,
+ control.vpc_subnet_auto_assign_public_ip_disabled,
+ control.vpc_default_security_group_restricts_all_traffic,
+ control.vpc_security_group_restrict_ingress_tcp_udp_all,
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ac_17_9" {
+ title = "AC-17(9) Disconnect Or Disable Access"
+ description = "Provide the capability to disconnect or disable remote access to the system within [Assignment: organization-defined time period]."
+ children = [
+ control.vpc_security_group_restrict_ingress_ssh_all,
+ control.ec2_instance_in_vpc,
+ control.dms_replication_instance_not_publicly_accessible,
+ control.ebs_snapshot_not_publicly_restorable,
+ control.ec2_instance_not_publicly_accessible,
+ control.es_domain_in_vpc,
+ control.emr_cluster_master_nodes_no_public_ip,
+ control.lambda_function_restrict_public_access,
+ control.lambda_function_in_vpc,
+ control.rds_db_instance_prohibit_public_access,
+ control.rds_db_snapshot_prohibit_public_access,
+ control.redshift_cluster_prohibit_public_access,
+ control.vpc_security_group_restrict_ingress_common_ports_all,
+ control.s3_bucket_restrict_public_read_access,
+ control.s3_bucket_restrict_public_write_access,
+ control.s3_public_access_block_account,
+ control.s3_public_access_block_bucket,
+ control.sagemaker_notebook_instance_direct_internet_access_disabled,
+ control.vpc_subnet_auto_assign_public_ip_disabled,
+ control.vpc_default_security_group_restricts_all_traffic,
+ control.vpc_security_group_restrict_ingress_tcp_udp_all,
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ac_17_10" {
+ title = "AC-17(10) Authenticate Remote Commands"
+ description = "Provide the capability to disconnect or disable remote access to the system within [Assignment: organization-defined time period]."
+ children = [
+ control.vpc_security_group_restrict_ingress_ssh_all,
+ control.ec2_instance_in_vpc,
+ control.dms_replication_instance_not_publicly_accessible,
+ control.ebs_snapshot_not_publicly_restorable,
+ control.ec2_instance_not_publicly_accessible,
+ control.es_domain_in_vpc,
+ control.emr_cluster_master_nodes_no_public_ip,
+ control.lambda_function_restrict_public_access,
+ control.lambda_function_in_vpc,
+ control.rds_db_instance_prohibit_public_access,
+ control.rds_db_snapshot_prohibit_public_access,
+ control.redshift_cluster_prohibit_public_access,
+ control.vpc_security_group_restrict_ingress_common_ports_all,
+ control.s3_bucket_restrict_public_read_access,
+ control.s3_bucket_restrict_public_write_access,
+ control.s3_public_access_block_account,
+ control.s3_public_access_block_bucket,
+ control.sagemaker_notebook_instance_direct_internet_access_disabled,
+ control.vpc_subnet_auto_assign_public_ip_disabled,
+ control.vpc_default_security_group_restricts_all_traffic,
+ control.vpc_security_group_restrict_ingress_tcp_udp_all,
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ac_24" {
+ title = "Access Control Decisions (AC-24)"
+ description = "[Selection: Establish procedures; Implement mechanisms] to ensure [Assignment: organization-defined access control decisions] are applied to each access request prior to access enforcement."
+ children = [
+ control.ec2_instance_uses_imdsv2,
+ control.iam_group_user_role_no_inline_policies,
+ control.iam_user_access_key_age_90,
+ control.iam_account_password_policy_min_length_14,
+ control.iam_policy_no_star_star,
+ control.iam_root_user_no_access_keys,
+ control.iam_user_in_group,
+ control.iam_user_mfa_enabled,
+ control.iam_user_no_inline_attached_policies,
+ control.iam_user_unused_credentials_90,
+ control.iam_user_console_access_mfa_enabled,
+ control.iam_root_user_hardware_mfa_enabled,
+ control.iam_root_user_mfa_enabled,
+ control.secretsmanager_secret_automatic_rotation_enabled,
+ control.secretsmanager_secret_rotated_as_scheduled,
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ac_24_1" {
+ title = "AC-24(1)"
+ description = "Transmit [Assignment: organization-defined access authorization information] using [Assignment: organization-defined controls] to [Assignment: organization-defined systems] that enforce access control decisions."
+ children = [
+ control.es_domain_node_to_node_encryption_enabled,
+ control.elb_classic_lb_use_tls_https_listeners,
+ control.elb_application_lb_redirect_http_request_to_https,
+ control.apigateway_rest_api_stage_use_ssl_certificate,
+ control.elb_classic_lb_use_ssl_certificate,
+ control.redshift_cluster_encryption_in_transit_enabled,
+ control.s3_bucket_enforces_ssl,
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
\ No newline at end of file
From 04a2eaa9e58dfa44a80330049fbcf70130269705 Mon Sep 17 00:00:00 2001
From: Khushboo
Date: Mon, 23 May 2022 16:24:56 +0530
Subject: [PATCH 02/20] added au file
---
 nist_800_53_rev_5/au.sp | 761 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 761 insertions(+)
 create mode 100644 nist_800_53_rev_5/au.sp
diff --git a/nist_800_53_rev_5/au.sp b/nist_800_53_rev_5/au.sp
new file mode 100644
index 00000000..40f64f3a
--- /dev/null
+++ b/nist_800_53_rev_5/au.sp
@@ -0,0 +1,761 @@
+benchmark "nist_800_53_rev_5_au" {
+ title = "Audit and Accountability (AU)"
+ description = "The AU control family consists of security controls related to an organization’s audit capabilities. This includes audit policies and procedures, audit logging, audit report generation, and protection of audit information."
+ children = [
+ benchmark.nist_800_53_rev_5_au_2,
+ benchmark.nist_800_53_rev_5_au_3,
+ benchmark.nist_800_53_rev_5_au_4,
+ benchmark.nist_800_53_rev_5_au_6,
+ benchmark.nist_800_53_rev_5_au_7,
+ benchmark.nist_800_53_rev_5_au_8,
+ benchmark.nist_800_53_rev_5_au_9,
+ benchmark.nist_800_53_rev_5_au_10,
+ benchmark.nist_800_53_rev_5_au_11,
+ benchmark.nist_800_53_rev_5_au_12,
+ benchmark.nist_800_53_rev_5_au_14
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+
+benchmark "nist_800_53_rev_5_au_2" {
+ title = "Event Logging (AU-2)"
+ description = "Automate security audit function with other organizational entities. Enable mutual support of audit of auditable events."
+ children = [
+ benchmark.nist_800_53_rev_5_au_2_b
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_au_2_b" {
+ title = "AU-2b"
+ description = "b. 
Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;"
+ children = [
+ control.cloudtrail_multi_region_trail_enabled,
+ control.rds_db_instance_logging_enabled,
+ control.wafv2_web_acl_logging_enabled,
+ control.apigateway_stage_logging_enabled,
+ control.cloudtrail_trail_integrated_with_logs,
+ control.cloudtrail_trail_enabled,
+ control.cloudtrail_s3_data_events_enabled,
+ control.elb_application_classic_lb_logging_enabled,
+ control.redshift_cluster_encryption_logging_enabled,
+ control.s3_bucket_logging_enabled,
+ control.vpc_flow_logs_enabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_au_3" {
+ title = "Content of Audit Records (AU-3)"
+ description = "The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event."
+ children = [
+ benchmark.nist_800_53_rev_5_au_3_1,
+ benchmark.nist_800_53_rev_5_au_3_a,
+ benchmark.nist_800_53_rev_5_au_3_b,
+ benchmark.nist_800_53_rev_5_au_3_c,
+ benchmark.nist_800_53_rev_5_au_3_e,
+ benchmark.nist_800_53_rev_5_au_3_f
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_au_3_a" {
+ title = "AU-3(a)"
+ description = "Ensure that audit records contain information that establishes the following: a. 
What type of event occurred;"
+ children = [
+ control.cloudtrail_multi_region_trail_enabled,
+ control.wafv2_web_acl_logging_enabled,
+ control.apigateway_stage_logging_enabled,
+ control.cloudtrail_trail_integrated_with_logs,
+ control.cloudtrail_trail_enabled,
+ control.cloudtrail_s3_data_events_enabled,
+ control.elb_application_classic_lb_logging_enabled,
+ control.rds_db_instance_logging_enabled,
+ control.redshift_cluster_encryption_logging_enabled,
+ control.s3_bucket_logging_enabled,
+ control.vpc_flow_logs_enabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_au_3_b" {
+ title = "AU-3(b)"
+ description = "Ensure that audit records contain information that establishes the following: b. When the event occurred;"
+ children = [
+ control.cloudtrail_multi_region_trail_enabled,
+ control.wafv2_web_acl_logging_enabled,
+ control.apigateway_stage_logging_enabled,
+ control.cloudtrail_trail_integrated_with_logs,
+ control.cloudtrail_trail_enabled,
+ control.cloudtrail_s3_data_events_enabled,
+ control.elb_application_classic_lb_logging_enabled,
+ control.rds_db_instance_logging_enabled,
+ control.redshift_cluster_encryption_logging_enabled,
+ control.s3_bucket_logging_enabled,
+ control.vpc_flow_logs_enabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_au_3_c" {
+ title = "AU-3(c)"
+ description = "Ensure that audit records contain information that establishes the following: c. 
Where the event occurred;"
+ children = [
+ control.cloudtrail_multi_region_trail_enabled,
+ control.wafv2_web_acl_logging_enabled,
+ control.apigateway_stage_logging_enabled,
+ control.cloudtrail_trail_integrated_with_logs,
+ control.cloudtrail_trail_enabled,
+ control.cloudtrail_s3_data_events_enabled,
+ control.elb_application_classic_lb_logging_enabled,
+ control.rds_db_instance_logging_enabled,
+ control.redshift_cluster_encryption_logging_enabled,
+ control.s3_bucket_logging_enabled,
+ control.vpc_flow_logs_enabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_au_3_d" {
+ title = "AU-3(d)"
+ description = "Ensure that audit records contain information that establishes the following: d. Source of the event;"
+ children = [
+ control.cloudtrail_multi_region_trail_enabled,
+ control.wafv2_web_acl_logging_enabled,
+ control.apigateway_stage_logging_enabled,
+ control.cloudtrail_trail_integrated_with_logs,
+ control.cloudtrail_trail_enabled,
+ control.cloudtrail_s3_data_events_enabled,
+ control.elb_application_classic_lb_logging_enabled,
+ control.rds_db_instance_logging_enabled,
+ control.redshift_cluster_encryption_logging_enabled,
+ control.s3_bucket_logging_enabled,
+ control.vpc_flow_logs_enabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_au_3_e" {
+ title = "AU-3(e)"
+ description = "Ensure that audit records contain information that establishes the following: e. 
Outcome of the event;"
+ children = [
+ control.cloudtrail_multi_region_trail_enabled,
+ control.wafv2_web_acl_logging_enabled,
+ control.apigateway_stage_logging_enabled,
+ control.cloudtrail_trail_integrated_with_logs,
+ control.cloudtrail_trail_enabled,
+ control.cloudtrail_s3_data_events_enabled,
+ control.elb_application_classic_lb_logging_enabled,
+ control.rds_db_instance_logging_enabled,
+ control.redshift_cluster_encryption_logging_enabled,
+ control.s3_bucket_logging_enabled,
+ control.vpc_flow_logs_enabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_au_3_f" {
+ title = "AU-3(f)"
+ description = "Ensure that audit records contain information that establishes the following: e. Outcome of the event;"
+ children = [
+ control.cloudtrail_multi_region_trail_enabled,
+ control.wafv2_web_acl_logging_enabled,
+ control.apigateway_stage_logging_enabled,
+ control.cloudtrail_trail_integrated_with_logs,
+ control.cloudtrail_trail_enabled,
+ control.cloudtrail_s3_data_events_enabled,
+ control.elb_application_classic_lb_logging_enabled,
+ control.rds_db_instance_logging_enabled,
+ control.redshift_cluster_encryption_logging_enabled,
+ control.s3_bucket_logging_enabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_au_3_1" {
+ title = "AU-3(1) Additional Audit Information"
+ description = "Generate audit records containing the following additional information: [Assignment: organization-defined additional information]."
+ children = [
+ control.cloudtrail_trail_enabled,
+ control.guardduty_enabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_au_4" {
+ title = "Audit Log Stprage Capacity (AU-4)"
+ description = "Allocate audit log storage capacity to accommodate [Assignment: organization-defined audit log retention requirements]."
+ children = [
+ benchmark.nist_800_53_rev_5_au_4_1
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_au_4_1" {
+ title = "AU-4(1) Transfer To Alternate Storage"
+ description = "Transfer audit logs [Assignment: organization-defined frequency] to a different system, system component, or media other than the system or system component conducting the logging."
+ children = [
+ control.cloudtrail_trail_integrated_with_logs
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_au_6" {
+ title = "Audit Record Review, Analysis And Reporting (AU-6)"
+ description = "Integrate audit review, analysis, and reporting with processes for investigation and response to suspicious activities."
+ children = [
+ benchmark.nist_800_53_rev_5_au_6_1,
+ benchmark.nist_800_53_rev_5_au_6_3,
+ benchmark.nist_800_53_rev_5_au_6_4,
+ benchmark.nist_800_53_rev_5_au_6_5,
+ benchmark.nist_800_53_rev_5_au_6_6,
+ benchmark.nist_800_53_rev_5_au_6_9
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_au_6_1" {
+ title = "AU-6(1) Automated Process Integration"
+ description = "Integrate audit record review, analysis, and reporting processes using [Assignment: organization-defined automated mechanisms]."
+ children = [
+ control.cloudtrail_trail_integrated_with_logs,
+ control.guardduty_enabled,
+ control.securityhub_enabled,
+ control.cloudwatch_alarm_action_enabled,
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_au_6_3" {
+ title = "AU-6(3) Correlate Audit Record Repositories"
+ description = "Analyze and correlate audit records across different repositories to gain organization-wide situational awareness."
+ children = [
+ control.cloudwatch_log_group_retention_period_365,
+ control.cloudtrail_multi_region_trail_enabled,
+ control.wafv2_web_acl_logging_enabled,
+ control.apigateway_stage_logging_enabled,
+ control.cloudtrail_trail_integrated_with_logs,
+ control.cloudtrail_trail_enabled,
+ control.cloudtrail_s3_data_events_enabled,
+ control.elb_application_classic_lb_logging_enabled,
+ control.rds_db_instance_logging_enabled,
+ control.redshift_cluster_encryption_logging_enabled,
+ control.s3_bucket_logging_enabled,
+ control.vpc_flow_logs_enabled,
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_au_6_4" {
+ title = "AU-6(4) Central Review And Analysis"
+ description = "Provide and implement the capability to centrally review and analyze audit records from multiple components within the system."
+ children = [
+ control.cloudwatch_log_group_retention_period_365,
+ control.cloudtrail_multi_region_trail_enabled,
+ control.wafv2_web_acl_logging_enabled,
+ control.apigateway_stage_logging_enabled,
+ control.cloudtrail_trail_integrated_with_logs,
+ control.cloudtrail_trail_enabled,
+ control.cloudtrail_s3_data_events_enabled,
+ control.elb_application_classic_lb_logging_enabled,
+ control.rds_db_instance_logging_enabled,
+ control.redshift_cluster_encryption_logging_enabled,
+ control.s3_bucket_logging_enabled,
+ control.vpc_flow_logs_enabled,
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_au_6_5" {
+ title = "AU-6(5) Central Review And Analysis"
+ description = "Integrate analysis of audit records with analysis of [Selection (one or more): vulnerability scanning information; performance data; system monitoring information; [Assignment: organization-defined data/information collected from other sources]] to further enhance the ability to identify inappropriate or unusual activity."
+ children = [
+ control.cloudtrail_trail_integrated_with_logs,
+ control.guardduty_enabled,
+ control.securityhub_enabled,
+ control.cloudwatch_alarm_action_enabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_au_6_6" {
+ title = "AU-6(6) Correletion With Physical Monitoring"
+ description = "Correlate information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity."
+ children = [
+ control.cloudwatch_log_group_retention_period_365,
+ control.cloudtrail_multi_region_trail_enabled,
+ control.wafv2_web_acl_logging_enabled,
+ control.apigateway_stage_logging_enabled,
+ control.cloudtrail_trail_integrated_with_logs,
+ control.cloudtrail_trail_enabled,
+ control.cloudtrail_s3_data_events_enabled,
+ control.elb_application_classic_lb_logging_enabled,
+ control.rds_db_instance_logging_enabled,
+ control.redshift_cluster_encryption_logging_enabled,
+ control.s3_bucket_logging_enabled,
+ control.vpc_flow_logs_enabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_au_6_9" {
+ title = "AU-6(9) Correletion With From Nontechnical Sources"
+ description = "Correlate information from nontechnical sources with audit record information to enhance organization-wide situational awareness."
+ children = [
+ control.cloudwatch_log_group_retention_period_365,
+ control.cloudtrail_multi_region_trail_enabled,
+ control.wafv2_web_acl_logging_enabled,
+ control.apigateway_stage_logging_enabled,
+ control.cloudtrail_trail_integrated_with_logs,
+ control.cloudtrail_trail_enabled,
+ control.cloudtrail_s3_data_events_enabled,
+ control.elb_application_classic_lb_logging_enabled,
+ control.rds_db_instance_logging_enabled,
+ control.redshift_cluster_encryption_logging_enabled,
+ control.s3_bucket_logging_enabled,
+ control.vpc_flow_logs_enabled,
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+
+benchmark "nist_800_53_rev_5_au_7" {
+ title = "Audit Record Reduction And Report Generation (AU-7)"
+ description = "Support for real-time audit review, analysis, and reporting requirements without altering original audit records."
+ children = [
+ benchmark.nist_800_53_rev_5_au_7_1
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_au_7_1" {
+ title = "AU-7(1) Automatic Processing"
+ description = "Provide and implement the capability to process, sort, and search audit records for events of interest based on the following content: [Assignment: organization-defined fields within audit records]."
+ children = [
+ control.cloudtrail_trail_integrated_with_logs
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_au_8" {
+ title = "Time Stamps (AU-8)"
+ description = "Use internal system clocks to generate time stamps for audit records."
+ children = [
+ benchmark.nist_800_53_rev_5_au_8_b
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_au_8_b" {
+ title = "AU-8(b)"
+ description = "b. 
Record time stamps for audit records that meet [Assignment: organization-defined granularity of time measurement] and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp."
+ children = [
+ control.cloudtrail_multi_region_trail_enabled,
+ control.wafv2_web_acl_logging_enabled,
+ control.cloudtrail_trail_integrated_with_logs,
+ control.apigateway_stage_logging_enabled,
+ control.cloudtrail_trail_enabled,
+ control.cloudtrail_s3_data_events_enabled,
+ control.elb_application_classic_lb_logging_enabled,
+ control.rds_db_instance_logging_enabled,
+ control.redshift_cluster_encryption_logging_enabled,
+ control.s3_bucket_logging_enabled,
+ control.vpc_flow_logs_enabled,
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_au_9" {
+ title = "Protection of Audit Information (AU-9)"
+ description = "Protect audit information & tools from unauthorized access, modification & deletion."
+ children = [
+ benchmark.nist_800_53_rev_5_au_9_2,
+ benchmark.nist_800_53_rev_5_au_9_3,
+ benchmark.nist_800_53_rev_5_au_9_7,
+ benchmark.nist_800_53_rev_5_au_9_a
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_au_9_a" {
+ title = "AU-9(a)"
+ description = "a. Protect audit information and audit logging tools from unauthorized access, modification, and deletion;"
+ children = [
+ control.cloudtrail_trail_validation_enabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_au_9_2" {
+ title = "AU-9(2) Store On Separate Physical Systems Or Components"
+ description = "Store audit records [Assignment: organization-defined frequency] in a repository that is part of a physically different system or system component than the system or component being audited."
+ children = [
+ control.s3_bucket_cross_region_replication_enabled,
+ control.s3_bucket_versioning_enabled
+ ]
+
+ tags = merge(local.nist_800_53_rev_5_common_tags, {
+ service = "AWS/S3"
+ })
+}
+
+benchmark "nist_800_53_rev_5_au_9_3" {
+ title = "AU-9(3) Cryptographic Protection"
+ description = "Implement cryptographic mechanisms to protect the integrity of audit information and audit tools."
+ children = [
+ control.dynamodb_table_encrypted_with_kms_cmk,
+ control.ec2_ebs_default_encryption_enabled,
+ control.es_domain_node_to_node_encryption_enabled,
+ control.elb_classic_lb_use_tls_https_listeners,
+ control.rds_db_snapshot_encrypted_at_rest,
+ control.s3_bucket_default_encryption_enabled_kms,
+ control.sagemaker_notebook_instance_encryption_at_rest_enabled,
+ control.sns_topic_encrypted_at_rest,
+ control.elb_application_lb_redirect_http_request_to_https,
+ control.apigateway_stage_cache_encryption_at_rest_enabled,
+ control.apigateway_rest_api_stage_use_ssl_certificate,
+ control.cloudtrail_trail_logs_encrypted_with_kms_cmk,
+ control.log_group_encryption_at_rest_enabled,
+ control.efs_file_system_encrypt_data_at_rest,
+ control.es_domain_encryption_at_rest_enabled,
+ control.elb_classic_lb_use_ssl_certificate,
+ control.ebs_volume_encryption_at_rest_enabled,
+ control.rds_db_instance_encryption_at_rest_enabled,
+ control.redshift_cluster_encryption_logging_enabled,
+ control.redshift_cluster_kms_enabled,
+ control.redshift_cluster_encryption_in_transit_enabled,
+ control.s3_bucket_enforces_ssl,
+ control.sagemaker_endpoint_configuration_encryption_at_rest_enabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_au_9_7" {
+ title = "AU-9(7) Store On Component With Different Operation Systems"
+ description = "Store audit information on a component running a different operating system than the system or component being audited."
+ children = [
+ control.cloudtrail_trail_integrated_with_logs
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_au_10" {
+ title = "Non-Repudiation (AU-10)"
+ description = "Provide irrefutable evidence that an individual (or process acting on behalf of an individual) has performed [Assignment: organization-defined actions to be covered by non-repudiation]."
+ children = [
+ control.cloudwatch_log_group_retention_period_365,
+ control.es_domain_logs_to_cloudwatch,
+ control.cloudtrail_multi_region_trail_enabled,
+ control.rds_db_instance_logging_enabled,
+ control.wafv2_web_acl_logging_enabled,
+ control.apigateway_stage_logging_enabled,
+ control.cloudtrail_trail_integrated_with_logs,
+ control.cloudtrail_trail_enabled,
+ control.cloudtrail_s3_data_events_enabled,
+ control.elb_application_classic_lb_logging_enabled,
+ control.redshift_cluster_encryption_logging_enabled,
+ control.s3_bucket_logging_enabled,
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_au_11" {
+ title = "Audit Record Retention (AU-11)"
+ description = "Retain audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements."
+ children = [
+ control.cloudwatch_log_group_retention_period_365,
+ benchmark.nist_800_53_rev_5_au_11_1
+ ]
+
+ tags = merge(local.nist_800_53_rev_5_common_tags, {
+ service = "AWS/CloudWatch"
+ })
+}
+
+
+benchmark "nist_800_53_rev_5_au_11_1" {
+ title = "AU-11(1) Long-Term Retrieval Capability"
+ description = "Employ [Assignment: organization-defined measures] to ensure that long-term audit records generated by the system can be retrieved."
+ children = [
+ control.cloudwatch_log_group_retention_period_365
+ ]
+
+ tags = merge(local.nist_800_53_rev_5_common_tags, {
+ service = "AWS/CloudWatch"
+ })
+}
+
+benchmark "nist_800_53_rev_5_au_12" {
+ title = "Audit Record Generation (AU-12)"
+ description = "Audit events defined in AU-2. Allow trusted personnel to select which events to audit. Generate audit records for events."
+ children = [
+ benchmark.nist_800_53_rev_5_au_12_a,
+ benchmark.nist_800_53_rev_5_au_12_c,
+ benchmark.nist_800_53_rev_5_au_12_1,
+ benchmark.nist_800_53_rev_5_au_12_2
+
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_au_12_a" {
+ title = "AU-12(a)"
+ description = "a. Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2a on [Assignment: organization-defined system components];"
+ children = [
+ control.cloudtrail_multi_region_trail_enabled,
+ control.wafv2_web_acl_logging_enabled,
+ control.apigateway_stage_logging_enabled,
+ control.cloudtrail_trail_integrated_with_logs,
+ control.cloudtrail_trail_enabled,
+ control.cloudtrail_s3_data_events_enabled,
+ control.elb_application_classic_lb_logging_enabled,
+ control.rds_db_instance_logging_enabled,
+ control.redshift_cluster_encryption_logging_enabled,
+ control.s3_bucket_logging_enabled,
+ control.vpc_flow_logs_enabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_au_12_c" {
+ title = "AU-12(c)"
+ description = "c. Generate audit records for the event types defined in AU-2c that include the audit record content defined in AU-3."
+ children = [
+ control.cloudtrail_multi_region_trail_enabled,
+ control.wafv2_web_acl_logging_enabled,
+ control.apigateway_stage_logging_enabled,
+ control.cloudtrail_trail_integrated_with_logs,
+ control.cloudtrail_trail_enabled,
+ control.cloudtrail_s3_data_events_enabled,
+ control.elb_application_classic_lb_logging_enabled,
+ control.rds_db_instance_logging_enabled,
+ control.redshift_cluster_encryption_logging_enabled,
+ control.s3_bucket_logging_enabled,
+ control.vpc_flow_logs_enabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_au_12_1" {
+ title = "AU-12(1) System-Wide And Time-Correlated Audit Trial"
+ description = "Compile audit records from [Assignment: organization-defined system components] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail]."
+ children = [
+ control.cloudwatch_log_group_retention_period_365,
+ control.cloudtrail_multi_region_trail_enabled,
+ control.wafv2_web_acl_logging_enabled,
+ control.apigateway_stage_logging_enabled,
+ control.cloudtrail_trail_integrated_with_logs,
+ control.cloudtrail_trail_enabled,
+ control.cloudtrail_s3_data_events_enabled,
+ control.elb_application_classic_lb_logging_enabled,
+ control.rds_db_instance_logging_enabled,
+ control.redshift_cluster_encryption_logging_enabled,
+ control.s3_bucket_logging_enabled,
+ control.vpc_flow_logs_enabled,
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_au_12_2" {
+ title = "AU-12(2) Standardized Formats"
+ description = "Produce a system-wide (logical or physical) audit trail composed of audit records in a standardized format."
+ children = [
+ control.cloudwatch_log_group_retention_period_365,
+ control.cloudtrail_multi_region_trail_enabled,
+ control.wafv2_web_acl_logging_enabled,
+ control.apigateway_stage_logging_enabled,
+ control.cloudtrail_trail_integrated_with_logs,
+ control.cloudtrail_trail_enabled,
+ control.cloudtrail_s3_data_events_enabled,
+ control.elb_application_classic_lb_logging_enabled,
+ control.rds_db_instance_logging_enabled,
+ control.redshift_cluster_encryption_logging_enabled,
+ control.s3_bucket_logging_enabled,
+ control.vpc_flow_logs_enabled,
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_au_12_3" {
+ title = "AU-12(3) Changes By Authorized Individuals"
+ description = "Provide and implement the capability for [Assignment: organization-defined individuals or roles] to change the logging to be performed on [Assignment: organization-defined system components] based on [Assignment: organization-defined selectable event criteria] within [Assignment: organization-defined time thresholds]."
+ children = [
+ control.cloudwatch_log_group_retention_period_365,
+ control.lambda_function_concurrent_execution_limit_configured,
+ control.lambda_function_dead_letter_queue_configured,
+ control.cloudtrail_multi_region_trail_enabled,
+ control.rds_db_instance_and_cluster_enhanced_monitoring_enabled,
+ control.rds_db_instance_logging_enabled,
+ control.securityhub_enabled,
+ control.wafv2_web_acl_logging_enabled,
+ control.apigateway_stage_logging_enabled,
+ control.autoscaling_group_with_lb_use_health_check,
+ control.elastic_beanstalk_enhanced_health_reporting_enabled,
+ control.cloudtrail_trail_integrated_with_logs,
+ control.cloudtrail_trail_enabled,
+ control.cloudtrail_s3_data_events_enabled,
+ control.cloudwatch_alarm_action_enabled,
+ control.elb_application_classic_lb_logging_enabled,
+ control.guardduty_enabled,
+ control.redshift_cluster_encryption_logging_enabled,
+ control.s3_bucket_logging_enabled,
+ control.vpc_flow_logs_enabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_au_12_4" {
+ title = "AU-12(4) Query Parameter Audits Of Personally Identifiable Information"
+ description = "Provide and implement the capability for auditing the parameters of user query events for data sets containing personally identifiable information."
+ children = [
+ control.cloudtrail_multi_region_trail_enabled,
+ control.rds_db_instance_logging_enabled,
+ control.wafv2_web_acl_logging_enabled,
+ control.apigateway_stage_logging_enabled,
+ control.cloudtrail_trail_integrated_with_logs,
+ control.cloudtrail_trail_enabled,
+ control.cloudtrail_s3_data_events_enabled,
+ control.elb_application_classic_lb_logging_enabled,
+ control.redshift_cluster_encryption_logging_enabled,
+ control.s3_bucket_logging_enabled,
+ control.vpc_flow_logs_enabled,
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_au_14" {
+ title = "Session Audit (AU-14)"
+ description = "Capture, record and log user sessions. 
Remotely view all content related to a user session that starts at system start-up."
+ children = [
+ benchmark.nist_800_53_rev_5_au_14_a,
+ benchmark.nist_800_53_rev_5_au_14_b,
+ benchmark.nist_800_53_rev_5_au_14_3,
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_au_14_a" {
+ title = "AU-14(a)"
+ description = "a. Provide and implement the capability for [Assignment: organization-defined users or roles] to [Selection (one or more): record; view; hear; log] the content of a user session under [Assignment: organization-defined circumstances];"
+ children = [
+ control.cloudwatch_log_group_retention_period_365,
+ control.lambda_function_concurrent_execution_limit_configured,
+ control.lambda_function_dead_letter_queue_configured,
+ control.cloudtrail_multi_region_trail_enabled,
+ control.rds_db_instance_and_cluster_enhanced_monitoring_enabled,
+ control.rds_db_instance_logging_enabled,
+ control.securityhub_enabled,
+ control.wafv2_web_acl_logging_enabled,
+ control.apigateway_stage_logging_enabled,
+ control.autoscaling_group_with_lb_use_health_check,
+ control.elastic_beanstalk_enhanced_health_reporting_enabled,
+ control.cloudtrail_trail_integrated_with_logs,
+ control.cloudtrail_trail_enabled,
+ control.cloudtrail_s3_data_events_enabled,
+ control.cloudwatch_alarm_action_enabled,
+ control.elb_application_classic_lb_logging_enabled,
+ control.guardduty_enabled,
+ control.redshift_cluster_encryption_logging_enabled,
+ control.s3_bucket_logging_enabled,
+ control.vpc_flow_logs_enabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_au_14_b" {
+ title = "AU-14(b)"
+ description = "b. Develop, integrate, and use session auditing activities in consultation with legal counsel and in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines."
+ children = [
+ control.cloudwatch_log_group_retention_period_365,
+ control.lambda_function_concurrent_execution_limit_configured,
+ control.lambda_function_dead_letter_queue_configured,
+ control.cloudtrail_multi_region_trail_enabled,
+ control.rds_db_instance_and_cluster_enhanced_monitoring_enabled,
+ control.rds_db_instance_logging_enabled,
+ control.securityhub_enabled,
+ control.wafv2_web_acl_logging_enabled,
+ control.apigateway_stage_logging_enabled,
+ control.autoscaling_group_with_lb_use_health_check,
+ control.elastic_beanstalk_enhanced_health_reporting_enabled,
+ control.cloudtrail_trail_integrated_with_logs,
+ control.cloudtrail_trail_enabled,
+ control.cloudtrail_s3_data_events_enabled,
+ control.cloudwatch_alarm_action_enabled,
+ control.elb_application_classic_lb_logging_enabled,
+ control.guardduty_enabled,
+ control.redshift_cluster_encryption_logging_enabled,
+ control.s3_bucket_logging_enabled,
+ control.vpc_flow_logs_enabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_au_14_3" {
+ title = "AU-14(3) Remote Viewing And Listening"
+ description = "Provide and implement the capability for authorized users to remotely view and hear content related to an established user session in real time."
+ children = [
+ control.cloudtrail_multi_region_trail_enabled,
+ control.rds_db_instance_logging_enabled,
+ control.wafv2_web_acl_logging_enabled,
+ control.apigateway_stage_logging_enabled,
+ control.cloudtrail_trail_integrated_with_logs,
+ control.cloudtrail_trail_enabled,
+ control.cloudtrail_s3_data_events_enabled,
+ control.elb_application_classic_lb_logging_enabled,
+ control.redshift_cluster_encryption_logging_enabled,
+ control.s3_bucket_logging_enabled,
+ control.vpc_flow_logs_enabled,
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_au_16" {
+ title = "Cross-Organizational Audit Logging (AU-16)"
+ description = "Employ [Assignment: organization-defined methods] for coordinating [Assignment: organization-defined audit information] among external organizations when audit information is transmitted across organizational boundaries."
+ children = [
+ control.cloudtrail_trail_integrated_with_logs
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
\ No newline at end of file
From ead211312053c652d47b50c089e1fdf38a3d3d2a Mon Sep 17 00:00:00 2001 From: Khushboo Date: Tue, 24 May 2022 20:47:29 +0530 Subject: [PATCH 03/20] added new controls and benchmarks
--- nist_800_53_rev_5/ca.sp | 142 +++++ nist_800_53_rev_5/cm.sp | 519 +++++++++++++++++ nist_800_53_rev_5/sc.sp | 1168 +++++++++++++++++++++++++++++++++++++++ nist_800_53_rev_5/si.sp | 720 ++++++++++++++++++++++++ 4 files changed, 2549 insertions(+) create mode 100644 nist_800_53_rev_5/ca.sp create mode 100644 nist_800_53_rev_5/cm.sp create mode 100644 nist_800_53_rev_5/sc.sp create mode 100644 nist_800_53_rev_5/si.sp
diff --git a/nist_800_53_rev_5/ca.sp b/nist_800_53_rev_5/ca.sp new file mode 100644
index 00000000..0a72dfb7
--- /dev/null
+++ b/nist_800_53_rev_5/ca.sp
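Review bot: Several benchmarks in this hunk are defined but never wired into a parent, so they silently drop out of the family run: `nist_800_53_rev_5_au_3_d` is missing from the `nist_800_53_rev_5_au_3` children list, `nist_800_53_rev_5_au_12_3` and `nist_800_53_rev_5_au_12_4` from `nist_800_53_rev_5_au_12`, and `nist_800_53_rev_5_au_16` from the top-level `nist_800_53_rev_5_au`; adding `benchmark.nist_800_53_rev_5_au_3_d,` after `benchmark.nist_800_53_rev_5_au_3_c,` (and the corresponding entries for the other three) restores the coverage the titles promise. `nist_800_53_rev_5_au_3_f` also carries a copy of the AU-3(e) text; based on the AU-3 summary at the top of the file it should read `description = "Ensure that audit records contain information that establishes the following: f. Identity of any individuals, subjects, or objects/entities associated with the event."`. AU-9(a) is about preventing unauthorized access, modification and deletion of audit data, yet it maps only `control.cloudtrail_trail_validation_enabled`, which detects tampering after the fact rather than preventing it; the access and integrity controls already referenced in this patch series (`s3_bucket_restrict_public_read_access`, `s3_bucket_restrict_public_write_access`, `s3_bucket_versioning_enabled`, `cloudtrail_trail_logs_encrypted_with_kms_cmk`) are the closer fit and could be added as children. Finally, the titles contain typos that will surface verbatim in compliance reports (`Stprage`, `Correletion`, `Correletion With From`, `Audit Trial`, `Operation Systems`), and AU-6(5) reuses the AU-6(4) title `Central Review And Analysis` although its description is the integrated-analysis enhancement.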
@@ -0,0 +1,142 @@
+benchmark "nist_800_53_rev_5_ca" {
+ title = "Assessment, Authorization, And Monitoring (CA)"
+ description = "The Security Assessment and Authorization control family includes controls that supplement the execution of security assessments, authorizations, continuous monitoring, plan of actions and milestones, and system interconnections."
+ children = [
+ benchmark.nist_800_53_rev_5_ca_2,
+ benchmark.nist_800_53_rev_5_ca_7,
+ benchmark.nist_800_53_rev_5_ca_9
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ca_2" {
+ title = "Control Assessments (CA-2)"
+ description = "Assess security controls to determine effectiveness and produce security reports, documentation, and graphs."
+ children = [
+ benchmark.nist_800_53_rev_5_ca_2_2,
+ benchmark.nist_800_53_rev_5_ca_2_d
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ca_2_2" {
+ title = "CA-2(2) Specialized Assessments"
+ description = "Include as part of control assessments, [Assignment: organization-defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; security instrumentation; automated security test cases; vulnerability scanning; malicious user testing; insider threat assessment; performance and load testing; data leakage or data loss assessment; [Assignment: organization-defined other forms of assessment]]."
+ children = [
+ control.lambda_function_dead_letter_queue_configured,
+ control.rds_db_instance_and_cluster_enhanced_monitoring_enabled,
+ control.autoscaling_group_with_lb_use_health_check,
+ control.elastic_beanstalk_enhanced_health_reporting_enabled,
+ control.cloudwatch_alarm_action_enabled,
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ca_2_d" {
+ title = "CA-2(d)"
+ description = "d. Assess the controls in the system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements;"
+ children = [
+ control.guardduty_enabled,
+ control.securityhub_enabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ca_7" {
+ title = "Continuous Monitoring (CA-7)"
+ description = "Continuously monitor configuration management processes. Determine security impact, environment and operational risks."
+ children = [
+ control.lambda_function_concurrent_execution_limit_configured,
+ control.lambda_function_dead_letter_queue_configured,
+ control.rds_db_instance_and_cluster_enhanced_monitoring_enabled,
+ control.securityhub_enabled,
+ control.autoscaling_group_with_lb_use_health_check,
+ control.elastic_beanstalk_enhanced_health_reporting_enabled,
+ control.cloudwatch_alarm_action_enabled,
+ control.guardduty_enabled,
+ benchmark.nist_800_53_rev_5_ca_7_4,
+ benchmark.nist_800_53_rev_5_ca_7_b
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ca_7_b" {
+ title = "CA-7(b)"
+ description = "Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes: b. Establishing [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessment of control effectiveness;"
+ children = [
+ control.cloudwatch_log_group_retention_period_365,
+ control.lambda_function_concurrent_execution_limit_configured,
+ control.lambda_function_dead_letter_queue_configured,
+ control.cloudtrail_multi_region_trail_enabled,
+ control.rds_db_instance_and_cluster_enhanced_monitoring_enabled,
+ control.rds_db_instance_logging_enabled,
+ control.securityhub_enabled,
+ control.wafv2_web_acl_logging_enabled,
+ control.apigateway_stage_logging_enabled,
+ control.autoscaling_group_with_lb_use_health_check,
+ control.elastic_beanstalk_enhanced_health_reporting_enabled,
+ control.cloudtrail_trail_integrated_with_logs,
+ control.cloudtrail_trail_enabled,
+ control.cloudtrail_s3_data_events_enabled,
+ control.cloudwatch_alarm_action_enabled,
+ control.elb_application_classic_lb_logging_enabled,
+ control.guardduty_enabled,
+ control.redshift_cluster_encryption_logging_enabled,
+ control.s3_bucket_logging_enabled,
+ control.vpc_flow_logs_enabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ca_7_4" {
+ title = "CA-7(4) Risk Monitoring"
+ description = "Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following: a. Effectiveness monitoring; b. Compliance monitoring; and c. Change monitoring."
+ children = [
+ benchmark.nist_800_53_rev_5_ca_7_4_c
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ca_7_4_c" {
+ title = "CA-7(4)(c)"
+ description = "Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following: (c) Change monitoring."
+ children = [
+ control.elb_application_lb_deletion_protection_enabled,
+ control.rds_db_instance_deletion_protection_enabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ca_9" {
+ title = "Internal System Connections (CA-9)"
+ description = "a. Authorize internal connections of [Assignment: organization-defined system components or classes of components] to the system; b. Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated; c. Terminate internal system connections after [Assignment: organization-defined conditions]; and d. Review [Assignment: organization-defined frequency] the continued need for each internal connection."
+ children = [
+ benchmark.nist_800_53_rev_5_ca_9_b
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ca_9_b" {
+ title = "CA-9(b)"
+ description = "b. Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated;"
+ children = [
+ control.es_domain_node_to_node_encryption_enabled,
+ control.elb_classic_lb_use_tls_https_listeners,
+ control.elb_application_lb_redirect_http_request_to_https,
+ control.apigateway_rest_api_stage_use_ssl_certificate,
+ control.elb_classic_lb_use_ssl_certificate,
+ control.redshift_cluster_encryption_in_transit_enabled,
+ control.s3_bucket_enforces_ssl
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
\ No newline at end of file
diff --git a/nist_800_53_rev_5/cm.sp b/nist_800_53_rev_5/cm.sp
new file mode 100644
index 00000000..f9ab5926
--- /dev/null
+++ b/nist_800_53_rev_5/cm.sp
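Review bot: Titles in this file follow two formats — the family and base controls put the identifier last (`"Control Assessments (CA-2)"`, `"Continuous Monitoring (CA-7)"`) while enhancements and sub-parts put it first (`"CA-2(2) Specialized Assessments"`, `"CA-7(b)"`) — so the rendered tree will not sort or read uniformly; settle on one form such as `title = "CA-7 Continuous Monitoring"` for every block. The CA-7 description is also a paraphrase where every other block quotes the Rev 5 control text, and trailing commas inside `children` vary (`control.cloudwatch_alarm_action_enabled,` before `]` in ca_2_2, none in the other lists). The nist_800_53_rev_5_ca_9_b block maps a documentation requirement ("Document, for each internal connection...") to encryption-in-transit controls; a one-line comment above its `children` stating that these controls evidence TLS enforcement on internal connections rather than the interface documentation itself would stop readers from taking a PASS as proof the documentation exists.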
@@ -0,0 +1,519 @@
+benchmark "nist_800_53_rev_5_cm" {
+ title = "Configuration Management (CM)"
+ description = "CM controls are specific to an organization’s configuration management policies. This includes a baseline configuration to operate as the basis for future builds or changes to information systems. Additionally, this includes information system component inventories and a security impact analysis control."
+ children = [
+ benchmark.nist_800_53_rev_5_cm_2,
+ benchmark.nist_800_53_rev_5_cm_3,
+ benchmark.nist_800_53_rev_5_cm_5,
+ benchmark.nist_800_53_rev_5_cm_6,
+ benchmark.nist_800_53_rev_5_cm_7,
+ benchmark.nist_800_53_rev_5_cm_8
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cm_2" {
+ title = "Baseline Configuration (CM-2)"
+ description = "The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system."
+ children = [
+ benchmark.nist_800_53_rev_5_cm_2_a,
+ benchmark.nist_800_53_rev_5_cm_2_b,
+ benchmark.nist_800_53_rev_5_cm_2_2
+
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cm_2_a" {
+ title = "CM-2(a)"
+ description = "a. Develop, document, and maintain under configuration control, a current baseline configuration of the system;"
+ children = [
+ control.ec2_instance_ssm_managed,
+ control.ssm_managed_instance_compliance_association_compliant,
+ control.ec2_stopped_instance_30_days,
+ control.ebs_volume_unsued,
+ control.elb_application_lb_deletion_protection_enabled,
+ control.vpc_security_group_restrict_ingress_common_ports_all,
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cm_2_b" {
+ title = "CM-2(b)"
+ description = "b. Review and update the baseline configuration of the system: 1. [Assignment: organization-defined frequency]; 2. When required due to [Assignment: organization-defined circumstances]; and 3. When system components are installed or upgraded."
+ children = [
+ control.ec2_instance_ssm_managed,
+ control.ssm_managed_instance_compliance_association_compliant,
+ control.ec2_stopped_instance_30_days,
+ control.ebs_volume_unsued,
+ control.redshift_cluster_maintenance_settings_check,
+ benchmark.nist_800_53_rev_5_cm_2_b_1,
+ benchmark.nist_800_53_rev_5_cm_2_b_2,
+ benchmark.nist_800_53_rev_5_cm_2_b_3
+
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cm_2_b_1" {
+ title = "CM-2(b)(1)"
+ description = "b. Review and update the baseline configuration of the system: 1. [Assignment: organization-defined frequency];"
+ children = [
+ control.ec2_instance_ssm_managed,
+ control.ssm_managed_instance_compliance_association_compliant,
+ control.ec2_stopped_instance_30_days,
+ control.ebs_volume_unsued,
+ control.redshift_cluster_maintenance_settings_check,
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cm_2_b_2" {
+ title = "CM-2(b)(2)"
+ description = "b. Review and update the baseline configuration of the system: 2. When required due to [Assignment: organization-defined circumstances];"
+ children = [
+ control.ec2_instance_ssm_managed,
+ control.ssm_managed_instance_compliance_association_compliant,
+ control.ec2_stopped_instance_30_days,
+ control.ebs_volume_unsued,
+ control.redshift_cluster_maintenance_settings_check,
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cm_2_b_3" {
+ title = "CM-2(b)(3)"
+ description = "b. Review and update the baseline configuration of the system: 3 When system components are installed or upgraded."
+ children = [
+ control.ec2_instance_ssm_managed,
+ control.ssm_managed_instance_compliance_association_compliant,
+ control.ec2_stopped_instance_30_days,
+ control.ebs_volume_unsued,
+ control.redshift_cluster_maintenance_settings_check,
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cm_2_2" {
+ title = "CM-2(2) Automation Support For AccuracyY And Currency"
+ description = "Maintain the currency, completeness, accuracy, and availability of the baseline configuration of the system using [Assignment: organization-defined automated mechanisms]."
+ children = [
+ control.ec2_instance_ssm_managed,
+ control.ssm_managed_instance_compliance_association_compliant,
+ control.ec2_stopped_instance_30_days,
+ control.ebs_volume_unsued,
+ control.elb_application_lb_deletion_protection_enabled,
+ control.vpc_security_group_restrict_ingress_common_ports_all
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cm_3" {
+ title = "Configuration Change Control (CM-3)"
+ description = "The organization authorizes, documents, and controls changes to the information system."
+ children = [
+ benchmark.nist_800_53_rev_5_cm_3_a,
+ benchmark.nist_800_53_rev_5_cm_3_3
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cm_3_a" {
+ title = "CM-3(a)"
+ description = "a. Determine and document the types of changes to the system that are configuration-controlled;"
+ children = [
+ control.elb_application_lb_deletion_protection_enabled,
+ control.rds_db_instance_deletion_protection_enabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cm_3_3" {
+ title = "CM-3(3) Automated Change Implementation"
+ description = "Implement changes to the current system baseline and deploy the updated baseline across the installed base using [Assignment: organization-defined automated mechanisms]."
+ children = [
+ control.ec2_instance_ssm_managed,
+ control.ssm_managed_instance_compliance_association_compliant,
+ control.ec2_stopped_instance_30_days,
+ control.ebs_volume_unsued,
+ control.redshift_cluster_maintenance_settings_check,
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cm_5" {
+ title = "Access Restrictions For Change (CM-5)"
+ description = "Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system."
+ children = [
+ benchmark.nist_800_53_rev_5_cm_5_1
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cm_5_1" {
+ title = "CM-5(1) Automated Access Enforcement And Audit Records"
+ description = "a. Enforce access restrictions using [Assignment: organization-defined automated mechanisms]; and b. Automatically generate audit records of the enforcement actions."
+ children = [
+ benchmark.nist_800_53_rev_5_cm_5_1_a,
+ benchmark.nist_800_53_rev_5_cm_5_1_b
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cm_5_1_a" {
+ title = "CM-5(1)(a)"
+ description = "(a) Enforce access restrictions using [Assignment: organization-defined automated mechanisms];"
+ children = [
+ control.ec2_instance_uses_imdsv2,
+ control.ecs_task_definition_user_for_host_mode_check,
+ control.iam_group_user_role_no_inline_policies,
+ control.iam_all_policy_no_service_wild_card,
+ control.iam_user_access_key_age_90,
+ control.iam_account_password_policy_min_length_14,
+ control.iam_policy_no_star_star,
+ control.iam_root_user_no_access_keys,
+ control.iam_user_in_group,
+ control.iam_user_mfa_enabled,
+ control.iam_user_no_inline_attached_policies,
+ control.iam_user_unused_credentials_90,
+ control.iam_user_console_access_mfa_enabled,
+ control.iam_root_user_hardware_mfa_enabled,
+ control.secretsmanager_secret_automatic_rotation_enabled,
+ control.secretsmanager_secret_rotated_as_scheduled
+
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cm_5_1_b" {
+ title = "CM-5(1)(b)"
+ description = "(b) Automatically generate audit records of the enforcement actions."
+ children = [
+ control.cloudtrail_multi_region_trail_enabled,
+ control.wafv2_web_acl_logging_enabled,
+ control.apigateway_stage_logging_enabled,
+ control.cloudtrail_trail_integrated_with_logs,
+ control.cloudtrail_trail_enabled,
+ control.cloudtrail_s3_data_events_enabled,
+ control.elb_application_classic_lb_logging_enabled,
+ control.rds_db_instance_logging_enabled,
+ control.redshift_cluster_encryption_logging_enabled,
+ control.s3_bucket_logging_enabled,
+ control.vpc_flow_logs_enabled
+
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cm_6" {
+ title = "Configuration Settings (CM-6)"
+ description = "The organization: (i) establishes mandatory configuration settings for information technology products employed within the information system; (ii) configures the security settings of information technology products to the most restrictive mode consistent with operational requirements; (iii) documents the configuration settings; and (iv) enforces the configuration settings in all components of the information system"
+ children = [
+ control.ec2_instance_ssm_managed,
+ control.ssm_managed_instance_compliance_association_compliant
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cm_6_a" {
+ title = "CM-6(a)"
+ description = "a. Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using [Assignment: organization-defined common secure configurations];"
+ children = [
+ control.autoscaling_launch_config_public_ip_disabled,
+ control.kms_cmk_rotation_enabled,
+ control.ec2_ebs_default_encryption_enabled,
+ control.iam_group_user_role_no_inline_policies,
+ control.cloudtrail_multi_region_trail_enabled,
+ control.iam_user_access_key_age_90,
+ control.autoscaling_group_with_lb_use_health_check,
+ control.cloudtrail_trail_integrated_with_logs,
+ control.cloudtrail_trail_logs_encrypted_with_kms_cmk,
+ control.cloudtrail_trail_validation_enabled,
+ control.cloudtrail_s3_data_events_enabled,
+ control.ebs_attached_volume_encryption_enabled,
+ control.iam_account_password_policy_min_length_14,
+ control.iam_policy_no_star_star,
+ control.iam_root_user_no_access_keys,
+ control.iam_user_in_group,
+ control.iam_user_no_inline_attached_policies,
+ control.iam_user_unused_credentials_90,
+ control.iam_user_console_access_mfa_enabled,
+ control.vpc_security_group_restrict_ingress_common_ports_all,
+ control.iam_root_user_hardware_mfa_enabled,
+ control.iam_root_user_mfa_enabled,
+ control.s3_public_access_block_account,
+ control.s3_bucket_logging_enabled,
+ control.s3_bucket_restrict_public_read_access,
+ control.s3_bucket_restrict_public_write_access,
+ control.s3_bucket_cross_region_replication_enabled,
+ control.s3_bucket_default_encryption_enabled,
+ control.s3_bucket_enforces_ssl,
+ control.vpc_default_security_group_restricts_all_traffic,
+ control.vpc_flow_logs_enabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cm_7" {
+ title = "Least Functionality (CM-7)"
+ description = "The organization configures the information system to provide only essential capabilities and prohibits or restricts the use of the functions, ports, protocols, and/or services."
+ children = [
+ benchmark.nist_800_53_rev_5_cm_7_b
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cm_7_b" {
+ title = "CM-7(b)"
+ description = "b. Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: [Assignment: organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services]."
+ children = [
+ control.vpc_security_group_restrict_ingress_common_ports_all,
+ control.vpc_route_table_restrict_public_access_to_igw
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cm_8" {
+ title = "System Component Inventory (CM-8)"
+ description = "The organization develops and documents an inventory of information system components that accurately reflects the current information system, includes all components within the authorization boundary of the information system, is at the level of granularity deemed necessary for tracking and reporting and reviews and updates the information system component inventory."
+ children = [
+ benchmark.nist_800_53_rev_5_cm_8_1,
+ benchmark.nist_800_53_rev_5_cm_8_2,
+ benchmark.nist_800_53_rev_5_cm_8_3,
+ benchmark.nist_800_53_rev_5_cm_8_6,
+ benchmark.nist_800_53_rev_5_cm_8_a,
+ benchmark.nist_800_53_rev_5_cm_8_b
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cm_8_a" {
+ title = "CM-8(a)"
+ description = "a. Develop and document an inventory of system components that: 1. Accurately reflects the system; 2. Includes all components within the system; 3. Does not include duplicate accounting of components or components assigned to any other system; 4. Is at the level of granularity deemed necessary for tracking and reporting; and 5. Includes the following information to achieve system component accountability: [Assignment: organization-defined information deemed necessary to achieve effective system component accountability];"
+ children = [
+ control.ec2_instance_ssm_managed,
+ control.ssm_managed_instance_compliance_association_compliant,
+ benchmark.nist_800_53_rev_5_cm_8_a_1,
+ benchmark.nist_800_53_rev_5_cm_8_a_2,
+ benchmark.nist_800_53_rev_5_cm_8_a_3,
+ benchmark.nist_800_53_rev_5_cm_8_a_4,
+ benchmark.nist_800_53_rev_5_cm_8_a_5
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cm_8_a_1" {
+ title = "CM-8(a)(1)"
+ description = "a. Develop and document an inventory of system components that: 1. Accurately reflects the system;"
+ children = [
+ control.ec2_instance_ssm_managed,
+ control.ssm_managed_instance_compliance_association_compliant,
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cm_8_a_2" {
+ title = "CM-8(a)(2)"
+ description = "a. Develop and document an inventory of system components that: 2. Includes all components within the system;"
+ children = [
+ control.ec2_instance_ssm_managed,
+ control.ssm_managed_instance_compliance_association_compliant,
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cm_8_a_3" {
+ title = "CM-8(a)(3)"
+ description = "a. Develop and document an inventory of system components that: 3. Does not include duplicate accounting of components or components assigned to any other system;"
+ children = [
+ control.ec2_instance_ssm_managed,
+ control.ssm_managed_instance_compliance_association_compliant,
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cm_8_a_4" {
+ title = "CM-8(a)(4)"
+ description = "a. Develop and document an inventory of system components that: 4. Is at the level of granularity deemed necessary for tracking and reporting;"
+ children = [
+ control.ec2_instance_ssm_managed,
+ control.ssm_managed_instance_compliance_association_compliant,
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cm_8_a_5" {
+ title = "CM-8(a)(5)"
+ description = "a. Develop and document an inventory of system components that: 5. Includes the following information to achieve system component accountability: [Assignment: organization-defined information deemed necessary to achieve effective system component accountability];"
+ children = [
+ control.ec2_instance_ssm_managed,
+ control.ssm_managed_instance_compliance_association_compliant,
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cm_8_b" {
+ title = "CM-8(b)"
+ description = "b. Review and update the system component inventory [Assignment: organization-defined frequency]."
+ children = [
+ control.ec2_instance_ssm_managed,
+ control.ssm_managed_instance_compliance_association_compliant
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cm_8_1" {
+ title = "CM-8(1) Updates During Installation And Removals"
+ description = "Update the inventory of system components as part of component installations, removals, and system updates."
+ children = [
+ control.ec2_instance_ssm_managed,
+ control.ssm_managed_instance_compliance_association_compliant
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cm_8_2" {
+ title = "CM-8(2) Automated Maintenance"
+ description = "Maintain the currency, completeness, accuracy, and availability of the inventory of system components using [Assignment: organization-defined automated mechanisms]."
+ children = [
+ control.ec2_instance_ssm_managed
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cm_8_3" {
+ title = "CM-8(3) Automated Unauthorized Component Detection"
+ description = "The organization: Employs automated mechanisms [Assignment: organization-defined frequency] to detect the presence of unauthorized hardware, software, and firmware components within the information system; and Takes the following actions when unauthorized components are detected: [Selection (one or more): disables network access by such components; isolates the components; notifies [Assignment: organization-defined personnel or roles]]."
+ children = [
+ benchmark.nist_800_53_rev_5_cm_8_3_a
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cm_8_3_a" {
+ title = "CM-8(3)(a)"
+ description = "(a) Detect the presence of unauthorized hardware, software, and firmware components within the system using [Assignment: organization-defined automated mechanisms] [Assignment: organization-defined frequency];"
+ children = [
+ control.ec2_instance_ssm_managed,
+ control.ssm_managed_instance_compliance_association_compliant,
+ control.ssm_managed_instance_compliance_patch_compliant,
+ control.guardduty_enabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cm_8_6" {
+ title = "CM-8(6) Assessed Configurations And Approved Deviations"
+ description = "Include assessed component configurations and any approved deviations to current deployed configurations in the system component inventory."
+ children = [
+ control.ec2_instance_ssm_managed,
+ control.ssm_managed_instance_compliance_association_compliant,
+ control.ec2_stopped_instance_30_days,
+ control.ebs_volume_unsued,
+ control.elb_application_lb_deletion_protection_enabled,
+ control.vpc_security_group_restrict_ingress_common_ports_all
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cm_9" {
+ title = "Configuration Management Plan (CM-9)"
+ description = "Develop, document, and implement a configuration management plan for the system that: a. Addresses roles, responsibilities, and configuration management processes and procedures; b. Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items; c. Defines the configuration items for the system and places the configuration items under configuration management; d. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; and e. Protects the configuration management plan from unauthorized disclosure and modification."
+ children = [
+ benchmark.nist_800_53_rev_5_cm_9_b
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cm_9_b" {
+ title = "CM-9(b)"
+ description = "Develop, document, and implement a configuration management plan for the system that: b. Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items;"
+ children = [
+ control.kms_cmk_rotation_enabled,
+ control.ec2_ebs_default_encryption_enabled,
+ control.iam_group_user_role_no_inline_policies,
+ control.vpc_security_group_restrict_ingress_ssh_all,
+ control.cloudtrail_multi_region_trail_enabled,
+ control.iam_user_access_key_age_90,
+ control.autoscaling_group_with_lb_use_health_check,
+ control.cloudtrail_trail_integrated_with_logs,
+ control.cloudtrail_trail_logs_encrypted_with_kms_cmk,
+ control.cloudtrail_trail_validation_enabled,
+ control.cloudtrail_s3_data_events_enabled,
+ control.ebs_attached_volume_encryption_enabled,
+ control.iam_account_password_policy_min_length_14,
+ control.iam_policy_no_star_star,
+ control.iam_root_user_no_access_keys,
+ control.iam_user_in_group,
+ control.iam_user_no_inline_attached_policies,
+ control.iam_user_unused_credentials_90,
+ control.iam_user_console_access_mfa_enabled,
+ control.vpc_security_group_restrict_ingress_common_ports_all,
+ control.iam_root_user_hardware_mfa_enabled,
+ control.iam_root_user_mfa_enabled,
+ control.s3_public_access_block_account,
+ control.s3_bucket_logging_enabled,
+ control.s3_bucket_restrict_public_read_access,
+ control.s3_bucket_restrict_public_write_access,
+ control.s3_bucket_cross_region_replication_enabled,
+ control.s3_bucket_default_encryption_enabled,
+ control.s3_bucket_enforces_ssl,
+ control.vpc_default_security_group_restricts_all_traffic,
+ control.vpc_flow_logs_enabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cm_12" {
+ title = "Information Location (CM-12)"
+ description = "a. Identify and document the location of [Assignment: organization-defined information] and the specific system components on which the information is processed and stored; b. Identify and document the users who have access to the system and system components where the information is processed and stored; and c. Document changes to the location (i.e., system or system components) where the information is processed and stored."
+ children = [
+ benchmark.nist_800_53_rev_5_cm_12_b
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cm_12_b" {
+ title = "CM-12(b)"
+ description = "b. Identify and document the users who have access to the system and system components where the information is processed and stored;"
+ children = [
+ control.iam_account_password_policy_min_length_14
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
\ No newline at end of file
diff --git a/nist_800_53_rev_5/sc.sp b/nist_800_53_rev_5/sc.sp
new file mode 100644
index 00000000..5ab0df1f
--- /dev/null
+++ b/nist_800_53_rev_5/sc.sp
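Review bot: `nist_800_53_rev_5_cm_6_a`, `nist_800_53_rev_5_cm_9` and `nist_800_53_rev_5_cm_12` are defined but no parent lists them — the family block `nist_800_53_rev_5_cm` stops at `benchmark.nist_800_53_rev_5_cm_8` and `nist_800_53_rev_5_cm_6` has only two controls as children — so those mappings are unreachable from the tree and never appear in the report. Add `benchmark.nist_800_53_rev_5_cm_6_a` to cm_6's children and `benchmark.nist_800_53_rev_5_cm_9,` / `benchmark.nist_800_53_rev_5_cm_12` to the family list, or drop the orphaned blocks if they are intentionally held back. Two spellings in the same hunk also need a look: the title `"CM-2(2) Automation Support For AccuracyY And Currency"` has a doubled letter, and `control.ebs_volume_unsued` (referenced in cm_2_a, cm_2_b, cm_2_b_1, cm_2_b_2, cm_2_b_3, cm_2_2, cm_3_3 and cm_8_6) reads like a typo for "unused" — if no control with that exact name exists, the reference will not resolve and the mod would likely fail to load, so check it against the control definition. The `nist_800_53_rev_5_cm_12_b` mapping is weak evidence for its requirement: a minimum password length says nothing about which users have access to the system, whereas controls already used in this file such as `control.iam_user_in_group` and `control.iam_user_unused_credentials_90` speak directly to who holds access.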
@@ -0,0 +1,1168 @@
+benchmark "nist_800_53_rev_5_sc" {
+ title = "System and Communications Protection (SC)"
+ description = "The SC control family is responsible for systems and communications protection procedures. This includes boundary protection, protection of information at rest, collaborative computing devices, cryptographic protection, denial of service protection, and many others."
+ children = [
+ benchmark.nist_800_53_rev_5_sc_5,
+ benchmark.nist_800_53_rev_5_sc_7,
+ benchmark.nist_800_53_rev_5_sc_8,
+ benchmark.nist_800_53_rev_5_sc_12,
+ benchmark.nist_800_53_rev_5_sc_13,
+ benchmark.nist_800_53_rev_5_sc_16,
+ benchmark.nist_800_53_rev_5_sc_22,
+ benchmark.nist_800_53_rev_5_sc_23,
+ benchmark.nist_800_53_rev_5_sc_25,
+ benchmark.nist_800_53_rev_5_sc_28,
+ benchmark.nist_800_53_rev_5_sc_36,
+ benchmark.nist_800_53_rev_5_sc_43
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_sc_5" {
+ title = "Denial Of Service Protection (SC-5)"
+ description = "The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined types of denial of service attacks or reference to source for such information] by employing [Assignment: organization-defined security safeguards]."
+ children = [
+ benchmark.nist_800_53_rev_5_sc_5_a,
+ benchmark.nist_800_53_rev_5_sc_5_b,
+ benchmark.nist_800_53_rev_5_sc_5_1,
+ benchmark.nist_800_53_rev_5_sc_5_2,
+ benchmark.nist_800_53_rev_5_sc_5_3
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_sc_5_a" {
+ title = "SC-5(a)"
+ description = "a. [Selection: Protect against; Limit] the effects of the following types of denial-of-service events: [Assignment: organization-defined types of denial-of-service events];"
+ children = [
+ control.guardduty_enabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_sc_5_b" {
+ title = "SC-5(b)"
+ description = "b. 
Employ the following controls to achieve the denial-of-service objective: [Assignment: organization-defined controls by type of denial-of-service event]."
+ children = [
+ control.guardduty_enabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_sc_5_1" {
+ title = "SC-5(1) Restrict Ability TO Attack Other Systems"
+ description = "Restrict the ability of individuals to launch the following denial-of-service attacks against other systems: [Assignment: organization-defined denial-of-service attacks]."
+ children = [
+ control.guardduty_enabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_sc_5_2" {
+ title = "SC-5(2) Capacity, Bandwidth, And Redundancy"
+ description = "Manage capacity, bandwidth, or other redundancy to limit the effects of information flooding denial-of-service attacks."
+ children = [
+ control.dynamodb_table_in_backup_plan,
+ control.ebs_volume_in_backup_plan,
+ control.efs_file_system_in_backup_plan,
+ control.elb_classic_lb_cross_zone_load_balancing_enabled,
+ control.rds_db_instance_deletion_protection_enabled,
+ control.rds_db_instance_protected_by_backup_plan,
+ control.redshift_cluster_automatic_snapshots_min_7_days,
+ control.rds_db_instance_backup_enabled,
+ control.dynamodb_table_auto_scaling_enabled,
+ control.dynamodb_table_point_in_time_recovery_enabled,
+ control.ec2_instance_ebs_optimized,
+ control.elasticache_redis_cluster_automatic_backup_retention_15_days,
+ control.elb_application_lb_deletion_protection_enabled,
+ control.rds_db_instance_multiple_az_enabled,
+ control.redshift_cluster_maintenance_settings_check,
+ control.s3_bucket_cross_region_replication_enabled,
+ control.s3_bucket_versioning_enabled,
+ control.vpc_vpn_tunnel_up
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_sc_5_3" {
+ title = "SC-5(3) Detection And Monitoring"
+ description = "a. 
Employ the following monitoring tools to detect indicators of denial-of-service attacks against, or launched from, the system: [Assignment: organization-defined monitoring tools]; and b. Monitor the following system resources to determine if sufficient resources exist to prevent effective denial-of-service attacks: [Assignment: organization-defined system resources]."
+ children = [
+ benchmark.nist_800_53_rev_5_sc_5_3_a,
+ benchmark.nist_800_53_rev_5_sc_5_3_b
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_sc_5_3_a" {
+ title = "SC-5(3)(a)"
+ description = "(a) Employ the following monitoring tools to detect indicators of denial-of-service attacks against, or launched from, the system: [Assignment: organization-defined monitoring tools];"
+ children = [
+ control.guardduty_enabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_sc_5_3_b" {
+ title = "SC-5(3)(b)"
+ description = "(b) Monitor the following system resources to determine if sufficient resources exist to prevent effective denial-of-service attacks: [Assignment: organization-defined system resources]."
+ children = [
+ control.guardduty_enabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_sc_6" {
+ title = "Resource Availability (SC-6)"
+ description = "Protect the availability of resources by allocating [Assignment: organization-defined resources] by [Selection (one or more): priority; quota; [Assignment: organization-defined controls]]."
+ children = [
+ control.elb_classic_lb_cross_zone_load_balancing_enabled,
+ control.lambda_function_concurrent_execution_limit_configured,
+ control.autoscaling_group_with_lb_use_health_check,
+ control.elastic_beanstalk_enhanced_health_reporting_enabled,
+ control.dynamodb_table_auto_scaling_enabled,
+ control.rds_db_instance_multiple_az_enabled,
+ control.vpc_vpn_tunnel_up
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_sc_7" {
+ title = "Boundary Protection (SC-7)"
+ description = "The information system: a. Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; b. Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and c. Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture."
+ children = [
+ benchmark.nist_800_53_rev_5_sc_7_a,
+ benchmark.nist_800_53_rev_5_sc_7_b,
+ benchmark.nist_800_53_rev_5_sc_7_c,
+ benchmark.nist_800_53_rev_5_sc_7_2,
+ benchmark.nist_800_53_rev_5_sc_7_3,
+ benchmark.nist_800_53_rev_5_sc_7_5,
+ benchmark.nist_800_53_rev_5_sc_7_7,
+ benchmark.nist_800_53_rev_5_sc_7_9,
+ benchmark.nist_800_53_rev_5_sc_7_11,
+ benchmark.nist_800_53_rev_5_sc_7_12,
+ benchmark.nist_800_53_rev_5_sc_7_16,
+ benchmark.nist_800_53_rev_5_sc_7_20,
+ benchmark.nist_800_53_rev_5_sc_7_21,
+ benchmark.nist_800_53_rev_5_sc_7_24,
+ benchmark.nist_800_53_rev_5_sc_7_25,
+ benchmark.nist_800_53_rev_5_sc_7_26,
+ benchmark.nist_800_53_rev_5_sc_7_27,
+ benchmark.nist_800_53_rev_5_sc_7_28
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_sc_7_a" {
+ title = "SC-7(a)"
+ description = "a. 
Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system;"
+ children = [
+ control.vpc_security_group_restrict_ingress_ssh_all,
+ control.ec2_instance_in_vpc,
+ control.dms_replication_instance_not_publicly_accessible,
+ control.ebs_snapshot_not_publicly_restorable,
+ control.ec2_instance_not_publicly_accessible,
+ control.es_domain_in_vpc,
+ control.emr_cluster_master_nodes_no_public_ip,
+ control.lambda_function_restrict_public_access,
+ control.lambda_function_in_vpc,
+ control.rds_db_instance_prohibit_public_access,
+ control.rds_db_snapshot_prohibit_public_access,
+ control.redshift_cluster_prohibit_public_access,
+ control.vpc_security_group_restrict_ingress_common_ports_all,
+ control.s3_public_access_block_account,
+ control.s3_public_access_block_bucket,
+ control.s3_bucket_restrict_public_read_access,
+ control.s3_bucket_restrict_public_write_access,
+ control.sagemaker_notebook_instance_direct_internet_access_disabled,
+ control.vpc_subnet_auto_assign_public_ip_disabled,
+ control.vpc_default_security_group_restricts_all_traffic,
+ control.vpc_security_group_restrict_ingress_tcp_udp_all,
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_sc_7_b" {
+ title = "SC-7(b)"
+ description = "b. 
Implement subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks;"
+ children = [
+ control.ec2_instance_in_vpc,
+ control.dms_replication_instance_not_publicly_accessible,
+ control.ebs_snapshot_not_publicly_restorable,
+ control.ec2_instance_not_publicly_accessible,
+ control.es_domain_in_vpc,
+ control.emr_cluster_master_nodes_no_public_ip,
+ control.lambda_function_restrict_public_access,
+ control.lambda_function_in_vpc,
+ control.rds_db_instance_prohibit_public_access,
+ control.rds_db_snapshot_prohibit_public_access,
+ control.redshift_cluster_prohibit_public_access,
+ control.s3_public_access_block_account,
+ control.s3_public_access_block_bucket,
+ control.s3_bucket_restrict_public_read_access,
+ control.s3_bucket_restrict_public_write_access,
+ control.sagemaker_notebook_instance_direct_internet_access_disabled,
+ control.vpc_subnet_auto_assign_public_ip_disabled,
+
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_sc_7_c" {
+ title = "SC-7(c)"
+ description = "c. Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture."
+ children = [
+ control.vpc_security_group_restrict_ingress_ssh_all,
+ control.ec2_instance_in_vpc,
+ control.dms_replication_instance_not_publicly_accessible,
+ control.ebs_snapshot_not_publicly_restorable,
+ control.ec2_instance_not_publicly_accessible,
+ control.es_domain_in_vpc,
+ control.emr_cluster_master_nodes_no_public_ip,
+ control.lambda_function_restrict_public_access,
+ control.lambda_function_in_vpc,
+ control.rds_db_instance_prohibit_public_access,
+ control.rds_db_snapshot_prohibit_public_access,
+ control.redshift_cluster_prohibit_public_access,
+ control.vpc_security_group_restrict_ingress_common_ports_all,
+ control.s3_public_access_block_account,
+ control.s3_public_access_block_bucket,
+ control.s3_bucket_restrict_public_read_access,
+ control.s3_bucket_restrict_public_write_access,
+ control.sagemaker_notebook_instance_direct_internet_access_disabled,
+ control.vpc_subnet_auto_assign_public_ip_disabled,
+ control.vpc_default_security_group_restricts_all_traffic,
+ control.vpc_security_group_restrict_ingress_tcp_udp_all,
+
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_sc_7_2" {
+ title = "SC-7(2) Public Access"
+ description = "Provide the capability to dynamically isolate [Assignment: organization-defined system components] from other system components."
+ children = [
+ control.ec2_instance_in_vpc,
+ control.dms_replication_instance_not_publicly_accessible,
+ control.ebs_snapshot_not_publicly_restorable,
+ control.ec2_instance_not_publicly_accessible,
+ control.es_domain_in_vpc,
+ control.emr_cluster_master_nodes_no_public_ip,
+ control.lambda_function_restrict_public_access,
+ control.lambda_function_in_vpc,
+ control.rds_db_instance_prohibit_public_access,
+ control.rds_db_snapshot_prohibit_public_access,
+ control.redshift_cluster_prohibit_public_access,
+ control.s3_public_access_block_account,
+ control.s3_public_access_block_bucket,
+ control.s3_bucket_restrict_public_read_access,
+ control.s3_bucket_restrict_public_write_access,
+ control.sagemaker_notebook_instance_direct_internet_access_disabled,
+ control.vpc_subnet_auto_assign_public_ip_disabled,
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_sc_7_3" {
+ title = "SC-7(3) Access Points"
+ description = "Limit the number of external network connections to the system."
+ children = [
+ control.autoscaling_launch_config_public_ip_disabled,
+ control.ec2_instance_in_vpc,
+ control.dms_replication_instance_not_publicly_accessible,
+ control.ebs_snapshot_not_publicly_restorable,
+ control.ec2_instance_not_publicly_accessible,
+ control.es_domain_in_vpc,
+ control.emr_cluster_master_nodes_no_public_ip,
+ control.lambda_function_restrict_public_access,
+ control.lambda_function_in_vpc,
+ control.rds_db_instance_prohibit_public_access,
+ control.rds_db_snapshot_prohibit_public_access,
+ control.redshift_cluster_prohibit_public_access,
+ control.s3_bucket_restrict_public_read_access,
+ control.s3_bucket_restrict_public_write_access,
+ control.s3_public_access_block_account,
+ control.s3_public_access_block_bucket,
+ control.sagemaker_notebook_instance_direct_internet_access_disabled,
+ control.vpc_subnet_auto_assign_public_ip_disabled,
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_sc_7_4" {
+ title = "SC-7(4) External Telecommunications Services"
+ description = "a. Implement a managed interface for each external telecommunication service; b. Establish a traffic flow policy for each managed interface; c. Protect the confidentiality and integrity of the information being transmitted across each interface; d. Document each exception to the traffic flow policy with a supporting mission or business need and duration of that need; e. Review exceptions to the traffic flow policy [Assignment: organization-defined frequency] and remove exceptions that are no longer supported by an explicit mission or business need; f. Prevent unauthorized exchange of control plane traffic with external networks; g. Publish information to enable remote networks to detect unauthorized control plane traffic from internal networks; and h. Filter unauthorized control plane traffic from external networks."
+ children = [
+ benchmark.nist_800_53_rev_5_sc_7_4_b,
+ benchmark.nist_800_53_rev_5_sc_7_4_g
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_sc_7_4_b" {
+ title = "SC-7(4)(b)"
+ description = "(b) Establish a traffic flow policy for each managed interface;"
+ children = [
+ control.es_domain_node_to_node_encryption_enabled,
+ control.elb_classic_lb_use_tls_https_listeners,
+ control.elb_application_lb_redirect_http_request_to_https,
+ control.apigateway_rest_api_stage_use_ssl_certificate,
+ control.elb_classic_lb_use_ssl_certificate,
+ control.redshift_cluster_encryption_in_transit_enabled,
+ control.s3_bucket_enforces_ssl
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_sc_7_4_g" {
+ title = "SC-7(4)(g)"
+ description = "(g) Publish information to enable remote networks to detect unauthorized control plane traffic from internal networks;"
+ children = [
+ control.es_domain_node_to_node_encryption_enabled,
+ control.elb_classic_lb_use_tls_https_listeners,
+ control.elb_application_lb_redirect_http_request_to_https,
+ control.apigateway_rest_api_stage_use_ssl_certificate,
+ control.elb_classic_lb_use_ssl_certificate,
+ control.redshift_cluster_encryption_in_transit_enabled,
+ control.s3_bucket_enforces_ssl
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_sc_7_5" {
+ title = "SC-7(5) Deny By Default — Allow By Exception"
+ description = "Deny network communications traffic by default and allow network communications traffic by exception [Selection (one or more): at managed interfaces; for [Assignment: organization-defined systems]]."
+ children = [
+ control.vpc_security_group_restrict_ingress_common_ports_all,
+ control.vpc_default_security_group_restricts_all_traffic,
+ control.vpc_security_group_restrict_ingress_tcp_udp_all,
+ control.apigateway_rest_api_stage_use_ssl_certificate,
+ control.elb_classic_lb_use_ssl_certificate,
+ control.redshift_cluster_encryption_in_transit_enabled,
+ control.s3_bucket_enforces_ssl
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_sc_7_7" {
+ title = "SC-7(7) Split Tunneling For Remote Devices"
+ description = "Prevent split tunneling for remote devices connecting to organizational systems unless the split tunnel is securely provisioned using [Assignment: organization-defined safeguards]."
+ children = [
+ control.vpc_security_group_restrict_ingress_ssh_all,
+ control.dms_replication_instance_not_publicly_accessible,
+ control.ebs_snapshot_not_publicly_restorable,
+ control.ec2_instance_not_publicly_accessible,
+ control.emr_cluster_master_nodes_no_public_ip,
+ control.lambda_function_restrict_public_access,
+ control.rds_db_instance_prohibit_public_access,
+ control.rds_db_snapshot_prohibit_public_access,
+ control.redshift_cluster_prohibit_public_access,
+ control.vpc_security_group_restrict_ingress_common_ports_all,
+ control.s3_bucket_restrict_public_read_access,
+ control.s3_bucket_restrict_public_write_access,
+ control.s3_public_access_block_account,
+ control.s3_public_access_block_bucket,
+ control.sagemaker_notebook_instance_direct_internet_access_disabled,
+ control.vpc_subnet_auto_assign_public_ip_disabled,
+ control.vpc_default_security_group_restricts_all_traffic,
+ control.vpc_security_group_restrict_ingress_tcp_udp_all,
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_sc_7_9" {
+ title = "SC-7(9) Restrict Threatening Outgoing Communications Traffic"
+ description = "a. Detect and deny outgoing communications traffic posing a threat to external systems; and b. 
Audit the identity of internal users associated with denied communications."
+ children = [
+ benchmark.nist_800_53_rev_5_sc_7_9_a,
+ benchmark.nist_800_53_rev_5_sc_7_9_b
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_sc_7_9_a" {
+ title = "SC-7(9)(a)"
+ description = "(a) Detect and deny outgoing communications traffic posing a threat to external systems;"
+ children = [
+ control.ec2_instance_in_vpc,
+ control.dms_replication_instance_not_publicly_accessible,
+ control.ebs_snapshot_not_publicly_restorable,
+ control.ec2_instance_not_publicly_accessible,
+ control.es_domain_in_vpc,
+ control.emr_cluster_master_nodes_no_public_ip,
+ control.lambda_function_restrict_public_access,
+ control.lambda_function_in_vpc,
+ control.rds_db_instance_prohibit_public_access,
+ control.rds_db_snapshot_prohibit_public_access,
+ control.redshift_cluster_prohibit_public_access,
+ control.s3_bucket_restrict_public_read_access,
+ control.s3_bucket_restrict_public_write_access,
+ control.s3_public_access_block_account,
+ control.s3_public_access_block_bucket,
+ control.sagemaker_notebook_instance_direct_internet_access_disabled,
+ control.vpc_subnet_auto_assign_public_ip_disabled,
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_sc_7_9_b" {
+ title = "SC-7(9)(b)"
+ description = "(b) Audit the identity of internal users associated with denied communications."
+ children = [
+ control.cloudtrail_multi_region_trail_enabled,
+ control.wafv2_web_acl_logging_enabled,
+ control.apigateway_stage_logging_enabled,
+ control.cloudtrail_trail_integrated_with_logs,
+ control.cloudtrail_trail_enabled,
+ control.cloudtrail_s3_data_events_enabled,
+ control.elb_application_classic_lb_logging_enabled,
+ control.rds_db_instance_logging_enabled,
+ control.redshift_cluster_encryption_logging_enabled,
+ control.s3_bucket_logging_enabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_sc_7_11" {
+ title = "SC-7(11) Restrict Incoming communications Traffic"
+ description = "Only allow incoming communications from [Assignment: organization-defined authorized sources] to be routed to [Assignment: organization-defined authorized destinations]."
+ children = [
+ control.vpc_security_group_restrict_ingress_ssh_all,
+ control.ec2_instance_in_vpc,
+ control.dms_replication_instance_not_publicly_accessible,
+ control.ebs_snapshot_not_publicly_restorable,
+ control.ec2_instance_not_publicly_accessible,
+ control.es_domain_in_vpc,
+ control.emr_cluster_master_nodes_no_public_ip,
+ control.lambda_function_restrict_public_access,
+ control.lambda_function_in_vpc,
+ control.rds_db_instance_prohibit_public_access,
+ control.rds_db_snapshot_prohibit_public_access,
+ control.redshift_cluster_prohibit_public_access,
+ control.vpc_security_group_restrict_ingress_common_ports_all,
+ control.s3_bucket_restrict_public_read_access,
+ control.s3_bucket_restrict_public_write_access,
+ control.s3_public_access_block_account,
+ control.s3_public_access_block_bucket,
+ control.sagemaker_notebook_instance_direct_internet_access_disabled,
+ control.vpc_subnet_auto_assign_public_ip_disabled,
+ control.vpc_default_security_group_restricts_all_traffic,
+ control.vpc_security_group_restrict_ingress_tcp_udp_all,
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_sc_7_12" {
+ title = "SC-7(12) Host-Based 
Protection"
+ description = "Implement [Assignment: organization-defined host-based boundary protection mechanisms] at [Assignment: organization-defined system components]."
+ children = [
+ control.vpc_security_group_restrict_ingress_ssh_all,
+ control.ec2_instance_in_vpc,
+ control.acm_certificate_expires_30_days,
+ control.dms_replication_instance_not_publicly_accessible,
+ control.ebs_snapshot_not_publicly_restorable,
+ control.ec2_instance_not_publicly_accessible,
+ control.es_domain_in_vpc,
+ control.emr_cluster_master_nodes_no_public_ip,
+ control.lambda_function_restrict_public_access,
+ control.lambda_function_in_vpc,
+ control.rds_db_instance_prohibit_public_access,
+ control.rds_db_snapshot_prohibit_public_access,
+ control.redshift_cluster_prohibit_public_access,
+ control.vpc_security_group_restrict_ingress_common_ports_all,
+ control.s3_bucket_restrict_public_read_access,
+ control.s3_bucket_restrict_public_write_access,
+ control.s3_public_access_block_account,
+ control.sagemaker_notebook_instance_direct_internet_access_disabled,
+ control.vpc_subnet_auto_assign_public_ip_disabled,
+ control.vpc_default_security_group_restricts_all_traffic,
+ control.vpc_security_group_restrict_ingress_tcp_udp_all,
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_sc_7_16" {
+ title = "SC-7(16) Prevent Discovery Of System Components"
+ description = "Prevent the discovery of specific system components that represent a managed interface."
+ children = [
+ control.vpc_security_group_restrict_ingress_ssh_all,
+ control.ec2_instance_in_vpc,
+ control.acm_certificate_expires_30_days,
+ control.dms_replication_instance_not_publicly_accessible,
+ control.ebs_snapshot_not_publicly_restorable,
+ control.ec2_instance_not_publicly_accessible,
+ control.es_domain_in_vpc,
+ control.emr_cluster_master_nodes_no_public_ip,
+ control.lambda_function_restrict_public_access,
+ control.lambda_function_in_vpc,
+ control.rds_db_instance_prohibit_public_access,
+ control.rds_db_snapshot_prohibit_public_access,
+ control.redshift_cluster_prohibit_public_access,
+ control.vpc_security_group_restrict_ingress_common_ports_all,
+ control.s3_bucket_restrict_public_read_access,
+ control.s3_bucket_restrict_public_write_access,
+ control.s3_public_access_block_account,
+ control.sagemaker_notebook_instance_direct_internet_access_disabled,
+ control.vpc_subnet_auto_assign_public_ip_disabled,
+ control.vpc_default_security_group_restricts_all_traffic,
+ control.vpc_security_group_restrict_ingress_tcp_udp_all,
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_sc_7_20" {
+ title = "SC-7(20) Prevent Discovery Of System Components"
+ description = "Prevent the discovery of specific system components that represent a managed interface."
+ children = [
+ control.ec2_instance_in_vpc,
+ control.dms_replication_instance_not_publicly_accessible,
+ control.ebs_snapshot_not_publicly_restorable,
+ control.ec2_instance_not_publicly_accessible,
+ control.es_domain_in_vpc,
+ control.emr_cluster_master_nodes_no_public_ip,
+ control.lambda_function_restrict_public_access,
+ control.lambda_function_in_vpc,
+ control.rds_db_instance_prohibit_public_access,
+ control.rds_db_snapshot_prohibit_public_access,
+ control.redshift_cluster_prohibit_public_access,
+ control.s3_public_access_block_account,
+ control.s3_public_access_block_bucket,
+ control.s3_bucket_restrict_public_read_access,
+ control.s3_bucket_restrict_public_write_access,
+ control.sagemaker_notebook_instance_direct_internet_access_disabled,
+ control.vpc_subnet_auto_assign_public_ip_disabled,
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_sc_7_21" {
+ title = "SC-7(21) Isolation Of System Components"
+ description = "Employ boundary protection mechanisms to isolate [Assignment: organization-defined system components] supporting [Assignment: organization-defined missions and/or business functions]."
+ children = [
+ control.vpc_security_group_restrict_ingress_ssh_all,
+ control.ec2_instance_in_vpc,
+ control.dms_replication_instance_not_publicly_accessible,
+ control.ebs_snapshot_not_publicly_restorable,
+ control.ec2_instance_not_publicly_accessible,
+ control.es_domain_in_vpc,
+ control.emr_cluster_master_nodes_no_public_ip,
+ control.lambda_function_in_vpc,
+ control.lambda_function_restrict_public_access,
+ control.rds_db_instance_prohibit_public_access,
+ control.rds_db_snapshot_prohibit_public_access,
+ control.redshift_cluster_prohibit_public_access,
+ control.vpc_security_group_restrict_ingress_common_ports_all,
+ control.s3_public_access_block_account,
+ control.s3_public_access_block_bucket,
+ control.s3_bucket_restrict_public_read_access,
+ control.s3_bucket_restrict_public_write_access,
+ control.sagemaker_notebook_instance_direct_internet_access_disabled,
+ control.vpc_subnet_auto_assign_public_ip_disabled,
+ control.vpc_default_security_group_restricts_all_traffic,
+ control.vpc_security_group_restrict_ingress_tcp_udp_all,
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_sc_7_24" {
+ title = "SC-7(24) Personally Identifiable Information"
+ description = "For systems that process personally identifiable information: a. Apply the following processing rules to data elements of personally identifiable information: [Assignment: organization-defined processing rules];b. Monitor for permitted processing at the external interfaces to the system and at key internal boundaries within the system; c. Document each processing exception; and d. Review and remove exceptions that are no longer supported."
+ children = [
+ benchmark.nist_800_53_rev_5_sc_7_24_b
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_sc_7_24_b" {
+ title = "SC-7(24)(b)"
+ description = "For systems that process personally identifiable information: (b) Monitor for permitted processing at the external interfaces to the system and at key internal boundaries within the system;"
+ children = [
+ control.vpc_security_group_restrict_ingress_ssh_all,
+ control.ec2_instance_in_vpc,
+ control.dms_replication_instance_not_publicly_accessible,
+ control.ebs_snapshot_not_publicly_restorable,
+ control.ec2_instance_not_publicly_accessible,
+ control.es_domain_in_vpc,
+ control.emr_cluster_master_nodes_no_public_ip,
+ control.lambda_function_in_vpc,
+ control.lambda_function_restrict_public_access,
+ control.rds_db_instance_prohibit_public_access,
+ control.rds_db_snapshot_prohibit_public_access,
+ control.redshift_cluster_prohibit_public_access,
+ control.vpc_security_group_restrict_ingress_common_ports_all,
+ control.s3_public_access_block_account,
+ control.s3_public_access_block_bucket,
+ control.s3_bucket_restrict_public_read_access,
+ control.s3_bucket_restrict_public_write_access,
+ control.sagemaker_notebook_instance_direct_internet_access_disabled,
+ control.vpc_subnet_auto_assign_public_ip_disabled,
+ control.vpc_default_security_group_restricts_all_traffic,
+ control.vpc_security_group_restrict_ingress_tcp_udp_all,
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_sc_7_25" {
+ title = "SC-7(25) Unclassified National Security System Connections"
+ description = "Prohibit the direct connection of [Assignment: organization-defined unclassified national security system] to an external network without the use of [Assignment: organization-defined boundary protection device]."
+ children = [
+ control.vpc_security_group_restrict_ingress_ssh_all,
+ control.dms_replication_instance_not_publicly_accessible,
+ control.ebs_snapshot_not_publicly_restorable,
+ control.ec2_instance_not_publicly_accessible,
+ control.emr_cluster_master_nodes_no_public_ip,
+ control.lambda_function_restrict_public_access,
+ control.rds_db_instance_prohibit_public_access,
+ control.rds_db_snapshot_prohibit_public_access,
+ control.redshift_cluster_prohibit_public_access,
+ control.vpc_security_group_restrict_ingress_common_ports_all,
+ control.s3_public_access_block_account,
+ control.s3_public_access_block_bucket,
+ control.s3_bucket_restrict_public_read_access,
+ control.s3_bucket_restrict_public_write_access,
+ control.sagemaker_notebook_instance_direct_internet_access_disabled,
+ control.vpc_subnet_auto_assign_public_ip_disabled,
+ control.vpc_default_security_group_restricts_all_traffic,
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_sc_7_26" {
+ title = "SC-7(26) Classified National Security System Connections"
+ description = "Prohibit the direct connection of a classified national security system to an external network without the use of [Assignment: organization-defined boundary protection device]."
+ children = [
+ control.vpc_security_group_restrict_ingress_ssh_all,
+ control.dms_replication_instance_not_publicly_accessible,
+ control.ebs_snapshot_not_publicly_restorable,
+ control.ec2_instance_not_publicly_accessible,
+ control.emr_cluster_master_nodes_no_public_ip,
+ control.lambda_function_restrict_public_access,
+ control.rds_db_instance_prohibit_public_access,
+ control.rds_db_snapshot_prohibit_public_access,
+ control.redshift_cluster_prohibit_public_access,
+ control.vpc_security_group_restrict_ingress_common_ports_all,
+ control.s3_public_access_block_account,
+ control.s3_public_access_block_bucket,
+ control.s3_bucket_restrict_public_read_access,
+ control.s3_bucket_restrict_public_write_access,
+ control.sagemaker_notebook_instance_direct_internet_access_disabled,
+ control.vpc_subnet_auto_assign_public_ip_disabled,
+ control.vpc_default_security_group_restricts_all_traffic,
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_sc_7_27" {
+ title = "SC-7(27) Unclassified Non-National Security System Connections"
+ description = "Prohibit the direct connection of [Assignment: organization-defined unclassified non-national security system] to an external network without the use of [Assignment: organization-defined boundary protection device]."
+ children = [
+ control.vpc_security_group_restrict_ingress_ssh_all,
+ control.dms_replication_instance_not_publicly_accessible,
+ control.ebs_snapshot_not_publicly_restorable,
+ control.ec2_instance_not_publicly_accessible,
+ control.emr_cluster_master_nodes_no_public_ip,
+ control.lambda_function_restrict_public_access,
+ control.rds_db_instance_prohibit_public_access,
+ control.rds_db_snapshot_prohibit_public_access,
+ control.redshift_cluster_prohibit_public_access,
+ control.vpc_security_group_restrict_ingress_common_ports_all,
+ control.s3_public_access_block_account,
+ control.s3_public_access_block_bucket,
+ control.s3_bucket_restrict_public_read_access,
+ control.s3_bucket_restrict_public_write_access,
+ control.sagemaker_notebook_instance_direct_internet_access_disabled,
+ control.vpc_subnet_auto_assign_public_ip_disabled,
+ control.vpc_default_security_group_restricts_all_traffic,
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_sc_7_28" {
+ title = "SC-7(28) Connections To Public Networks"
+ description = "Prohibit the direct connection of [Assignment: organization-defined system] to a public network."
+ children = [
+ control.vpc_security_group_restrict_ingress_ssh_all,
+ control.dms_replication_instance_not_publicly_accessible,
+ control.ebs_snapshot_not_publicly_restorable,
+ control.ec2_instance_not_publicly_accessible,
+ control.emr_cluster_master_nodes_no_public_ip,
+ control.lambda_function_restrict_public_access,
+ control.rds_db_instance_prohibit_public_access,
+ control.rds_db_snapshot_prohibit_public_access,
+ control.redshift_cluster_prohibit_public_access,
+ control.vpc_security_group_restrict_ingress_common_ports_all,
+ control.s3_public_access_block_account,
+ control.s3_public_access_block_bucket,
+ control.s3_bucket_restrict_public_read_access,
+ control.s3_bucket_restrict_public_write_access,
+ control.sagemaker_notebook_instance_direct_internet_access_disabled,
+ control.vpc_subnet_auto_assign_public_ip_disabled,
+ control.vpc_default_security_group_restricts_all_traffic,
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_sc_8" {
+ title = "Transmission Confidentiality And Integrity (SC-8)"
+ description = "Protect the [Selection (one or more): confidentiality; integrity] of transmitted information."
+ children = [
+ benchmark.nist_800_53_rev_5_sc_8_1,
+ benchmark.nist_800_53_rev_5_sc_8_2,
+ benchmark.nist_800_53_rev_5_sc_8_3,benchmark.nist_800_53_rev_5_sc_8_4,
+ benchmark.nist_800_53_rev_5_sc_8_5,
+ control.es_domain_node_to_node_encryption_enabled,
+ control.elb_classic_lb_use_tls_https_listeners,
+ control.elb_application_lb_redirect_http_request_to_https,
+ control.apigateway_rest_api_stage_use_ssl_certificate,
+ control.elb_classic_lb_use_ssl_certificate,
+ control.redshift_cluster_encryption_in_transit_enabled,
+ control.s3_bucket_enforces_ssl
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_sc_8_1" {
+ title = "SC-8(1) Cryptographic Protection"
+ description = "Implement cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission."
+ children = [
+ control.es_domain_node_to_node_encryption_enabled,
+ control.elb_application_network_lb_use_ssl_certificate,
+ control.elb_classic_lb_use_tls_https_listeners,
+ control.elb_application_lb_redirect_http_request_to_https,
+ control.apigateway_rest_api_stage_use_ssl_certificate,
+ control.elb_classic_lb_use_ssl_certificate,
+ control.redshift_cluster_encryption_in_transit_enabled,
+ control.s3_bucket_enforces_ssl
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_sc_8_2" {
+ title = "SC-8(2) Pre- And Post-Transmission Handling"
+ description = "Maintain the [Selection (one or more): confidentiality; integrity] of information during preparation for transmission and during reception."
+ children = [
+ control.es_domain_node_to_node_encryption_enabled,
+ control.elb_classic_lb_use_tls_https_listeners,
+ control.elb_application_lb_redirect_http_request_to_https,
+ control.apigateway_rest_api_stage_use_ssl_certificate,
+ control.elb_classic_lb_use_ssl_certificate,
+ control.redshift_cluster_encryption_in_transit_enabled,
+ control.s3_bucket_enforces_ssl
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_sc_8_3" {
+ title = "SC-8(3) Cryptographic Protection For Message Externals"
+ description = "Implement cryptographic mechanisms to protect message externals unless otherwise protected by [Assignment: organization-defined alternative physical controls]."
+ children = [
+ control.dynamodb_table_encrypted_with_kms_cmk,
+ control.ec2_ebs_default_encryption_enabled,
+ control.es_domain_node_to_node_encryption_enabled,
+ control.elb_classic_lb_use_tls_https_listeners,
+ control.rds_db_snapshot_encrypted_at_rest,
+ control.s3_bucket_default_encryption_enabled_kms,
+ control.sagemaker_notebook_instance_encryption_at_rest_enabled,
+ control.sns_topic_encrypted_at_rest,
+ control.elb_application_lb_redirect_http_request_to_https,
+ control.apigateway_stage_cache_encryption_at_rest_enabled,
+ control.apigateway_rest_api_stage_use_ssl_certificate,
+ control.cloudtrail_trail_logs_encrypted_with_kms_cmk,
+ control.log_group_encryption_at_rest_enabled,
+ control.efs_file_system_encrypt_data_at_rest,
+ control.es_domain_encryption_at_rest_enabled,
+ control.elb_classic_lb_use_ssl_certificate,
+ control.ebs_attached_volume_encryption_enabled,
+ control.rds_db_instance_encryption_at_rest_enabled,
+ control.redshift_cluster_encryption_logging_enabled,
+ control.redshift_cluster_kms_enabled,
+ control.redshift_cluster_encryption_in_transit_enabled,
+ control.s3_bucket_enforces_ssl,
+ control.s3_bucket_default_encryption_enabled,
+ control.sagemaker_endpoint_configuration_encryption_at_rest_enabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_sc_8_4" {
+ title = "SC-8(4) Conceal Or Ramdomize Communications"
+ description = "Implement cryptographic mechanisms to conceal or randomize communication patterns unless otherwise protected by [Assignment: organization-defined alternative physical controls]."
+ children = [
+ control.dynamodb_table_encrypted_with_kms_cmk,
+ control.ec2_ebs_default_encryption_enabled,
+ control.es_domain_node_to_node_encryption_enabled,
+ control.elb_classic_lb_use_tls_https_listeners,
+ control.rds_db_snapshot_encrypted_at_rest,
+ control.s3_bucket_default_encryption_enabled_kms,
+ control.sagemaker_notebook_instance_encryption_at_rest_enabled,
+ control.sns_topic_encrypted_at_rest,
+ control.elb_application_lb_redirect_http_request_to_https,
+ control.apigateway_stage_cache_encryption_at_rest_enabled,
+ control.apigateway_rest_api_stage_use_ssl_certificate,
+ control.cloudtrail_trail_logs_encrypted_with_kms_cmk,
+ control.log_group_encryption_at_rest_enabled,
+ control.efs_file_system_encrypt_data_at_rest,
+ control.es_domain_encryption_at_rest_enabled,
+ control.elb_classic_lb_use_ssl_certificate,
+ control.ebs_attached_volume_encryption_enabled,
+ control.rds_db_instance_encryption_at_rest_enabled,
+ control.redshift_cluster_encryption_logging_enabled,
+ control.redshift_cluster_kms_enabled,
+ control.redshift_cluster_encryption_in_transit_enabled,
+ control.s3_bucket_default_encryption_enabled,
+ control.s3_bucket_enforces_ssl,
+ control.sagemaker_endpoint_configuration_encryption_at_rest_enabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_sc_8_5" {
+ title = "SC-8(5) Protected Distribution System"
+ description = "Implement [Assignment: organization-defined protected distribution system] to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission."
+ children = [
+ control.es_domain_node_to_node_encryption_enabled,
+ control.elb_classic_lb_use_tls_https_listeners,
+ control.elb_application_lb_redirect_http_request_to_https,
+ control.apigateway_rest_api_stage_use_ssl_certificate,
+ control.elb_classic_lb_use_ssl_certificate,
+ control.redshift_cluster_encryption_in_transit_enabled,
+ control.s3_bucket_enforces_ssl
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_sc_12" {
+ title = "Cryptographic Key Establishment And Management (SC-12)"
+ description = "Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction]."
+ children = [
+ control.kms_cmk_rotation_enabled,
+ control.kms_key_not_pending_deletion,
+ benchmark.nist_800_53_rev_5_sc_12_2,
+ benchmark.nist_800_53_rev_5_sc_12_6
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_sc_12_2" {
+ title = "SC-12(2) Symmetric Keys"
+ description = "Produce, control, and distribute symmetric cryptographic keys using [Selection: NIST FIPS-validated; NSA-approved] key management technology and processes."
+ children = [
+ control.kms_cmk_rotation_enabled,
+ control.kms_key_not_pending_deletion
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_sc_12_6" {
+ title = "SC-12(6) Physical Control Of Keys"
+ description = "Maintain physical control of cryptographic keys when stored information is encrypted by external service providers."
+ children = [
+ control.kms_cmk_rotation_enabled,
+ control.kms_key_not_pending_deletion
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_sc_13" {
+ title = "Cryptographic Protection (SC-13)"
+ description = "a. Determine the [Assignment: organization-defined cryptographic uses]; and b. Implement the following types of cryptography required for each specified cryptographic use: [Assignment: organization-defined types of cryptography for each specified cryptographic use]."
+ children = [
+ benchmark.nist_800_53_rev_5_sc_13_a
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_sc_13_a" {
+ title = "SC-13(a)"
+ description = "a. Determine the [Assignment: organization-defined cryptographic uses];"
+ children = [
+ control.dynamodb_table_encrypted_with_kms_cmk,
+ control.ec2_ebs_default_encryption_enabled,
+ control.es_domain_node_to_node_encryption_enabled,
+ control.elb_classic_lb_use_tls_https_listeners,
+ control.rds_db_snapshot_encrypted_at_rest,
+ control.s3_bucket_default_encryption_enabled_kms,
+ control.sagemaker_notebook_instance_encryption_at_rest_enabled,
+ control.sns_topic_encrypted_at_rest,
+ control.elb_application_lb_redirect_http_request_to_https,
+ control.apigateway_stage_cache_encryption_at_rest_enabled,
+ control.apigateway_rest_api_stage_use_ssl_certificate,
+ control.cloudtrail_trail_logs_encrypted_with_kms_cmk,
+ control.log_group_encryption_at_rest_enabled,
+ control.efs_file_system_encrypt_data_at_rest,
+ control.es_domain_encryption_at_rest_enabled,
+ control.elb_classic_lb_use_ssl_certificate,
+ control.ebs_attached_volume_encryption_enabled,
+ control.rds_db_instance_encryption_at_rest_enabled,
+ control.redshift_cluster_encryption_logging_enabled,
+ control.redshift_cluster_kms_enabled,
+ control.redshift_cluster_encryption_in_transit_enabled,
+ control.s3_bucket_enforces_ssl,
+ control.s3_bucket_default_encryption_enabled,
+ control.sagemaker_endpoint_configuration_encryption_at_rest_enabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_sc_16" {
+ title = "Transmission Of Security And Privacy Attributes (SC-16)"
+ description = "Associate [Assignment: organization-defined security and privacy attributes] with information exchanged between systems and between system components."
+ children = [
+ benchmark.nist_800_53_rev_5_sc_16_1
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_sc_16_1" {
+ title = "SC-16(1) Integrity Verification"
+ description = "Verify the integrity of transmitted security and privacy attributes."
+ children = [
+ control.cloudtrail_trail_validation_enabled,
+ control.s3_bucket_default_encryption_enabled,
+ control.s3_bucket_enforces_ssl,
+ control.s3_bucket_versioning_enabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_sc_22" {
+ title = "Architecture And Provisioning For Name/Address Resolution Service (SC-22)"
+ description = "Ensure the systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal and external role separation."
+ children = [
+ control.elb_classic_lb_cross_zone_load_balancing_enabled,
+ control.rds_db_instance_deletion_protection_enabled,
+ control.dynamodb_table_auto_scaling_enabled,
+ control.elb_application_lb_deletion_protection_enabled,
+ control.rds_db_instance_multiple_az_enabled,
+ control.vpc_vpn_tunnel_up
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_sc_23" {
+ title = "Session Authenticity (SC-23)"
+ description = "Protect the authenticity of communications sessions."
+ children = [
+ control.es_domain_node_to_node_encryption_enabled,
+ control.elb_classic_lb_use_tls_https_listeners,
+ control.elb_application_lb_redirect_http_request_to_https,
+ control.apigateway_rest_api_stage_use_ssl_certificate,
+ control.elb_classic_lb_use_ssl_certificate,
+ control.redshift_cluster_encryption_in_transit_enabled,
+ control.s3_bucket_enforces_ssl,
+ benchmark.nist_800_53_rev_5_sc_23_3,
+ benchmark.nist_800_53_rev_5_sc_23_5
+
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_sc_23_3" {
+ title = "SC-23(3) Unique System-Generated Session Identifiers"
+ description = "Generate a unique session identifier for each session with [Assignment: organization-defined randomness requirements] and recognize only session identifiers that are system-generated."
+ children = [
+ control.ec2_instance_uses_imdsv2,
+ control.iam_group_user_role_no_inline_policies,
+ control.iam_user_access_key_age_90,
+ control.iam_account_password_policy_min_length_14,
+ control.iam_policy_no_star_star,
+ control.iam_root_user_no_access_keys,
+ control.iam_user_in_group,
+ control.iam_user_mfa_enabled,
+ control.iam_user_no_inline_attached_policies,
+ control.iam_user_unused_credentials_90,
+ control.iam_user_console_access_mfa_enabled,
+ control.iam_root_user_hardware_mfa_enabled,
+ control.iam_root_user_mfa_enabled,
+ control.secretsmanager_secret_automatic_rotation_enabled,
+ control.secretsmanager_secret_rotated_as_scheduled,
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_sc_23_5" {
+ title = "SC-23(5) Allowed Certificate Authorities"
+ description = "Only allow the use of [Assignment: organization-defined certificate authorities] for verification of the establishment of protected sessions."
+ children = [
+ control.elb_classic_lb_use_ssl_certificate,
+ control.elb_application_network_lb_use_ssl_certificate
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_sc_25" {
+ title = "Thin Nodes (SC-25)"
+ description = "Employ minimal functionality and information storage on the following system components: [Assignment: organization-defined system components]."
+ children = [
+ control.ec2_instance_in_vpc,
+ control.dms_replication_instance_not_publicly_accessible,
+ control.ebs_snapshot_not_publicly_restorable,
+ control.ec2_instance_not_publicly_accessible,
+ control.es_domain_in_vpc,
+ control.emr_cluster_master_nodes_no_public_ip,
+ control.iam_policy_no_star_star,
+ control.iam_root_user_no_access_keys,
+ control.iam_user_no_inline_attached_policies,
+ control.lambda_function_restrict_public_access,
+ control.lambda_function_in_vpc,
+ control.rds_db_instance_prohibit_public_access,
+ control.rds_db_snapshot_prohibit_public_access,
+ control.redshift_cluster_prohibit_public_access,
+ control.s3_public_access_block_account,
+ control.s3_public_access_block_bucket,
+ control.s3_bucket_restrict_public_read_access,
+ control.s3_bucket_restrict_public_write_access,
+ control.sagemaker_notebook_instance_direct_internet_access_disabled,
+ control.vpc_subnet_auto_assign_public_ip_disabled,
+
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_sc_28" {
+ title = "Protection Of Information At Rest (SC-28)"
+ description = "Protect the [Selection (one or more): confidentiality; integrity] of the following information at rest: [Assignment: organization-defined information at rest]."
+ children = [
+ benchmark.nist_800_53_rev_5_sc_28_1,
+ benchmark.nist_800_53_rev_5_sc_28_2
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_sc_28_1" {
+ title = "SC-28(1) Cryptographic Protection"
+ description = "Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of the following information at rest on [Assignment: organization-defined system components or media]: [Assignment: organization-defined information]."
+ children = [
+ control.dynamodb_table_encrypted_with_kms_cmk,
+ control.ec2_ebs_default_encryption_enabled,
+ control.rds_db_snapshot_encrypted_at_rest,
+ control.s3_bucket_default_encryption_enabled_kms,
+ control.sagemaker_notebook_instance_encryption_at_rest_enabled,
+ control.sns_topic_encrypted_at_rest,
+ control.apigateway_stage_cache_encryption_at_rest_enabled,
+ control.cloudtrail_trail_logs_encrypted_with_kms_cmk,
+ control.log_group_encryption_at_rest_enabled,
+ control.efs_file_system_encrypt_data_at_rest,
+ control.es_domain_encryption_at_rest_enabled,
+ control.ebs_attached_volume_encryption_enabled,
+ control.rds_db_instance_encryption_at_rest_enabled,
+ control.redshift_cluster_encryption_logging_enabled,
+ control.redshift_cluster_kms_enabled,
+ control.s3_bucket_default_encryption_enabled,
+ control.sagemaker_endpoint_configuration_encryption_at_rest_enabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_sc_28_2" {
+ title = "SC-28(2) Offline Storage"
+ description = "Remove the following information from online storage and store offline in a secure location: [Assignment: organization-defined information]."
+ children = [
+ control.cloudwatch_log_group_retention_period_365
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_sc_36" {
+ title = "Distributed Processing And Storage (SC-36)"
+ description = "Distribute the following processing and storage components across multiple [Selection: physical locations; logical domains]: [Assignment: organization-defined processing and storage components]."
+ children = [
+ control.elb_classic_lb_cross_zone_load_balancing_enabled,
+ control.dynamodb_table_auto_scaling_enabled,
+ control.rds_db_instance_multiple_az_enabled,
+ control.vpc_vpn_tunnel_up,
+ benchmark.nist_800_53_rev_5_sc_36_1_a
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_sc_36_1_a" {
+ title = "SC-36(1)(a)"
+ description = "(a) Employ polling techniques to identify potential faults, errors, or compromises to the following processing and storage components: [Assignment: organization-defined distributed processing and storage components];"
+ children = [
+ control.lambda_function_dead_letter_queue_configured,
+ control.rds_db_instance_and_cluster_enhanced_monitoring_enabled,
+ control.autoscaling_group_with_lb_use_health_check,
+ control.elastic_beanstalk_enhanced_health_reporting_enabled,
+ control.cloudwatch_alarm_action_enabled,
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_sc_43" {
+ title = "Usage Restrictions (SC-43)"
+ description = "a. Establish usage restrictions and implementation guidelines for the following system components: [Assignment: organization-defined system components]; and b. Authorize, monitor, and control the use of such components within the system."
+ children = [
+ benchmark.nist_800_53_rev_5_sc_43_b
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_sc_43_b" {
+ title = "SC-43(b)"
+ description = "b. Authorize, monitor, and control the use of such components within the system."
+ children = [
+ control.guardduty_enabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
\ No newline at end of file
diff --git a/nist_800_53_rev_5/si.sp b/nist_800_53_rev_5/si.sp
new file mode 100644
index 00000000..65ca7eed
--- /dev/null
+++ b/nist_800_53_rev_5/si.sp
@@ -0,0 +1,720 @@
+benchmark "nist_800_53_rev_5_si" {
+ title = "System and Information integrity (SI)"
+ description = "The SI control family correlates to controls that protect system and information integrity. These include flaw remediation, malicious code protection, information system monitoring, security alerts, software and firmware integrity, and spam protection."
+ children = [
+ benchmark.nist_800_53_rev_5_si_1,
+ benchmark.nist_800_53_rev_5_si_2,
+ benchmark.nist_800_53_rev_5_si_3,
+ benchmark.nist_800_53_rev_5_si_4,
+ benchmark.nist_800_53_rev_5_si_7,
+ benchmark.nist_800_53_rev_5_si_10,
+ benchmark.nist_800_53_rev_5_si_12,
+ benchmark.nist_800_53_rev_5_si_13,
+ benchmark.nist_800_53_rev_5_si_19
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_si_1" {
+ title = "Policy And Procedures (SI-1)"
+ description = "a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] system and information integrity policy that: a). Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b). Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the system and information integrity policy and the associated system and information integrity controls; b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the system and information integrity policy and procedures; and c. Review and update the current system and information integrity: 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]."
+ children = [
+ benchmark.nist_800_53_rev_5_si_1_a_2,
+ benchmark.nist_800_53_rev_5_si_1_c_2,
+ benchmark.nist_800_53_rev_5_si_1_1_c
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_si_1_a_2" {
+ title = "SI-1(a)(2)"
+ description = "a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 2. Procedures to facilitate the implementation of the system and information integrity policy and the associated system and information integrity controls;."
+ children = [
+ control.es_domain_node_to_node_encryption_enabled,
+ control.elb_classic_lb_use_tls_https_listeners,
+ control.elb_application_lb_redirect_http_request_to_https,
+ control.apigateway_rest_api_stage_use_ssl_certificate,
+ control.cloudtrail_trail_validation_enabled,
+ control.elb_classic_lb_use_ssl_certificate,
+ control.redshift_cluster_encryption_in_transit_enabled,
+ control.s3_bucket_enforces_ssl,
+ control.s3_bucket_versioning_enabled,
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_si_1_c_2" {
+ title = "SI-1(c)(2)"
+ description = "c. Review and update the current system and information integrity: 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]."
+ children = [
+ control.es_domain_node_to_node_encryption_enabled,
+ control.elb_classic_lb_use_tls_https_listeners,
+ control.elb_application_lb_redirect_http_request_to_https,
+ control.apigateway_rest_api_stage_use_ssl_certificate,
+ control.cloudtrail_trail_validation_enabled,
+ control.elb_classic_lb_use_ssl_certificate,
+ control.redshift_cluster_encryption_in_transit_enabled,
+ control.s3_bucket_enforces_ssl,
+ control.s3_bucket_versioning_enabled,
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_si_1_1_c" {
+ title = "SI-1(1)(c)"
+ description = "c(c) Audit the use of the manual override capability."
+ children = [
+ control.cloudtrail_multi_region_trail_enabled,
+ control.cloudtrail_trail_integrated_with_logs,
+ control.cloudtrail_trail_enabled,
+ control.cloudtrail_s3_data_events_enabled,
+ control.rds_db_instance_logging_enabled,
+ control.redshift_cluster_encryption_logging_enabled,
+ control.s3_bucket_logging_enabled,
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_si_2" {
+ title = "Flaw Remediation (SI-2)"
+ description = "The organization: a.Identifies, reports, and corrects information system flaws; b.Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation; c.Installs security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and d.Incorporates flaw remediation into the organizational configuration management process."
+ children = [
+ benchmark.nist_800_53_rev_5_si_2_a,
+ benchmark.nist_800_53_rev_5_si_2_c,
+ benchmark.nist_800_53_rev_5_si_2_2,
+ benchmark.nist_800_53_rev_5_si_2_5
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_si_2_a" {
+ title = "SI-2(a)"
+ description = "a. Identify, report, and correct system flaws;"
+ children = [
+ control.lambda_function_dead_letter_queue_configured,
+ control.rds_db_instance_and_cluster_enhanced_monitoring_enabled,
+ control.autoscaling_group_with_lb_use_health_check,
+ control.elastic_beanstalk_enhanced_health_reporting_enabled,
+ control.cloudwatch_alarm_action_enabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_si_2_c" {
+ title = "SI-2(c)"
+ description = "c. Install security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates;"
+ children = [
+ control.ssm_managed_instance_compliance_patch_compliant,
+ control.elastic_beanstalk_enhanced_health_reporting_enabled,
+ control.redshift_cluster_maintenance_settings_check,
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_si_2_d" {
+ title = "SI-2(d)"
+ description = "d. Incorporate flaw remediation into the organizational configuration management process."
+ children = [
+ control.ssm_managed_instance_compliance_patch_compliant,
+ control.elastic_beanstalk_enhanced_health_reporting_enabled,
+ control.redshift_cluster_maintenance_settings_check,
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_si_2_2" {
+ title = "SI-2(2) Automated Flaw RemediationN Status"
+ description = "Determine if system components have applicable security-relevant software and firmware updates installed using [Assignment: organization-defined automated mechanisms] [Assignment: organization-defined frequency]."
+ children = [
+ control.ssm_managed_instance_compliance_patch_compliant,
+ control.elastic_beanstalk_enhanced_health_reporting_enabled,
+ control.redshift_cluster_maintenance_settings_check,
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_si_2_5" {
+ title = "SI-2(5) Automatic Software And Firmware Updated"
+ description = "Install [Assignment: organization-defined security-relevant software and firmware updates] automatically to [Assignment: organization-defined system components]."
+ children = [
+ control.ssm_managed_instance_compliance_patch_compliant,
+ control.elastic_beanstalk_enhanced_health_reporting_enabled,
+ control.redshift_cluster_maintenance_settings_check,
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_si_3" {
+ title = "Malicious Code Protection (SI-3)"
+ description = "a. Implement [Selection (one or more): signature based; non-signature based] malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code; b. Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures; c. Configure malicious code protection mechanisms to: 1. Perform periodic scans of the system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more): endpoint; network entry and exit points] as the files are downloaded, opened, or executed in accordance with organizational policy; and 2. [Selection (one or more): block malicious code; quarantine malicious code; take [Assignment: organization-defined action]]; and send alert to [Assignment: organization-defined personnel or roles] in response to malicious code detection; and d. Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system."
+ children = [
+ benchmark.nist_800_53_rev_5_si_3_c_2,
+ benchmark.nist_800_53_rev_5_si_3_8
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_si_3_c_2" {
+ title = "SI-3(c)(2)"
+ description = "c. Configure malicious code protection mechanisms to: 2. [Selection (one or more): block malicious code; quarantine malicious code; take [Assignment: organization-defined action]]; and send alert to [Assignment: organization-defined personnel or roles] in response to malicious code detection;"
+ children = [
+ control.ec2_instance_ssm_managed,
+ control.ssm_managed_instance_compliance_association_compliant,
+ control.ssm_managed_instance_compliance_patch_compliant,
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_si_3_8" {
+ title = "SI-3(8)"
+ description = "c. Configure malicious code protection mechanisms to: 2. [Selection (one or more): block malicious code; quarantine malicious code; take [Assignment: organization-defined action]]; and send alert to [Assignment: organization-defined personnel or roles] in response to malicious code detection;"
+ children = [
+ benchmark.nist_800_53_rev_5_si_3_8_a,
+ benchmark.nist_800_53_rev_5_si_3_8_b
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_si_3_8_a" {
+ title = "SI-3(8)(a)"
+ description = "(a) Detect the following unauthorized operating system commands through the kernel application programming interface on [Assignment: organization-defined system hardware components]: [Assignment: organization-defined unauthorized operating system commands];"
+ children = [
+ control.guardduty_enabled,
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_si_3_8_b" {
+ title = "SI-3(8)(b)"
+ description = "(b) [Selection (one or more): issue a warning; audit the command execution; prevent the execution of the command]."
+ children = [
+ control.cloudtrail_multi_region_trail_enabled,
+ control.cloudtrail_trail_integrated_with_logs,
+ control.cloudtrail_trail_enabled,
+ control.cloudtrail_s3_data_events_enabled,
+ control.rds_db_instance_logging_enabled,
+ control.redshift_cluster_encryption_logging_enabled,
+ control.s3_bucket_logging_enabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_si_4" {
+ title = "System Monitoring (SI-4)"
+ description = "The organization: a.Monitors the information system to detect: 1. Attacks and indicators of potential attacks in accordance with [Assignment: organization-defined monitoring objectives]; and 2.Unauthorized local, network, and remote connections; b. Identifies unauthorized use of the information system through [Assignment: organization-defined techniques and methods]; c. Deploys monitoring devices: 1. Strategically within the information system to collect organization-determined essential information; and 2. At ad hoc locations within the system to track specific types of transactions of interest to the organization; d. Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion; e. Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information; f. Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and g. Provides [Assignment: organization-defined information system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]]."
+ children = [ + benchmark.nist_800_53_rev_5_si_4_a, + benchmark.nist_800_53_rev_5_si_4_b, + benchmark.nist_800_53_rev_5_si_4_c, + benchmark.nist_800_53_rev_5_si_4_d, + benchmark.nist_800_53_rev_5_si_4_1, + benchmark.nist_800_53_rev_5_si_4_2, + benchmark.nist_800_53_rev_5_si_4_3, + benchmark.nist_800_53_rev_5_si_4_4, + benchmark.nist_800_53_rev_5_si_4_10, + benchmark.nist_800_53_rev_5_si_4_12, + benchmark.nist_800_53_rev_5_si_4_13, + benchmark.nist_800_53_rev_5_si_4_14, + benchmark.nist_800_53_rev_5_si_4_17, + benchmark.nist_800_53_rev_5_si_4_20, + benchmark.nist_800_53_rev_5_si_4_23, + benchmark.nist_800_53_rev_5_si_4_25 + + + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_si_4_a" { + title = "SI-4(a)" + description = "a. Monitor the system to detect: 1. Attacks and indicators of potential attacks in accordance with the following monitoring objectives: [Assignment: organization-defined monitoring objectives]; and 2. Unauthorized local, network, and remote connections;" + children = [ + control.guardduty_enabled, + benchmark.nist_800_53_rev_5_si_4_a_1, + benchmark.nist_800_53_rev_5_si_4_a_2 + ] + + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/GuardDuty" + }) +} + +benchmark "nist_800_53_rev_5_si_4_a_1" { + title = "SI-4(a)(1)" + description = "a. Monitor the system to detect: 1. Attacks and indicators of potential attacks in accordance with the following monitoring objectives: [Assignment: organization-defined monitoring objectives]; and 2. Unauthorized local, network, and remote connections;" + children = [ + control.guardduty_enabled, + ] + + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/GuardDuty" + }) +} + +benchmark "nist_800_53_rev_5_si_4_a_2" { + title = "SI-4(a)(2)" + description = "a. Monitor the system to detect: 2. 
Unauthorized local, network, and remote connections;" + children = [ + control.guardduty_enabled, + ] + + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/GuardDuty" + }) +} + +benchmark "nist_800_53_rev_5_si_4_b" { + title = "SI-4(b)" + description = "b. Identify unauthorized use of the system through the following techniques and methods: [Assignment: organization-defined techniques and methods];" + children = [ + control.guardduty_enabled, + ] + + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/GuardDuty" + }) +} + +benchmark "nist_800_53_rev_5_si_4_c" { + title = "SI-4(c)" + description = "c. Invoke internal monitoring capabilities or deploy monitoring devices: 1. Strategically within the system to collect organization-determined essential information; and 2. At ad hoc locations within the system to track specific types of transactions of interest to the organization;" + children = [ + control.guardduty_enabled, + ] + + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/GuardDuty" + }) +} + +benchmark "nist_800_53_rev_5_si_4_d" { + title = "SI-4(d)" + description = "d. Analyze detected events and anomalies;" + children = [ + control.cloudtrail_trail_validation_enabled, + ] + + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/GuardDuty" + }) +} + +benchmark "nist_800_53_rev_5_si_4_1" { + title = "SI-4(1) System-Wide Intrusion Detection System" + description = "Connect and configure individual intrusion detection tools into a system-wide intrusion detection system." + children = [ + control.guardduty_enabled + ] + + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/GuardDuty" + }) +} + +benchmark "nist_800_53_rev_5_si_4_2" { + title = "SI-4(2) Automated Tools For Real-Time Analysis" + description = "Implement the following additional monitoring of privileged users: [Assignment: organization-defined additional monitoring]. 
Employ automated tools and mechanisms to support near real-time analysis of events." + children = [ + control.cloudtrail_multi_region_trail_enabled, + control.cloudtrail_trail_integrated_with_logs, + control.cloudtrail_trail_enabled, + control.cloudtrail_s3_data_events_enabled, + control.guardduty_enabled, + control.rds_db_instance_logging_enabled, + control.redshift_cluster_encryption_logging_enabled, + control.s3_bucket_logging_enabled, + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_si_4_3" { + title = "SI-4(3) Automated Tools And Mechanism Integration" + description = "Employ automated tools and mechanisms to integrate intrusion detection tools and mechanisms into access control and flow control mechanisms." + children = [ + control.guardduty_enabled, + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_si_4_4" { + title = "SI-4(4) Inbound and Outbound Communications Traffic" + description = "The information system monitors inbound and outbound communications traffic continuously for unusual or unauthorized activities or conditions." + children = [ + benchmark.nist_800_53_rev_5_si_4_4_a, + benchmark.nist_800_53_rev_5_si_4_4_b + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_si_4_4_a" { + title = "SI-4(4)(a)" + description = "(a) Determine criteria for unusual or unauthorized activities or conditions for inbound and outbound communications traffic;" + children = [ + control.guardduty_enabled, + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_si_4_4_b" { + title = "SI-4(4)(b)" + description = "(b) Monitor inbound and outbound communications traffic [Assignment: organization-defined frequency] for [Assignment: organization-defined unusual or unauthorized activities or conditions]." 
+ children = [
+ control.guardduty_enabled,
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_si_4_10" {
+ title = "SI-4(10) Visibility Of Encrypted Communications"
+ description = "Make provisions so that [Assignment: organization-defined encrypted communications traffic] is visible to [Assignment: organization-defined system monitoring tools and mechanisms]."
+ children = [
+ control.guardduty_enabled,
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_si_4_12" {
+ title = "SI-4(12) Automated Organization-Generated Alerts"
+ description = "Alert [Assignment: organization-defined personnel or roles] using [Assignment: organization-defined automated mechanisms] when the following indications of inappropriate or unusual activities with security or privacy implications occur: [Assignment: organization-defined activities that trigger alerts]."
+ children = [
+ control.cloudwatch_alarm_action_enabled,
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_si_4_13" {
+ title = "SI-4(13) Analyze Traffic And Event Patterns"
+ description = "a. Analyze communications traffic and event patterns for the system; b. Develop profiles representing common traffic and event patterns; and c. Use the traffic and event profiles in tuning system-monitoring devices."
+ children = [
+ benchmark.nist_800_53_rev_5_si_4_13_a,
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_si_4_13_a" {
+ title = "SI-4(13)(a)"
+ description = "(a) Analyze communications traffic and event patterns for the system;"
+ children = [
+ control.guardduty_enabled,
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_si_4_14" {
+ title = "SI-4(14) Wireless Intrusion Detection"
+ description = "Employ a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises or breaches to the system."
+ children = [
+ control.guardduty_enabled,
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_si_4_17" {
+ title = "SI-4(17) Integrated Situational Awareness"
+ description = "Correlate information from monitoring physical, cyber, and supply chain activities to achieve integrated, organization-wide situational awareness."
+ children = [
+ control.cloudwatch_log_group_retention_period_365,
+ control.cloudtrail_multi_region_trail_enabled,
+ control.wafv2_web_acl_logging_enabled,
+ control.apigateway_stage_logging_enabled,
+ control.cloudtrail_trail_integrated_with_logs,
+ control.cloudtrail_trail_enabled,
+ control.cloudtrail_s3_data_events_enabled,
+ control.elb_application_classic_lb_logging_enabled,
+ control.rds_db_instance_logging_enabled,
+ control.redshift_cluster_encryption_logging_enabled,
+ control.s3_bucket_logging_enabled,
+ control.vpc_flow_logs_enabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_si_4_20" {
+ title = "SI-4(20) Privileged Users"
+ description = "Implement the following additional monitoring of privileged users: [Assignment: organization-defined additional monitoring]."
+ children = [
+ control.cloudtrail_multi_region_trail_enabled,
+ control.cloudtrail_trail_integrated_with_logs,
+ control.cloudtrail_trail_enabled,
+ control.cloudtrail_s3_data_events_enabled,
+ control.rds_db_instance_logging_enabled,
+ control.redshift_cluster_encryption_logging_enabled,
+ control.s3_bucket_logging_enabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_si_4_23" {
+ title = "SI-4(23) Host-Based Devices"
+ description = "Implement the following host-based monitoring mechanisms at [Assignment: organization-defined system components]: [Assignment: organization-defined host-based monitoring mechanisms]."
+ children = [
+ control.guardduty_enabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_si_4_25" {
+ title = "SI-4(25) Optimize Network Traffic Analysis"
+ description = "Provide visibility into network traffic at external and key internal system interfaces to optimize the effectiveness of monitoring devices."
+ children = [
+ control.guardduty_enabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+
+benchmark "nist_800_53_rev_5_si_5" {
+ title = "Secuity Alerts, Advisories, And Directives (SI-5)"
+ description = "a. Receive system security alerts, advisories, and directives from [Assignment: organization-defined external organizations] on an ongoing basis; b. Generate internal security alerts, advisories, and directives as deemed necessary; c. Disseminate security alerts, advisories, and directives to: [Selection (one or more): [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined elements within the organization]; [Assignment: organization-defined external organizations]]; and d. Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance."
+ children = [ + benchmark.nist_800_53_rev_5_si_5_b, + benchmark.nist_800_53_rev_5_si_5_1 + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_si_5_1" { + title = "SI-5(1) Automated Alerts And Advisories" + description = "Broadcast security alert and advisory information throughout the organization using [Assignment: organization-defined automated mechanisms]." + children = [ + control.cloudwatch_alarm_action_enabled, + control.guardduty_enabled + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_si_5_b" { + title = "SI-5(b)" + description = "b. Generate internal security alerts, advisories, and directives as deemed necessary;" + children = [ + control.cloudwatch_alarm_action_enabled, + control.guardduty_enabled + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_si_7" { + title = "Software, Firmware, and Information Integrity (SI-7)" + description = "a. Employ integrity verification tools to detect unauthorized changes to the following software, firmware, and information: [Assignment: organization-defined software, firmware, and information]; and b. Take the following actions when unauthorized changes to the software, firmware, and information are detected: [Assignment: organization-defined actions]." + children = [ + benchmark.nist_800_53_rev_5_si_7_a, + benchmark.nist_800_53_rev_5_si_7_1, + benchmark.nist_800_53_rev_5_si_7_3, + benchmark.nist_800_53_rev_5_si_7_7, + benchmark.nist_800_53_rev_5_si_7_8, + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_si_7_a" { + title = "SI-7(a)" + description = "a. 
Employ integrity verification tools to detect unauthorized changes to the following software, firmware, and information: [Assignment: organization-defined software, firmware, and information];" + children = [ + control.cloudtrail_trail_validation_enabled, + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_si_7_1" { + title = "SI-7(1) Integrity Checks" + description = "Perform an integrity check of [Assignment: organization-defined software, firmware, and information] [Selection (one or more): at startup; at [Assignment: organization-defined transitional states or security-relevant events]; [Assignment: organization-defined frequency]]." + children = [ + control.cloudtrail_trail_validation_enabled, + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_si_7_3" { + title = "SI-7(3) Centrally Managed Integrity Tools" + description = "Employ centrally managed integrity verification tools." + children = [ + control.cloudtrail_trail_validation_enabled, + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_si_7_7" { + title = "SI-7(7) Integration Of Detection And Response" + description = "Incorporate the detection of the following unauthorized changes into the organizational incident response capability: [Assignment: organization-defined security-relevant changes to the system]." + children = [ + control.cloudtrail_trail_validation_enabled, + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_si_7_8" { + title = "SI-7(8) Auditing Capability For Significant Events" + description = "Upon detection of a potential integrity violation, provide the capability to audit the event and initiate the following actions: [Selection (one or more): generate an audit record; alert current user; alert [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined other actions]]." 
+ children = [
+ control.cloudtrail_multi_region_trail_enabled,
+ control.wafv2_web_acl_logging_enabled,
+ control.apigateway_stage_logging_enabled,
+ control.cloudtrail_trail_integrated_with_logs,
+ control.cloudtrail_trail_enabled,
+ control.cloudtrail_s3_data_events_enabled,
+ control.elb_application_classic_lb_logging_enabled,
+ control.rds_db_instance_logging_enabled,
+ control.redshift_cluster_encryption_logging_enabled,
+ control.s3_bucket_logging_enabled,
+ control.vpc_flow_logs_enabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_si_10" {
+ title = "Information Input Validation (SI-10)"
+ description = "Check the validity of the following information inputs: [Assignment: organization-defined information inputs to the system]."
+ children = [
+ benchmark.nist_800_53_rev_5_si_10_1,
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_si_10_1" {
+ title = "SI-10(1) Manual Override Capability"
+ description = "a. Provide a manual override capability for input validation of the following information inputs: [Assignment: organization-defined inputs defined in the base control (SI-10)]; b. Restrict the use of the manual override capability to only [Assignment: organization-defined authorized individuals]; and c. Audit the use of the manual override capability."
+ children = [
+ benchmark.nist_800_53_rev_5_si_10_1_c,
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_si_10_1_c" {
+ title = "SI-10(1)(c)"
+ description = "(c) Audit the use of the manual override capability."
+ children = [
+ control.cloudtrail_multi_region_trail_enabled,
+ control.cloudtrail_trail_integrated_with_logs,
+ control.cloudtrail_trail_enabled,
+ control.cloudtrail_s3_data_events_enabled,
+ control.rds_db_instance_logging_enabled,
+ control.redshift_cluster_encryption_logging_enabled,
+ control.s3_bucket_logging_enabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_si_12" {
+ title = "Information Management and Retention (SI-12)"
+ description = "Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements."
+ children = [
+ control.cloudwatch_log_group_retention_period_365,
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_si_13" {
+ title = "Predictable Failure Prevention (SI-13)"
+ description = "a. Determine mean time to failure (MTTF) for the following system components in specific environments of operation: [Assignment: organization-defined system components]; and b. Provide substitute system components and a means to exchange active and standby components in accordance with the following criteria: Provide [Selection: real-time; near real-time] [Assignment: organization-defined failover capability] for the system.[Assignment: organization-defined MTTF substitution criteria]."
+ children = [
+ benchmark.nist_800_53_rev_5_si_13_5
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_si_13_5" {
+ title = "SI-13(5) Failover Capability"
+ description = "Provide [Selection: real-time; near real-time] [Assignment: organization-defined failover capability] for the system."
+ children = [
+ control.dynamodb_table_in_backup_plan,
+ control.ebs_volume_in_backup_plan,
+ control.efs_file_system_in_backup_plan,
+ control.elb_classic_lb_cross_zone_load_balancing_enabled,
+ control.rds_db_instance_deletion_protection_enabled,
+ control.rds_db_instance_protected_by_backup_plan,
+ control.redshift_cluster_automatic_snapshots_min_7_days,
+ control.rds_db_instance_backup_enabled,
+ control.dynamodb_table_auto_scaling_enabled,
+ control.dynamodb_table_point_in_time_recovery_enabled,
+ control.elasticache_redis_cluster_automatic_backup_retention_15_days,
+ control.rds_db_instance_multiple_az_enabled,
+ control.s3_bucket_cross_region_replication_enabled,
+ control.s3_bucket_versioning_enabled,
+ control.vpc_vpn_tunnel_up
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+
+benchmark "nist_800_53_rev_5_si_19" {
+ title = "De-Identification (SI-19)"
+ description = "a. Remove the following elements of personally identifiable information from datasets: [Assignment: organization-defined elements of personally identifiable information]; and b. Evaluate [Assignment: organization-defined frequency] for effectiveness of de-identification."
+ children = [
+ benchmark.nist_800_53_rev_5_si_19_4
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_si_19_4" {
+ title = "SI-19(4) Removal, Masking, Encryption, Hashing, Or Replacement Of Direct Identifiers"
+ description = "Remove, mask, encrypt, hash, or replace direct identifiers in a dataset."
+ children = [ + control.dynamodb_table_encrypted_with_kms_cmk, + control.ec2_ebs_default_encryption_enabled, + control.rds_db_snapshot_encrypted_at_rest, + control.s3_bucket_default_encryption_enabled_kms, + control.sagemaker_notebook_instance_encryption_at_rest_enabled, + control.apigateway_stage_cache_encryption_at_rest_enabled, + control.cloudtrail_trail_logs_encrypted_with_kms_cmk, + control.log_group_encryption_at_rest_enabled, + control.efs_file_system_encrypt_data_at_rest, + control.es_domain_encryption_at_rest_enabled, + control.ebs_attached_volume_encryption_enabled, + control.rds_db_instance_encryption_at_rest_enabled, + control.redshift_cluster_encryption_logging_enabled, + control.redshift_cluster_kms_enabled, + control.s3_bucket_default_encryption_enabled, + control.sagemaker_endpoint_configuration_encryption_at_rest_enabled + ] + + tags = local.nist_800_53_rev_5_common_tags +} + + From ada1dcc5e23ca1cdef1dd68f70531e5463d6971f Mon Sep 17 00:00:00 2001 From: Khushboo Date: Wed, 25 May 2022 18:47:07 +0530 Subject: [PATCH 04/20] added new benchmarks and controlls --- nist_800_53_rev_5/cp.sp | 450 +++++++++++++++++++++++++ nist_800_53_rev_5/ia.sp | 394 ++++++++++++++++++++++ nist_800_53_rev_5/ir.sp | 29 ++ nist_800_53_rev_5/ma.sp | 60 ++++ nist_800_53_rev_5/mp.sp | 42 +++ nist_800_53_rev_5/nist_800_53_rev_5.sp | 32 ++ nist_800_53_rev_5/pe.sp | 40 +++ nist_800_53_rev_5/pm.sp | 193 +++++++++++ nist_800_53_rev_5/ra.sp | 160 +++++++++ 9 files changed, 1400 insertions(+) create mode 100644 nist_800_53_rev_5/cp.sp create mode 100644 nist_800_53_rev_5/ia.sp create mode 100644 nist_800_53_rev_5/ir.sp create mode 100644 nist_800_53_rev_5/ma.sp create mode 100644 nist_800_53_rev_5/mp.sp create mode 100644 nist_800_53_rev_5/nist_800_53_rev_5.sp create mode 100644 nist_800_53_rev_5/pe.sp create mode 100644 nist_800_53_rev_5/pm.sp create mode 100644 nist_800_53_rev_5/ra.sp 
diff --git a/nist_800_53_rev_5/cp.sp b/nist_800_53_rev_5/cp.sp
new file mode 100644
index 00000000..dc2a01ee
--- /dev/null
+++ b/nist_800_53_rev_5/cp.sp
@@ -0,0 +1,450 @@
+benchmark "nist_800_53_rev_5_cp" {
+ title = "Contingency Planning (CP)"
+ description = "The CP control family includes controls specific to an organization's contingency plan if a cybersecurity event should occur. This includes controls like contingency plan testing, updating, training, and backups, and system reconstitution."
+ children = [
+ benchmark.nist_800_53_rev_5_cp_1,
+ benchmark.nist_800_53_rev_5_cp_2,
+ benchmark.nist_800_53_rev_5_cp_6,
+ benchmark.nist_800_53_rev_5_cp_9,
+ benchmark.nist_800_53_rev_5_cp_10
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_cp_1" {
+ title = "Policy And Procedures (CP-1)"
+ description = "a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] contingency planning policy that: a). Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b). Is consistent with applicable laws, executive orders, directives regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls; b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the contingency planning policy and procedures; and c. Review and update the current contingency planning: 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]."
+ children = [ + benchmark.nist_800_53_rev_5_cp_1_a, + benchmark.nist_800_53_rev_5_cp_1_2 + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_cp_1_a" { + title = "CP-1(a)" + description = "a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] contingency planning policy that: a). Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b). Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls;" + children = [ + benchmark.nist_800_53_rev_5_cp_1_a_1_b, + benchmark.nist_800_53_rev_5_cp_1_a_2, + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_cp_1_a_1_b" { + title = "CP-1(a)(1)(b)" + description = "a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] contingency planning policy that: (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;" + children = [ + control.elb_classic_lb_cross_zone_load_balancing_enabled, + control.rds_db_instance_deletion_protection_enabled, + control.dynamodb_table_auto_scaling_enabled, + control.elb_application_lb_deletion_protection_enabled, + control.rds_db_instance_multiple_az_enabled, + control.vpc_vpn_tunnel_up, + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_cp_1_a_2" { + title = "CP-1(a)(2)" + description = "a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 2. 
Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls;" + children = [ + control.elb_classic_lb_cross_zone_load_balancing_enabled, + control.rds_db_instance_deletion_protection_enabled, + control.dynamodb_table_auto_scaling_enabled, + control.elb_application_lb_deletion_protection_enabled, + control.rds_db_instance_multiple_az_enabled, + control.vpc_vpn_tunnel_up, + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_cp_1_2" { + title = "CP-1(2)" + description = "Implement transaction recovery for systems that are transaction-based." + children = [ + control.dynamodb_table_in_backup_plan, + control.ebs_volume_in_backup_plan, + control.efs_file_system_in_backup_plan, + control.rds_db_instance_in_backup_plan, + control.redshift_cluster_automatic_snapshots_min_7_days, + control.rds_db_instance_backup_enabled, + control.dynamodb_table_point_in_time_recovery_enabled, + control.elasticache_redis_cluster_automatic_backup_retention_15_days, + control.s3_bucket_cross_region_replication_enabled, + control.s3_bucket_versioning_enabled + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_cp_2" { + title = "Contingency Plan (CP-2)" + description = "to do" + children = [ + benchmark.nist_800_53_rev_5_cp_2_a, + benchmark.nist_800_53_rev_5_cp_2_d, + benchmark.nist_800_53_rev_5_cp_2_e, + benchmark.nist_800_53_rev_5_cp_2_5, + benchmark.nist_800_53_rev_5_cp_2_6 + + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_cp_2_a" { + title = "CP-2(a)" + description = "a. Develop a contingency plan for the system that: 1. Identifies essential mission and business functions and associated contingency requirements; 2. Provides recovery objectives, restoration priorities, and metrics; 3. Addresses contingency roles, responsibilities, assigned individuals with contact information; 4. 
Addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure; 5. Addresses eventual, full system restoration without deterioration of the controls originally planned and implemented; 6. Addresses the sharing of contingency information; and 7. Is reviewed and approved by [Assignment: organization-defined personnel or roles];" + children = [ + control.elb_classic_lb_cross_zone_load_balancing_enabled, + control.rds_db_instance_deletion_protection_enabled, + control.dynamodb_table_auto_scaling_enabled, + control.elb_application_lb_deletion_protection_enabled, + control.rds_db_instance_multiple_az_enabled, + control.vpc_vpn_tunnel_up, + benchmark.nist_800_53_rev_5_cp_2_a_6, + benchmark.nist_800_53_rev_5_cp_2_a_7 + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_cp_2_a_6" { + title = "CP-2(a)(6)" + description = "a. Develop a contingency plan for the system that: 6. Addresses the sharing of contingency information;" + children = [ + control.elb_classic_lb_cross_zone_load_balancing_enabled, + control.rds_db_instance_deletion_protection_enabled, + control.dynamodb_table_auto_scaling_enabled, + control.elb_application_lb_deletion_protection_enabled, + control.rds_db_instance_multiple_az_enabled, + control.vpc_vpn_tunnel_up, + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_cp_2_a_7" { + title = "CP-2(a)(7)" + description = "a. Develop a contingency plan for the system that: 7. 
Is reviewed and approved by [Assignment: organization-defined personnel or roles];" + children = [ + control.elb_classic_lb_cross_zone_load_balancing_enabled, + control.rds_db_instance_deletion_protection_enabled, + control.dynamodb_table_auto_scaling_enabled, + control.elb_application_lb_deletion_protection_enabled, + control.rds_db_instance_multiple_az_enabled, + control.vpc_vpn_tunnel_up, + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_cp_2_d" { + title = "CP-2(d)" + description = "d. Review the contingency plan for the system [Assignment: organization-defined frequency];" + children = [ + control.elb_classic_lb_cross_zone_load_balancing_enabled, + control.rds_db_instance_deletion_protection_enabled, + control.dynamodb_table_auto_scaling_enabled, + control.elb_application_lb_deletion_protection_enabled, + control.rds_db_instance_multiple_az_enabled, + control.vpc_vpn_tunnel_up, + benchmark.nist_800_53_rev_5_cp_2_a_6, + benchmark.nist_800_53_rev_5_cp_2_a_7 + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_cp_2_e" { + title = "CP-2(e)" + description = "e. 
Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;" + children = [ + control.elb_classic_lb_cross_zone_load_balancing_enabled, + control.rds_db_instance_deletion_protection_enabled, + control.dynamodb_table_auto_scaling_enabled, + control.elb_application_lb_deletion_protection_enabled, + control.rds_db_instance_multiple_az_enabled, + control.vpc_vpn_tunnel_up, + benchmark.nist_800_53_rev_5_cp_2_a_6, + benchmark.nist_800_53_rev_5_cp_2_a_7 + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_cp_2_5" { + title = "CP-2(5) Continue Mission And Business Functions" + description = "Plan for the continuance of [Selection: all; essential] mission and business functions with minimal or no loss of operational continuity and sustains that continuity until full system restoration at primary processing and/or storage sites." + children = [ + control.dynamodb_table_in_backup_plan, + control.ebs_volume_in_backup_plan, + control.efs_file_system_in_backup_plan, + control.elb_classic_lb_cross_zone_load_balancing_enabled, + control.rds_db_instance_deletion_protection_enabled, + control.rds_db_instance_in_backup_plan, + control.redshift_cluster_automatic_snapshots_min_7_days, + control.rds_db_instance_backup_enabled, + control.dynamodb_table_auto_scaling_enabled, + control.dynamodb_table_point_in_time_recovery_enabled, + control.ec2_instance_ebs_optimized, + control.elasticache_redis_cluster_automatic_backup_retention_15_days, + control.elb_application_lb_deletion_protection_enabled, + control.rds_db_instance_multiple_az_enabled, + control.s3_bucket_cross_region_replication_enabled, + control.s3_bucket_versioning_enabled, + control.vpc_vpn_tunnel_up, + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_cp_2_6" { + title = "CP-2(6) Alternate Processing And Storage Sites" + 
description = "Plan for the transfer of [Selection: all; essential] mission and business functions to alternate processing and/or storage sites with minimal or no loss of operational continuity and sustain that continuity through system restoration to primary processing and/or storage sites." + children = [ + control.elb_classic_lb_cross_zone_load_balancing_enabled, + control.dynamodb_table_auto_scaling_enabled, + control.rds_db_instance_multiple_az_enabled, + control.vpc_vpn_tunnel_up, + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_cp_6" { + title = "Alternate Storage Sites (CP-6)" + description = "a. Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and b. Ensure that the alternate storage site provides controls equivalent to that of the primary site." + children = [ + benchmark.nist_800_53_rev_5_cp_6_a, + benchmark.nist_800_53_rev_5_cp_6_1 + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_cp_6_a" { + title = "CP-6(a)" + description = "a. Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information;" + children = [ + control.dynamodb_table_in_backup_plan, + control.ebs_volume_in_backup_plan, + control.efs_file_system_in_backup_plan, + control.rds_db_instance_in_backup_plan, + control.redshift_cluster_automatic_snapshots_min_7_days, + control.rds_db_instance_backup_enabled, + control.elasticache_redis_cluster_automatic_backup_retention_15_days, + control.s3_bucket_cross_region_replication_enabled, + control.s3_bucket_versioning_enabled, + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_cp_6_1" { + title = "CP-6(1) Separation From Primary Site" + description = "Identify an alternate storage site that is sufficiently separated from the primary storage site to reduce susceptibility to the same threats." 
+ children = [ + control.dynamodb_table_in_backup_plan, + control.ebs_volume_in_backup_plan, + control.efs_file_system_in_backup_plan, + control.rds_db_instance_in_backup_plan, + control.redshift_cluster_automatic_snapshots_min_7_days, + control.rds_db_instance_backup_enabled, + control.elasticache_redis_cluster_automatic_backup_retention_15_days, + control.s3_bucket_cross_region_replication_enabled, + control.s3_bucket_versioning_enabled, + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_cp_6_2" { + title = "CP-6(2) Recovery Time And Recovery Point Objectives" + description = "Configure the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives." + children = [ + control.dynamodb_table_in_backup_plan, + control.ebs_volume_in_backup_plan, + control.efs_file_system_in_backup_plan, + control.elb_classic_lb_cross_zone_load_balancing_enabled, + control.rds_db_instance_in_backup_plan, + control.redshift_cluster_automatic_snapshots_min_7_days, + control.rds_db_instance_backup_enabled, + control.dynamodb_table_auto_scaling_enabled, + control.dynamodb_table_point_in_time_recovery_enabled, + control.elasticache_redis_cluster_automatic_backup_retention_15_days, + control.rds_db_instance_multiple_az_enabled, + control.s3_bucket_cross_region_replication_enabled, + control.s3_bucket_versioning_enabled, + control.vpc_vpn_tunnel_up, + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_cp_9" { + title = "System Backup (CP-9)" + description = "a. Conduct backups of user-level information contained in [Assignment: organization-defined system components] [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; b. Conduct backups of system-level information contained in the system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; c. 
Conduct backups of system documentation, including security- and privacy-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and d. Protect the confidentiality, integrity, and availability of backup information." + children = [ + benchmark.nist_800_53_rev_5_cp_9_a, + benchmark.nist_800_53_rev_5_cp_9_b, + benchmark.nist_800_53_rev_5_cp_9_c, + benchmark.nist_800_53_rev_5_cp_9_d, + benchmark.nist_800_53_rev_5_cp_9_8 + + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_cp_9_a" { + title = "CP-9(a)" + description = "a. Conduct backups of user-level information contained in [Assignment: organization-defined system components] [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];" + children = [ + control.dynamodb_table_in_backup_plan, + control.ebs_volume_in_backup_plan, + control.efs_file_system_in_backup_plan, + control.rds_db_instance_in_backup_plan, + control.redshift_cluster_automatic_snapshots_min_7_days, + control.rds_db_instance_backup_enabled, + control.dynamodb_table_point_in_time_recovery_enabled, + control.ec2_instance_ebs_optimized, + control.elasticache_redis_cluster_automatic_backup_retention_15_days, + control.redshift_cluster_maintenance_settings_check, + control.s3_bucket_cross_region_replication_enabled, + control.s3_bucket_versioning_enabled, + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_cp_9_b" { + title = "CP-9(b)" + description = "b. 
Conduct backups of system-level information contained in the system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];" + children = [ + control.dynamodb_table_in_backup_plan, + control.ebs_volume_in_backup_plan, + control.efs_file_system_in_backup_plan, + control.rds_db_instance_in_backup_plan, + control.redshift_cluster_automatic_snapshots_min_7_days, + control.rds_db_instance_backup_enabled, + control.dynamodb_table_point_in_time_recovery_enabled, + control.ec2_instance_ebs_optimized, + control.elasticache_redis_cluster_automatic_backup_retention_15_days, + control.redshift_cluster_maintenance_settings_check, + control.s3_bucket_cross_region_replication_enabled, + control.s3_bucket_versioning_enabled, + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_cp_9_c" { + title = "CP-9(c)" + description = "c. Conduct backups of system documentation, including security- and privacy-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];" + children = [ + control.dynamodb_table_in_backup_plan, + control.ebs_volume_in_backup_plan, + control.efs_file_system_in_backup_plan, + control.rds_db_instance_in_backup_plan, + control.redshift_cluster_automatic_snapshots_min_7_days, + control.rds_db_instance_backup_enabled, + control.dynamodb_table_point_in_time_recovery_enabled, + control.ec2_instance_ebs_optimized, + control.elasticache_redis_cluster_automatic_backup_retention_15_days, + control.redshift_cluster_maintenance_settings_check, + control.s3_bucket_cross_region_replication_enabled, + control.s3_bucket_versioning_enabled, + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_cp_9_d" { + title = "CP-9(d)" + description = "d. Protect the confidentiality, integrity, and availability of backup information." 
+ children = [ + control.dynamodb_table_in_backup_plan, + control.ec2_ebs_default_encryption_enabled, + control.rds_db_snapshot_encrypted_at_rest, + control.s3_bucket_default_encryption_enabled_kms, + control.sagemaker_notebook_instance_encryption_at_rest_enabled, + control.sns_topic_encrypted_at_rest, + control.apigateway_stage_cache_encryption_at_rest_enabled, + control.cloudtrail_trail_logs_encrypted_with_kms_cmk, + control.log_group_encryption_at_rest_enabled, + control.efs_file_system_encrypt_data_at_rest, + control.es_domain_encryption_at_rest_enabled, + control.ebs_attached_volume_encryption_enabled, + control.rds_db_instance_encryption_at_rest_enabled, + control.redshift_cluster_encryption_logging_enabled, + control.redshift_cluster_kms_enabled, + control.s3_bucket_default_encryption_enabled, + control.sagemaker_endpoint_configuration_encryption_at_rest_enabled + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_cp_9_8" { + title = "CP-9(8) Cryptographic Protection" + description = "Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of [Assignment: organization-defined backup information]." + children = [ + control.rds_db_snapshot_encrypted_at_rest, + control.s3_bucket_default_encryption_enabled_kms, + control.s3_bucket_default_encryption_enabled + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_cp_10" { + title = "System Recovery And Reconstitution (CP-10)" + description = "Provide for the recovery and reconstitution of the system to a known state within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] after a disruption, compromise, or failure." 
+ children = [ + control.dynamodb_table_in_backup_plan, + control.ebs_volume_in_backup_plan, + control.efs_file_system_in_backup_plan, + control.elb_classic_lb_cross_zone_load_balancing_enabled, + control.rds_db_instance_in_backup_plan, + control.redshift_cluster_automatic_snapshots_min_7_days, + control.rds_db_instance_backup_enabled, + control.dynamodb_table_auto_scaling_enabled, + control.dynamodb_table_point_in_time_recovery_enabled, + control.ec2_instance_ebs_optimized, + control.elasticache_redis_cluster_automatic_backup_retention_15_days, + control.rds_db_instance_multiple_az_enabled, + control.s3_bucket_cross_region_replication_enabled, + control.s3_bucket_versioning_enabled, + control.vpc_vpn_tunnel_up, + benchmark.nist_800_53_rev_5_cp_10_2 + + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_cp_10_2" { + title = "CP-10(2) Transaction Recovery (CP-10)" + description = "Implement transaction recovery for systems that are transaction-based." + children = [ + control.dynamodb_table_in_backup_plan, + control.ebs_volume_in_backup_plan, + control.efs_file_system_in_backup_plan, + control.rds_db_instance_in_backup_plan, + control.redshift_cluster_automatic_snapshots_min_7_days, + control.rds_db_instance_backup_enabled, + control.dynamodb_table_point_in_time_recovery_enabled, + control.elasticache_redis_cluster_automatic_backup_retention_15_days, + control.s3_bucket_cross_region_replication_enabled, + control.s3_bucket_versioning_enabled, + ] + + tags = local.nist_800_53_rev_5_common_tags +} \ No newline at end of file diff --git a/nist_800_53_rev_5/ia.sp b/nist_800_53_rev_5/ia.sp new file mode 100644 index 00000000..c9f8b3a4 --- /dev/null +++ b/nist_800_53_rev_5/ia.sp 
@@ -0,0 +1,394 @@ +benchmark "nist_800_53_rev_5_ia" { + title = "Identification and Authentication (IA)" + description = "IA controls are specific to the identification and authentication policies in an organization. This includes the identification and authentication of organizational and non-organizational users and how the management of those systems." + children = [ + benchmark.nist_800_53_rev_5_ia_2, + benchmark.nist_800_53_rev_5_ia_3, + benchmark.nist_800_53_rev_5_ia_5, + benchmark.nist_800_53_rev_5_ia_8 + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ia_2" { + title = "Identification and Authentication (Organizational users) (IA-2)" + description = "The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users)." + children = [ + control.iam_root_user_no_access_keys, + benchmark.nist_800_53_rev_5_ia_2_1, + benchmark.nist_800_53_rev_5_ia_2_2, + benchmark.nist_800_53_rev_5_ia_2_6, + benchmark.nist_800_53_rev_5_ia_2_8 + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ia_2_1" { + title = "IA-2(1) Multi-Factor Authentication To Privileged Accounts" + description = "Implement multi-factor authentication for access to privileged accounts." + children = [ + control.iam_user_mfa_enabled, + control.iam_user_console_access_mfa_enabled, + control.iam_root_user_hardware_mfa_enabled, + control.iam_root_user_mfa_enabled + ] + + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/IAM" + }) +} + +benchmark "nist_800_53_rev_5_ia_2_2" { + title = "IA-2(2) Multi-Factor Authentication To Non-Privileged Accounts" + description = "Implement multi-factor authentication for access to non-privileged accounts." 
+ children = [ + control.iam_user_console_access_mfa_enabled, + control.iam_user_mfa_enabled, + control.iam_root_user_hardware_mfa_enabled, + control.iam_root_user_mfa_enabled + ] + + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/IAM" + }) +} + +benchmark "nist_800_53_rev_5_ia_2_6" { + title = "IA-2(6) Acces To Accounts — Separate Device" + description = "Implement multi-factor authentication for [Selection (one or more): local; network; remote] access to [Selection (one or more): privileged accounts; non-privileged accounts] such that: (a) One of the factors is provided by a device separate from the system gaining access; and (b) The device meets [Assignment: organization-defined strength of mechanism requirements]." + children = [ + control.iam_user_console_access_mfa_enabled, + control.iam_user_mfa_enabled, + control.iam_root_user_hardware_mfa_enabled, + control.iam_root_user_mfa_enabled, + benchmark.nist_800_53_rev_5_ia_2_6_a + ] + + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/IAM" + }) +} + +benchmark "nist_800_53_rev_5_ia_2_6_a" { + title = "IA-2(6)(a)" + description = "Implement multi-factor authentication for [Selection (one or more): local; network; remote] access to [Selection (one or more): privileged accounts; non-privileged accounts] such that: (a) One of the factors is provided by a device separate from the system gaining access;" + children = [ + control.iam_user_console_access_mfa_enabled, + control.iam_user_mfa_enabled, + control.iam_root_user_hardware_mfa_enabled, + control.iam_root_user_mfa_enabled, + ] + + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/IAM" + }) +} + +benchmark "nist_800_53_rev_5_ia_2_8" { + title = "IA-2(8) Access To Accounts — Replay Resistant" + description = "Implement replay-resistant authentication mechanisms for access to [Selection (one or more): privileged accounts; non-privileged accounts]." 
+ children = [ + control.iam_user_console_access_mfa_enabled, + control.iam_user_mfa_enabled, + control.iam_root_user_hardware_mfa_enabled, + control.iam_root_user_mfa_enabled, + ] + + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/IAM" + }) +} + +benchmark "nist_800_53_rev_5_ia_3" { + title = "Device Identification And Authentication (IA-3)" + description = "Uniquely identify and authenticate [Assignment: organization-defined devices and/or types of devices] before establishing a [Selection (one or more): local; remote; network] connection." + children = [ + benchmark.nist_800_53_rev_5_ia_3_3 + + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ia_3_3" { + title = "IA-3(3) Dynamic Address Allocation" + description = "a. Where addresses are allocated dynamically, standardize dynamic address allocation lease information and the lease duration assigned to devices in accordance with [Assignment: organization-defined lease information and lease duration]; and b. Audit lease information when assigned to a device." + children = [ + benchmark.nist_800_53_rev_5_ia_3_3_b + + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ia_3_3_b" { + title = "IA-3(3)(b)" + description = "(b) Audit lease information when assigned to a device." 
+ children = [ + control.cloudtrail_multi_region_trail_enabled, + control.wafv2_web_acl_logging_enabled, + control.apigateway_stage_logging_enabled, + control.cloudtrail_trail_integrated_with_logs, + control.cloudtrail_trail_enabled, + control.cloudtrail_s3_data_events_enabled, + control.elb_application_classic_lb_logging_enabled, + control.rds_db_instance_logging_enabled, + control.redshift_cluster_encryption_logging_enabled, + control.s3_bucket_logging_enabled, + control.vpc_flow_logs_enabled, + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ia_4" { + title = "Identifier Management (IA-4)" + description = "Manage information system identifiers for users and devices. Automate authorizing and disabling users to prevent misuse." + children = [ + benchmark.nist_800_53_rev_5_ia_4_b, + benchmark.nist_800_53_rev_5_ia_4_d, + benchmark.nist_800_53_rev_5_ia_4_4, + benchmark.nist_800_53_rev_5_ia_4_8 + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ia_4_b" { + title = "IA-4(b)" + description = "Manage system identifiers by: b. Selecting an identifier that identifies an individual, group, role, service, or device;" + children = [ + control.iam_root_user_no_access_keys + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ia_4_d" { + title = "IA-4(d)" + description = "Manage system identifiers by: d. Preventing reuse of identifiers for [Assignment: organization-defined time period]." + children = [ + control.iam_account_password_policy_min_length_14 + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ia_4_4" { + title = "IA-4(4)" + description = "Manage individual identifiers by uniquely identifying each individual as [Assignment: organization-defined characteristic identifying individual status]." 
+ children = [ + control.iam_root_user_no_access_keys + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ia_4_8" { + title = "IA-4(8)" + description = "Generate pairwise pseudonymous identifiers." + children = [ + control.iam_root_user_no_access_keys + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ia_5" { + title = "Authenticator Management (IA-5)" + description = "Authenticate users and devices. Automate administrative control. Enforce restrictions. Protect against unauthorized use." + children = [ + control.iam_account_password_policy_min_length_14, + benchmark.nist_800_53_rev_5_ia_5_b, + benchmark.nist_800_53_rev_5_ia_5_c, + benchmark.nist_800_53_rev_5_ia_5_d, + benchmark.nist_800_53_rev_5_ia_5_f, + benchmark.nist_800_53_rev_5_ia_5_h, + benchmark.nist_800_53_rev_5_ia_5_1, + benchmark.nist_800_53_rev_5_ia_5_8, + benchmark.nist_800_53_rev_5_ia_5_18 + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ia_5_b" { + title = "IA-5(b)" + description = "Manage system authenticators by: b. Establishing initial authenticator content for any authenticators issued by the organization;" + children = [ + control.iam_account_password_policy_min_length_14, + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ia_5_c" { + title = "IA-5(c)" + description = "Manage system authenticators by: c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;" + children = [ + control.iam_account_password_policy_min_length_14, + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ia_5_d" { + title = "IA-5(d)" + description = "Manage system authenticators by: d. 
Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators;" + children = [ + control.iam_account_password_policy_min_length_14, + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ia_5_f" { + title = "IA-5(f)" + description = "Manage system authenticators by: f. Changing or refreshing authenticators [Assignment: organization-defined time period by authenticator type] or when [Assignment: organization-defined events] occur;" + children = [ + control.iam_account_password_policy_min_length_14, + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ia_5_h" { + title = "IA-5(h)" + description = "Manage system authenticators by: h. Requiring individuals to take, and having devices implement, specific controls to protect authenticators;" + children = [ + control.iam_account_password_policy_min_length_14, + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ia_5_1" { + title = "IA-5(1) Password-Based Authentication" + description = "The information system, for password-based authentication that enforces minimum password complexity, stores and transmits only cryptographically-protected passwords, enforces password minimum and maximum lifetime restrictions, prohibits password reuse, allows the use of a temporary password for system logons with an immediate change to a permanent password etc." 
+ children = [ + benchmark.nist_800_53_rev_5_ia_5_1_c, + benchmark.nist_800_53_rev_5_ia_5_1_f, + benchmark.nist_800_53_rev_5_ia_5_1_g, + benchmark.nist_800_53_rev_5_ia_5_1_h + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ia_5_1_c" { + title = "IA-5(1)(c)" + description = "For password-based authentication: (c) Transmit passwords only over cryptographically-protected channels;" + children = [ + control.elb_classic_lb_use_tls_https_listeners, + control.elb_application_lb_redirect_http_request_to_https, + control.apigateway_rest_api_stage_use_ssl_certificate, + control.elb_classic_lb_use_ssl_certificate, + control.s3_bucket_enforces_ssl + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ia_5_1_f" { + title = "IA-5(1)(f)" + description = "For password-based authentication: (f) Allow user selection of long passwords and passphrases, including spaces and all printable characters;" + children = [ + control.iam_account_password_policy_min_length_14 + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ia_5_1_g" { + title = "IA-5(1)(g)" + description = "For password-based authentication: (g) Employ automated tools to assist the user in selecting strong password authenticators;" + children = [ + control.iam_account_password_policy_min_length_14 + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ia_5_1_h" { + title = "IA-5(1)(h)" + description = "For password-based authentication: (h) Enforce the following composition and complexity rules: [Assignment: organization-defined composition and complexity rules]." 
+ children = [ + control.iam_account_password_policy_min_length_14 + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ia_5_8" { + title = "IA-5(8) Multiple System Accounts" + description = "Implement [Assignment: organization-defined security controls] to manage the risk of compromise due to individuals having accounts on multiple systems." + children = [ + control.iam_root_user_no_access_keys + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ia_5_18" { + title = "IA-5(18) Password Managers" + description = "a. Employ [Assignment: organization-defined password managers] to generate and manage passwords; and b. Protect the passwords using [Assignment: organization-defined controls]." + children = [ + benchmark.nist_800_53_rev_5_ia_5_18_a, + benchmark.nist_800_53_rev_5_ia_5_18_b + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ia_5_18_a" { + title = "IA-5(18)(a)" + description = "(a) Employ [Assignment: organization-defined password managers] to generate and manage passwords;" + children = [ + control.iam_account_password_policy_min_length_14 + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ia_5_18_b" { + title = "IA-5(18)(b)" + description = "(b) Protect the passwords using [Assignment: organization-defined controls]." + children = [ + control.iam_account_password_policy_min_length_14 + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ia_8" { + title = "Identification And Authentication (Non-Organizational Users) (IA-8)" + description = "Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users." 
+ children = [ + benchmark.nist_800_53_rev_5_ia_8_2 + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ia_8_2" { + title = "IA-8(2) Acceptance Of External Authenticators" + description = "Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users." + children = [ + benchmark.nist_800_53_rev_5_ia_8_2_b + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ia_8_2_b" { + title = "IA-8(2)(b)" + description = "(b) Document and maintain a list of accepted external authenticators." + children = [ + control.iam_account_password_policy_min_length_14 + ] + + tags = local.nist_800_53_rev_5_common_tags +} + diff --git a/nist_800_53_rev_5/ir.sp b/nist_800_53_rev_5/ir.sp new file mode 100644 index 00000000..5f46ea8e --- /dev/null +++ b/nist_800_53_rev_5/ir.sp 
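Review bot: `benchmark.nist_800_53_rev_5_ia_4` is defined in this file but is absent from the `children` of `nist_800_53_rev_5_ia`, which lists only ia_2, ia_3, ia_5 and ia_8, so IA-4 and its four sub-benchmarks never appear in the rev-5 tree; add `benchmark.nist_800_53_rev_5_ia_4,` between the ia_3 and ia_5 entries. Several leaf mappings give little assurance for the requirement they sit under: IA-4(d) identifier reuse, IA-5(18)(a)/(b) password managers and IA-8(2)(b) accepted external authenticators all resolve to `iam_account_password_policy_min_length_14`, and IA-4(8) pairwise pseudonymous identifiers to `iam_root_user_no_access_keys`; where no AWS-side check exists, saying so in the description is more honest than mapping an unrelated control. The IA-8(2) description repeats the parent IA-8 text instead of describing the enhancement. The IA-2(6) title misspells "Acces".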
@@ -0,0 +1,29 @@
+benchmark "nist_800_53_rev_5_ir" {
+ title = "Incident Response (IR)"
+ description = "IR controls are specific to an organization’s incident response policies and procedures. This includes incident response training, testing, monitoring, reporting, and response plan."
+ children = [
+ benchmark.nist_800_53_rev_5_ir_4
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ir_4" {
+ title = "Incident Handling (IR-4)"
+ description = "a. Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery;b. Coordinate incident handling activities with contingency planning activities; c. Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly; and d. Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization."
+ children = [
+ benchmark.nist_800_53_rev_5_ir_4_a
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ir_4_a" {
+ title = "IR-4(a)"
+ description = "a. Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery;"
+ children = [
+ control.guardduty_finding_archived
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
diff --git a/nist_800_53_rev_5/ma.sp b/nist_800_53_rev_5/ma.sp
new file mode 100644
index 00000000..3294d327
--- /dev/null
+++ b/nist_800_53_rev_5/ma.sp
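Review bot: IR-4(a) is evidenced by `control.guardduty_finding_archived` alone, while `control.guardduty_enabled` (used under PE-6 in this same change) is missing here; presumably the archived-finding check has nothing to report in an account where the detector is off, so the enabled check should sit alongside it: `control.guardduty_enabled,` followed by `control.guardduty_finding_archived`. The IR-4 description is also missing a space in "recovery;b. Coordinate".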
@@ -0,0 +1,60 @@
+benchmark "nist_800_53_rev_5_ma" {
+ title = "Maintenance (MA)"
+ description = "The MA controls in NIST 800-53 revision five detail requirements for maintaining organizational systems and the tools used."
+ children = [
+ benchmark.nist_800_53_rev_5_ma_4,
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ma_4" {
+ title = "Nonlocal Maintenance (MA-4)"
+ description = "a. Approve and monitor nonlocal maintenance and diagnostic activities; b. Allow the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the system; c. Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions; d. Maintain records for nonlocal maintenance and diagnostic activities; and e. Terminate session and network connections when nonlocal maintenance is completed."
+ children = [
+ benchmark.nist_800_53_rev_5_ma_4_c,
+ benchmark.nist_800_53_rev_5_ma_4_1,
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ma_4_c" {
+ title = "MA-4(c)"
+ description = "c. Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions;"
+ children = [
+ control.iam_account_password_policy_min_length_14
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ma_4_1" {
+ title = "MA-4(1) Logging And Review"
+ description = "a. Log [Assignment: organization-defined audit events] for nonlocal maintenance and diagnostic sessions; and b. Review the audit records of the maintenance and diagnostic sessions to detect anomalous behavior."
+ children = [
+ benchmark.nist_800_53_rev_5_ma_4_1_a,
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_ma_4_1_a" {
+ title = "MA-4(1)(a)"
+ description = "(a) Log [Assignment: organization-defined audit events] for nonlocal maintenance and diagnostic sessions;"
+ children = [
+ control.cloudtrail_multi_region_trail_enabled,
+ control.wafv2_web_acl_logging_enabled,
+ control.apigateway_stage_logging_enabled,
+ control.cloudtrail_trail_integrated_with_logs,
+ control.cloudtrail_trail_enabled,
+ control.cloudtrail_s3_data_events_enabled,
+ control.elb_application_classic_lb_logging_enabled,
+ control.rds_db_instance_logging_enabled,
+ control.redshift_cluster_encryption_logging_enabled,
+ control.s3_bucket_logging_enabled,
+ control.vpc_flow_logs_enabled,
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
\ No newline at end of file
diff --git a/nist_800_53_rev_5/mp.sp b/nist_800_53_rev_5/mp.sp
new file mode 100644
index 00000000..19908989
--- /dev/null
+++ b/nist_800_53_rev_5/mp.sp
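Review bot: MA-4(c) "strong authentication" is mapped only to `iam_account_password_policy_min_length_14`; a minimum password length is not strong authentication for a maintenance session, and the MFA controls this change already uses under IA-2(1) — `control.iam_user_mfa_enabled`, `control.iam_user_console_access_mfa_enabled`, `control.iam_root_user_mfa_enabled` — are the evidence a reader would expect here. MA-4(1) carries only sub-benchmark (a); the (b) review-of-records requirement has no entry, and if no control applies that should be stated in the MA-4(1) description rather than left silent.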
@@ -0,0 +1,42 @@
+benchmark "nist_800_53_rev_5_mp" {
+ title = "Media Protection (MP)"
+ description = "The Media Protection control family includes controls specific to access, marking, storage, transport policies, sanitization, and defined organizational media use."
+ children = [
+ benchmark.nist_800_53_rev_5_mp_2
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_mp_2" {
+ title = "Media Access (MP-2)"
+ description = "Restrict access to [Assignment: organization-defined types of digital and/or non-digital media] to [Assignment: organization-defined personnel or roles]."
+ children = [
+ control.ec2_instance_uses_imdsv2,
+ control.iam_group_user_role_no_inline_policies,
+ control.ec2_instance_in_vpc,
+ control.dms_replication_instance_not_publicly_accessible,
+ control.ebs_snapshot_not_publicly_restorable,
+ control.ec2_instance_not_publicly_accessible,
+ control.es_domain_in_vpc,
+ control.emr_cluster_master_nodes_no_public_ip,
+ control.iam_policy_no_star_star,
+ control.iam_root_user_no_access_keys,
+ control.iam_user_in_group,
+ control.iam_user_no_inline_attached_policies,
+ control.iam_user_unused_credentials_90,
+ control.lambda_function_in_vpc,
+ control.lambda_function_restrict_public_access,
+ control.rds_db_instance_prohibit_public_access,
+ control.rds_db_snapshot_prohibit_public_access,
+ control.redshift_cluster_prohibit_public_access,
+ control.s3_bucket_restrict_public_read_access,
+ control.s3_bucket_restrict_public_write_access,
+ control.s3_public_access_block_account,
+ control.s3_public_access_block_bucket,
+ control.sagemaker_notebook_instance_direct_internet_access_disabled,
+ control.vpc_subnet_auto_assign_public_ip_disabled,
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
\ No newline at end of file
diff --git a/nist_800_53_rev_5/nist_800_53_rev_5.sp b/nist_800_53_rev_5/nist_800_53_rev_5.sp
new file mode 100644
index 00000000..60c9c44e
--- /dev/null
+++ b/nist_800_53_rev_5/nist_800_53_rev_5.sp
@@ -0,0 +1,32 @@
+locals {
+ nist_800_53_rev_5_common_tags = merge(local.aws_compliance_common_tags, {
+ nist_800_53_rev_5 = "true"
+ type = "Benchmark"
+ })
+}
+
+benchmark "nist_800_53_rev_5" {
+ title = "NIST 800-53 Revision 5"
+ description = "NIST 800-53 is a regulatory standard that defines the minimum baseline of security controls for all U.S. federal information systems except those related to national security."
+ documentation = file("./nist_800_53_rev_5/docs/nist_800_53_rev_5_overview.md")
+
+ children = [
+ benchmark.nist_800_53_rev_5_ac,
+ benchmark.nist_800_53_rev_5_au,
+ benchmark.nist_800_53_rev_5_ca,
+ benchmark.nist_800_53_rev_5_cm,
+ benchmark.nist_800_53_rev_5_cp,
+ benchmark.nist_800_53_rev_5_ia,
+ benchmark.nist_800_53_rev_5_ir,
+ benchmark.nist_800_53_rev_5_ma,
+ benchmark.nist_800_53_rev_5_mp,
+ benchmark.nist_800_53_rev_5_pe,
+ benchmark.nist_800_53_rev_5_pm,
+ benchmark.nist_800_53_rev_5_ra,
+ # benchmark.nist_800_53_rev_5_sa,
+ benchmark.nist_800_53_rev_5_sc,
+ benchmark.nist_800_53_rev_5_si
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
diff --git a/nist_800_53_rev_5/pe.sp b/nist_800_53_rev_5/pe.sp
new file mode 100644
index 00000000..2a9eb151
--- /dev/null
+++ b/nist_800_53_rev_5/pe.sp
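Review bot: the commented-out `# benchmark.nist_800_53_rev_5_sa,` in the children list carries no explanation, so a reader cannot tell whether the SA family is deliberately out of scope or just not written yet; presumably no sa.sp is part of this change. Replace it with `# TODO: benchmark.nist_800_53_rev_5_sa - SA family not yet implemented` so the gap is tracked rather than silently dropped from the report. `local.aws_compliance_common_tags` and the `documentation` file path are referenced but not defined in this diff; confirm both exist in the mod before merging.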
@@ -0,0 +1,40 @@
+benchmark "nist_800_53_rev_5_pe" {
+ title = "Physical And Environmental Protection (PE)"
+ description = "The Physical and Environmental Protection control family is implemented to protect systems, buildings, and related supporting infrastructure against physical threats. These controls include physical access authorizations, monitoring, visitor records, emergency shutoff, power, lighting, fire protection, and water damage protection."
+ children = [
+ benchmark.nist_800_53_rev_5_pe_6
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_pe_6" {
+ title = "Monitoring Physical Access (PE-6)"
+ description = "a. Monitor physical access to the facility where the system resides to detect and respond to physical security incidents; b. Review physical access logs [Assignment: organization-defined frequency] and upon occurrence of [Assignment: organization-defined events or potential indications of events]; and c. Coordinate results of reviews and investigations with the organizational incident response capability."
+ children = [
+ benchmark.nist_800_53_rev_5_pe_6_2,
+ benchmark.nist_800_53_rev_5_pe_6_4
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_pe_6_2" {
+ title = "PE-6(2) Monitoring Physical Access"
+ description = "Recognize [Assignment: organization-defined classes or types of intrusions] and initiate [Assignment: organization-defined response actions] using [Assignment: organization-defined automated mechanisms]."
+ children = [
+ control.guardduty_enabled,
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_pe_6_4" {
+ title = "PE-6(4) Monitoring Physical Access"
+ description = "Monitor physical access to the system in addition to the physical access monitoring of the facility at [Assignment: organization-defined physical spaces containing one or more components of the system]."
+ children = [
+ control.guardduty_enabled,
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
\ No newline at end of file
diff --git a/nist_800_53_rev_5/pm.sp b/nist_800_53_rev_5/pm.sp
new file mode 100644
index 00000000..77a25e88
--- /dev/null
+++ b/nist_800_53_rev_5/pm.sp
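Review bot: PE-6(2) and PE-6(4) are enhancements about monitoring physical access to a facility and to system components, yet the only evidence attached to each is `control.guardduty_enabled`, which reports on account and network activity rather than physical entry. If the intent is that the provider owns the physical layer and GuardDuty is the closest tenant-side signal, that should be written down above each `children = [`, e.g. `# Physical access to provider facilities sits with the provider under shared responsibility; GuardDuty is the tenant-side detection signal.`; otherwise these sub-benchmarks overstate coverage to anyone reading the report.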
@@ -0,0 +1,193 @@ +benchmark "nist_800_53_rev_5_pm" { + title = "Program Management (PM)" + description = "The PM control family is specific to who manages your cybersecurity program and how it operates. This includes, but is not limited to, a critical infrastructure plan, information security program plan, plan of action milestones and processes, risk management strategy, and enterprise architecture." + children = [ + benchmark.nist_800_53_rev_5_pm_11, + benchmark.nist_800_53_rev_5_pm_14, + benchmark.nist_800_53_rev_5_pm_16, + benchmark.nist_800_53_rev_5_pm_17, + benchmark.nist_800_53_rev_5_pm_21, + benchmark.nist_800_53_rev_5_pm_31 + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_pm_11" { + title = "Mission And Business Process Defination (PM-11)" + description = "a. Define organizational mission and business processes with consideration for information security and privacy and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation; and b. Determine information protection and personally identifiable information processing needs arising from the defined mission and business processes; and c. Review and revise the mission and business processes [Assignment: organization-defined frequency]." + children = [ + benchmark.nist_800_53_rev_5_pm_11_b + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_pm_11_b" { + title = "PM-11(b)" + description = "b. 
Determine information protection and personally identifiable information processing needs arising from the defined mission and business processes;" + children = [ + control.cloudtrail_trail_validation_enabled, + control.s3_bucket_default_encryption_enabled, + control.s3_bucket_enforces_ssl, + control.s3_bucket_versioning_enabled, + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_pm_14" { + title = "Testing, Training, And Monitoring (PM-14)" + description = "a. Implement a process for ensuring that organizational plans for conducting security and privacy testing, training, and monitoring activities associated with organizational systems: 1. Are developed and maintained; and 2. Continue to be executed; and b. Review testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions." + children = [ + benchmark.nist_800_53_rev_5_pm_14_a_1, + benchmark.nist_800_53_rev_5_pm_14_b + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_pm_14_a_1" { + title = "PM-14(a)(1)" + description = "a. Implement a process for ensuring that organizational plans for conducting security and privacy testing, training, and monitoring activities associated with organizational systems: 1. 
Are developed and maintained;" + children = [ + control.cloudwatch_log_group_retention_period_365, + control.lambda_function_concurrent_execution_limit_configured, + control.lambda_function_dead_letter_queue_configured, + control.cloudtrail_multi_region_trail_enabled, + control.rds_db_instance_and_cluster_enhanced_monitoring_enabled, + control.rds_db_instance_logging_enabled, + control.securityhub_enabled, + control.wafv2_web_acl_logging_enabled, + control.apigateway_stage_logging_enabled, + control.autoscaling_group_with_lb_use_health_check, + control.elastic_beanstalk_enhanced_health_reporting_enabled, + control.cloudtrail_trail_integrated_with_logs, + control.cloudtrail_trail_enabled, + control.cloudtrail_s3_data_events_enabled, + control.cloudwatch_alarm_action_enabled, + control.elb_application_classic_lb_logging_enabled, + control.guardduty_enabled, + control.redshift_cluster_encryption_logging_enabled, + control.s3_bucket_logging_enabled, + control.vpc_flow_logs_enabled + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_pm_14_b" { + title = "PM-14(b)" + description = "b. Review testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions." 
+ children = [ + control.cloudwatch_log_group_retention_period_365, + control.lambda_function_concurrent_execution_limit_configured, + control.lambda_function_dead_letter_queue_configured, + control.cloudtrail_multi_region_trail_enabled, + control.rds_db_instance_and_cluster_enhanced_monitoring_enabled, + control.rds_db_instance_logging_enabled, + control.securityhub_enabled, + control.wafv2_web_acl_logging_enabled, + control.apigateway_stage_logging_enabled, + control.autoscaling_group_with_lb_use_health_check, + control.elastic_beanstalk_enhanced_health_reporting_enabled, + control.cloudtrail_trail_integrated_with_logs, + control.cloudtrail_trail_enabled, + control.cloudtrail_s3_data_events_enabled, + control.cloudwatch_alarm_action_enabled, + control.elb_application_classic_lb_logging_enabled, + control.guardduty_enabled, + control.redshift_cluster_encryption_logging_enabled, + control.s3_bucket_logging_enabled, + control.vpc_flow_logs_enabled + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_pm_16" { + title = "Threat Awareness Program (PM-16)" + description = "Implement a threat awareness program that includes a cross-organization information-sharing capability for threat intelligence." + children = [ + control.guardduty_enabled, + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_pm_17" { + title = "Protecting Controlled Unclassified Information On External Systems (PM-17)" + description = "a. Establish policy and procedures to ensure that requirements for the protection of controlled unclassified information that is processed, stored or transmitted on external systems, are implemented in accordance with applicable laws, executive orders, directives, policies, regulations, and standards; and b. Review and update the policy and procedures [Assignment: organization-defined frequency]." 
+ children = [ + benchmark.nist_800_53_rev_5_pm_17_b, + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_pm_17_b" { + title = "PM-17(b)" + description = "b. Review and update the policy and procedures [Assignment: organization-defined frequency]." + children = [ + control.es_domain_node_to_node_encryption_enabled, + control.elb_classic_lb_use_tls_https_listeners, + control.elb_application_lb_redirect_http_request_to_https, + control.apigateway_rest_api_stage_use_ssl_certificate, + control.cloudtrail_trail_validation_enabled, + control.elb_classic_lb_use_ssl_certificate, + control.redshift_cluster_encryption_in_transit_enabled, + control.s3_bucket_enforces_ssl, + control.s3_bucket_versioning_enabled + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_pm_21" { + title = "Accounting Of Disclosures (PM-21)" + description = "a. Develop and maintain an accurate accounting of disclosures of personally identifiable information, including: 1. Date, nature, and purpose of each disclosure; and 2. Name and address, or other contact information of the individual or organization to which the disclosure was made; b. Retain the accounting of disclosures for the length of the time the personally identifiable information is maintained or five years after the disclosure is made, whichever is longer; and c. Make the accounting of disclosures available to the individual to whom the personally identifiable information relates upon request." + children = [ + benchmark.nist_800_53_rev_5_pm_21_b + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_pm_21_b" { + title = "PM-21(b)" + description = "b. 
Retain the accounting of disclosures for the length of the time the personally identifiable information is maintained or five years after the disclosure is made, whichever is longer;" + children = [ + control.cloudwatch_log_group_retention_period_365 + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_pm_31" { + title = "Continuous Monitoring Strategy (PM-31)" + description = "Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs that include: a. Establishing the following organization-wide metrics to be monitored: [Assignment: organization-defined metrics]; b. Establishing [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessment of control effectiveness; c. Ongoing monitoring of organizationally-defined metrics in accordance with the continuous monitoring strategy; d. Correlation and analysis of information generated by control assessments and monitoring; e. Response actions to address results of the analysis of control assessment and monitoring information; and f. Reporting the security and privacy status of organizational systems to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency]." 
+ children = [ + control.cloudwatch_log_group_retention_period_365, + control.lambda_function_concurrent_execution_limit_configured, + control.lambda_function_dead_letter_queue_configured, + control.cloudtrail_multi_region_trail_enabled, + control.rds_db_instance_and_cluster_enhanced_monitoring_enabled, + control.rds_db_instance_logging_enabled, + control.securityhub_enabled, + control.wafv2_web_acl_logging_enabled, + control.apigateway_stage_logging_enabled, + control.autoscaling_group_with_lb_use_health_check, + control.elastic_beanstalk_enhanced_health_reporting_enabled, + control.cloudtrail_trail_integrated_with_logs, + control.cloudtrail_trail_enabled, + control.cloudtrail_s3_data_events_enabled, + control.cloudwatch_alarm_action_enabled, + control.elb_application_classic_lb_logging_enabled, + control.guardduty_enabled, + control.redshift_cluster_encryption_logging_enabled, + control.s3_bucket_logging_enabled, + control.vpc_flow_logs_enabled + ] + + tags = local.nist_800_53_rev_5_common_tags +} \ No newline at end of file diff --git a/nist_800_53_rev_5/ra.sp b/nist_800_53_rev_5/ra.sp new file mode 100644 index 00000000..67b97380 --- /dev/null +++ b/nist_800_53_rev_5/ra.sp 
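Review bot: The PM-11 title has a typo in a display string: `title = "Mission And Business Process Defination (PM-11)"` should read `Definition`. The identical 20-control monitoring list is pasted verbatim into `nist_800_53_rev_5_pm_14_a_1`, `nist_800_53_rev_5_pm_14_b` and `nist_800_53_rev_5_pm_31`, so a later edit to one copy will silently diverge from the others; at minimum a comment such as `# keep in sync with nist_800_53_rev_5_pm_14_b and nist_800_53_rev_5_pm_31` on each copy would flag the coupling. PM-17(b) ("Review and update the policy and procedures") is evidenced only by encryption-in-transit and versioning controls, which cannot show that a review happened; marking that as an indirect mapping in a comment would be more honest than leaving it to look like full coverage.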
@@ -0,0 +1,160 @@ +benchmark "nist_800_53_rev_5_ra" { + title = "Risk Assessment (RA)" + description = "The RA control family relates to an organization’s risk assessment policies and vulnerability scanning capabilities. Using an integrated risk management solution like CyberStrong can help streamline and automate your NIST 800 53 compliance efforts." + children = [ + benchmark.nist_800_53_rev_5_ra_1, + benchmark.nist_800_53_rev_5_ra_3, + benchmark.nist_800_53_rev_5_ra_5, + benchmark.nist_800_53_rev_5_ra_10 + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ra_1" { + title = "Policy And Procedures (RA-1)" + description = "Track risk assessment policies that address purpose, scope, roles, management, and organizational compliance." + children = [ + benchmark.nist_800_53_rev_5_ra_1_a, + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ra_1_a" { + title = "RA-1(a)" + description = "a. Establish and maintain a cyber threat hunting capability to: 1. Search for indicators of compromise in organizational systems; and 2. Detect, track, and disrupt threats that evade existing controls;" + children = [ + control.guardduty_enabled, + benchmark.nist_800_53_rev_5_ra_1_a_1, + benchmark.nist_800_53_rev_5_ra_1_a_2 + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ra_1_a_1" { + title = "RA-1(a)(1)" + description = "a. Establish and maintain a cyber threat hunting capability to: 1. Search for indicators of compromise in organizational systems;" + children = [ + control.guardduty_enabled, + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ra_1_a_2" { + title = "RA-1(a)(2)" + description = "a. Establish and maintain a cyber threat hunting capability to: 2. 
Detect, track, and disrupt threats that evade existing controls;" + children = [ + control.guardduty_enabled, + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ra_3" { + title = "Risk Assessment (RA-3)" + description = "Assess risks and magnitude of unauthorized system access, use, disclosure, disruption, modifications, or destruction." + children = [ + benchmark.nist_800_53_rev_5_ra_3_a_1, + benchmark.nist_800_53_rev_5_ra_3_4 + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ra_3_a_1" { + title = "RA-3(a)(1)" + description = "a. Conduct a risk assessment, including: 1. Identifying threats to and vulnerabilities in the system;" + children = [ + control.guardduty_enabled, + control.ssm_managed_instance_compliance_patch_compliant + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ra_3_4" { + title = "RA-3(4) Predictive Cyber Analytics" + description = "Employ the following advanced automation and analytics capabilities to predict and identify risks to [Assignment: organization-defined systems or system components]: [Assignment: organization-defined advanced automation and analytics capabilities]." + children = [ + control.guardduty_enabled, + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ra_5" { + title = "Vulnerability Monitoring And Scanning (RA-5)" + description = "Employ the following advanced automation and analytics capabilities to predict and identify risks to [Assignment: organization-defined systems or system components]: [Assignment: organization-defined advanced automation and analytics capabilities]." + children = [ + benchmark.nist_800_53_rev_5_ra_5_a, + benchmark.nist_800_53_rev_5_ra_5_4 + + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ra_5_a" { + title = "RA-5(a)" + description = "a. 
Monitor and scan for vulnerabilities in the system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system are identified and reported;" + children = [ + control.guardduty_enabled, + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ra_5_4" { + title = "RA-5(4) Discoverable Information" + description = "Determine information about the system that is discoverable and take [Assignment: organization-defined corrective actions]." + children = [ + control.guardduty_enabled, + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ra_10" { + title = "Threat Hunting (RA-10)" + description = "a. Establish and maintain a cyber threat hunting capability to: 1. Search for indicators of compromise in organizational systems; and 2. Detect, track, and disrupt threats that evade existing controls; and b. Employ the threat hunting capability [Assignment: organization-defined frequency]." + children = [ + benchmark.nist_800_53_rev_5_ra_10_a, + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ra_10_a" { + title = "RA-10(a)" + description = "a. Establish and maintain a cyber threat hunting capability to: 1. Search for indicators of compromise in organizational systems; and 2. Detect, track, and disrupt threats that evade existings;" + children = [ + benchmark.nist_800_53_rev_5_ra_10_a_1, + benchmark.nist_800_53_rev_5_ra_10_a_2, + control.guardduty_enabled, + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ra_10_a_1" { + title = "RA-10(a)(1)" + description = "a. Establish and maintain a cyber threat hunting capability to: 1. Search for indicators of compromise in organizational systems; and 2. 
Detect, track, and disrupt threats that evade existings;" + children = [ + control.guardduty_enabled, + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_ra_10_a_2" { + title = "RA-10(a)(2)" + description = "a. Establish and maintain a cyber threat hunting capability to: 2. Detect, track, and disrupt threats that evade existings;" + children = [ + control.guardduty_enabled, + ] + + tags = local.nist_800_53_rev_5_common_tags +} \ No newline at end of file From d5ff92dc780b0528e13922b233a3753f28a4e135 Mon Sep 17 00:00:00 2001 From: Khushboo Date: Wed, 25 May 2022 19:21:17 +0530 Subject: [PATCH 05/20] update --- conformance_pack/acm.sp | 1 + conformance_pack/apigateway.sp | 5 +++++ conformance_pack/autoscaling.sp | 2 ++ conformance_pack/cloudtrail.sp | 6 ++++++ conformance_pack/cloudwatch.sp | 3 +++ conformance_pack/dms.sp | 1 + conformance_pack/dynamodb.sp | 4 ++++ conformance_pack/ebs.sp | 8 ++++++-- 8 files changed, 28 insertions(+), 2 deletions(-) diff --git a/conformance_pack/acm.sp b/conformance_pack/acm.sp index 66a35452..4c3ecc73 100644 --- a/conformance_pack/acm.sp +++ b/conformance_pack/acm.sp @@ -14,6 +14,7 @@ control "acm_certificate_expires_30_days" { gdpr = "true" hipaa = "true" nist_800_53_rev_4 = "true" + nist_800_53_rev_5 = "true" nist_csf = "true" rbi_cyber_security = "true" soc_2 = "true" diff --git a/conformance_pack/apigateway.sp b/conformance_pack/apigateway.sp index 4bfd228f..017f1218 100644 --- a/conformance_pack/apigateway.sp +++ b/conformance_pack/apigateway.sp @@ -14,6 +14,7 @@ control "apigateway_stage_cache_encryption_at_rest_enabled" { gdpr = "true" hipaa = "true" nist_800_53_rev_4 = "true" + nist_800_53_rev_5 = "true" nist_csf = "true" rbi_cyber_security = "true" }) @@ -28,6 +29,7 @@ control "apigateway_stage_logging_enabled" { fedramp = "true" hipaa = "true" nist_800_53_rev_4 = "true" + nist_800_53_rev_5 = "true" nist_csf = "true" rbi_cyber_security = "true" soc_2 = "true" 
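Review bot: The descriptions under RA-1 (`nist_800_53_rev_5_ra_1_a`, `_ra_1_a_1`, `_ra_1_a_2`) are the RA-10 threat-hunting text, and `nist_800_53_rev_5_ra_5` repeats RA-3(4)'s predictive-analytics text, so the strings do not describe the controls they sit under (RA-1 is Policy and Procedures, RA-5 is Vulnerability Monitoring and Scanning); `nist_800_53_rev_5_ra_10_a_1` likewise carries item 2's text in a benchmark titled for item 1. `evade existings;` in RA-10(a), RA-10(a)(1) and RA-10(a)(2) should read `evade existing controls;` as the RA-10 description already does. `nist_800_53_rev_5_ra_1_a` and `nist_800_53_rev_5_ra_10_a` list `control.guardduty_enabled` directly while their child benchmarks also contain it, so the same control is counted twice in the parent's results. The RA family description also carries vendor copy ("Using an integrated risk management solution like CyberStrong ...") that does not belong in a benchmark description.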
@@ -41,6 +43,7 @@ control "apigateway_rest_api_stage_use_ssl_certificate" { tags = merge(local.conformance_pack_apigateway_common_tags, { fedramp = "true" + nist_800_53_rev_5 = "true" rbi_cyber_security = "true" }) } @@ -52,6 +55,8 @@ control "apigateway_stage_use_waf_web_acl" { tags = merge(local.conformance_pack_apigateway_common_tags, { fedramp = "true" + nist_800_53_rev_4 = "true" + nist_800_53_rev_5 = "true" rbi_cyber_security = "true" }) } \ No newline at end of file diff --git a/conformance_pack/autoscaling.sp b/conformance_pack/autoscaling.sp index 085a3cb3..da86484e 100644 --- a/conformance_pack/autoscaling.sp +++ b/conformance_pack/autoscaling.sp @@ -13,6 +13,7 @@ control "autoscaling_group_with_lb_use_health_check" { fedramp = "true" hipaa = "true" nist_800_53_rev_4 = "true" + nist_800_53_rev_5 = "true" nist_csf = "true" }) } @@ -24,6 +25,7 @@ control "autoscaling_launch_config_public_ip_disabled" { tags = merge(local.conformance_pack_autoscaling_common_tags, { fedramp = "true" + nist_800_53_rev_5 = "true" rbi_cyber_security = "true" }) } \ No newline at end of file diff --git a/conformance_pack/cloudtrail.sp b/conformance_pack/cloudtrail.sp index e049c6be..69837062 100644 --- a/conformance_pack/cloudtrail.sp +++ b/conformance_pack/cloudtrail.sp @@ -14,6 +14,7 @@ control "cloudtrail_trail_integrated_with_logs" { gdpr = "true" hipaa = "true" nist_800_53_rev_4 = "true" + nist_800_53_rev_5 = "true" nist_csf = "true" rbi_cyber_security = "true" soc_2 = "true" @@ -30,6 +31,7 @@ control "cloudtrail_s3_data_events_enabled" { gdpr = "true" hipaa = "true" nist_800_53_rev_4 = "true" + nist_800_53_rev_5 = "true" nist_csf = "true" rbi_cyber_security = "true" soc_2 = "true" @@ -46,6 +48,7 @@ control "cloudtrail_trail_logs_encrypted_with_kms_cmk" { gdpr = "true" hipaa = "true" nist_800_53_rev_4 = "true" + nist_800_53_rev_5 = "true" nist_csf = "true" rbi_cyber_security = "true" }) 
@@ -60,6 +63,7 @@ control "cloudtrail_multi_region_trail_enabled" { fedramp = "true" hipaa = "true" nist_800_53_rev_4 = "true" + nist_800_53_rev_5 = "true" nist_csf = "true" rbi_cyber_security = "true" soc_2 = "true" @@ -76,6 +80,7 @@ control "cloudtrail_trail_validation_enabled" { gdpr = "true" hipaa = "true" nist_800_53_rev_4 = "true" + nist_800_53_rev_5 = "true" soc_2 = "true" }) } @@ -89,6 +94,7 @@ control "cloudtrail_trail_enabled" { fedramp = "true" hipaa = "true" nist_800_53_rev_4 = "true" + nist_800_53_rev_5 = "true" nist_csf = "true" rbi_cyber_security = "true" soc_2 = "true" diff --git a/conformance_pack/cloudwatch.sp b/conformance_pack/cloudwatch.sp index 3429c94c..68ea3be5 100644 --- a/conformance_pack/cloudwatch.sp +++ b/conformance_pack/cloudwatch.sp @@ -13,6 +13,7 @@ control "cloudwatch_alarm_action_enabled" { fedramp = "true" hipaa = "true" nist_800_53_rev_4 = "true" + nist_800_53_rev_5 = "true" nist_csf = "true" soc_2 = "true" }) @@ -27,6 +28,7 @@ control "log_group_encryption_at_rest_enabled" { gdpr = "true" hipaa = "true" nist_800_53_rev_4 = "true" + nist_800_53_rev_5 = "true" nist_csf = "true" rbi_cyber_security = "true" soc_2 = "true" @@ -42,6 +44,7 @@ control "cloudwatch_log_group_retention_period_365" { fedramp = "true" hipaa = "true" nist_800_53_rev_4 = "true" + nist_800_53_rev_5 = "true" rbi_cyber_security = "true" soc_2 = "true" }) diff --git a/conformance_pack/dms.sp b/conformance_pack/dms.sp index 2fbc2b4f..449d9eb8 100644 --- a/conformance_pack/dms.sp +++ b/conformance_pack/dms.sp @@ -13,6 +13,7 @@ control "dms_replication_instance_not_publicly_accessible" { fedramp = "true" hipaa = "true" nist_800_53_rev_4 = "true" + nist_800_53_rev_5 = "true" nist_csf = "true" rbi_cyber_security = "true" }) diff --git a/conformance_pack/dynamodb.sp b/conformance_pack/dynamodb.sp index fed55b3d..dca00442 100644 --- a/conformance_pack/dynamodb.sp +++ b/conformance_pack/dynamodb.sp 
@@ -13,6 +13,7 @@ control "dynamodb_table_auto_scaling_enabled" { fedramp = "true" hipaa = "true" nist_800_53_rev_4 = "true" + nist_800_53_rev_5 = "true" nist_csf = "true" }) } @@ -26,6 +27,7 @@ control "dynamodb_table_point_in_time_recovery_enabled" { fedramp = "true" hipaa = "true" nist_800_53_rev_4 = "true" + nist_800_53_rev_5 = "true" nist_csf = "true" rbi_cyber_security = "true" soc_2 = "true" @@ -41,6 +43,7 @@ control "dynamodb_table_encrypted_with_kms_cmk" { gdpr = "true" hipaa = "true" nist_800_53_rev_4 = "true" + nist_800_53_rev_5 = "true" rbi_cyber_security = "true" }) } @@ -53,6 +56,7 @@ control "dynamodb_table_in_backup_plan" { tags = merge(local.conformance_pack_dynamodb_common_tags, { hipaa = "true" nist_800_53_rev_4 = "true" + nist_800_53_rev_5 = "true" nist_csf = "true" rbi_cyber_security = "true" soc_2 = "true" diff --git a/conformance_pack/ebs.sp b/conformance_pack/ebs.sp index 1a585ec2..54f60fe7 100644 --- a/conformance_pack/ebs.sp +++ b/conformance_pack/ebs.sp @@ -13,6 +13,7 @@ control "ebs_snapshot_not_publicly_restorable" { fedramp = "true" hipaa = "true" nist_800_53_rev_4 = "true" + nist_800_53_rev_5 = "true" nist_csf = "true" rbi_cyber_security = "true" }) @@ -26,6 +27,7 @@ control "ebs_volume_encryption_at_rest_enabled" { tags = merge(local.conformance_pack_ebs_common_tags, { gdpr = "true" hipaa = "true" + nist_800_53_rev_5 = "true" rbi_cyber_security = "true" }) } @@ -40,6 +42,7 @@ control "ebs_attached_volume_encryption_enabled" { hipaa = "true" gdpr = "true" nist_800_53_rev_4 = "true" + nist_800_53_rev_5 = "true" nist_csf = "true" rbi_cyber_security = "true" }) @@ -53,6 +56,7 @@ control "ebs_volume_in_backup_plan" { tags = merge(local.conformance_pack_ebs_common_tags, { hipaa = "true" nist_800_53_rev_4 = "true" + nist_800_53_rev_5 = "true" nist_csf = "true" rbi_cyber_security = "true" soc_2 = "true" 
@@ -91,6 +95,6 @@ control "ebs_volume_unsued" { sql = query.ebs_volume_unsued.sql tags = merge(local.conformance_pack_ebs_common_tags, { - fedramp = "true" - }) + fedramp = "true" + nist_800_53_rev_4 = "true" } From 8b59ab657b8f627e3d37422cec841b6986f80b1d Mon Sep 17 00:00:00 2001 From: Khushboo Date: Wed, 25 May 2022 20:20:17 +0530 Subject: [PATCH 06/20] added tags --- conformance_pack/ebs.sp | 2 ++ conformance_pack/ec2.sp | 8 ++++- conformance_pack/ecs.sp | 3 +- conformance_pack/efs.sp | 2 ++ conformance_pack/elasticache.sp | 1 + conformance_pack/elasticbeanstalk.sp | 1 + conformance_pack/elb.sp | 14 ++++++-- conformance_pack/emr.sp | 1 + conformance_pack/es.sp | 4 +++ conformance_pack/guardduty.sp | 2 ++ conformance_pack/iam.sp | 19 ++++++++-- conformance_pack/kms.sp | 2 ++ conformance_pack/lambda.sp | 18 ++++++---- conformance_pack/rds.sp | 23 ++++++++---- conformance_pack/redshift.sp | 6 ++++ conformance_pack/s3.sp | 13 ++++++- conformance_pack/sagemaker.sp | 3 ++ conformance_pack/secretsmanager.sp | 6 ++-- conformance_pack/securityhub.sp | 1 + conformance_pack/sns.sp | 1 + conformance_pack/ssm.sp | 3 ++ conformance_pack/vpc.sp | 14 ++++++-- conformance_pack/wafv2.sp | 1 + .../docs/nist_800_53_rev_5_overview.md | 8 +++++ nist_800_53_rev_5/sa.sp | 35 +++++++++++++++++++ 25 files changed, 164 insertions(+), 27 deletions(-) create mode 100644 nist_800_53_rev_5/docs/nist_800_53_rev_5_overview.md create mode 100644 nist_800_53_rev_5/sa.sp diff --git a/conformance_pack/ebs.sp b/conformance_pack/ebs.sp index 54f60fe7..feca01b7 100644 --- a/conformance_pack/ebs.sp +++ b/conformance_pack/ebs.sp @@ -97,4 +97,6 @@ control "ebs_volume_unsued" { tags = merge(local.conformance_pack_ebs_common_tags, { fedramp = "true" nist_800_53_rev_4 = "true" + nist_800_53_rev_5 = "true" + }) } diff --git a/conformance_pack/ec2.sp b/conformance_pack/ec2.sp index fad14fa1..f3bca1da 100644 --- a/conformance_pack/ec2.sp +++ b/conformance_pack/ec2.sp 
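Review bot: The `ebs_volume_unsued` hunk removes the `})` line together with `fedramp = "true"` but only re-adds two tag lines, leaving the `merge(` call unclosed before the final `}`; the following commit in the series (PATCH 06, `@@ -97,4 +97,6 @@`) restores `})`, so this commit does not parse on its own and the two should be squashed. The tag added here is `nist_800_53_rev_4 = "true"` rather than the `nist_800_53_rev_5` tag the rest of the commit adds (the same happens in `apigateway_stage_use_waf_web_acl`), which may be an intentional backfill but is not mentioned in the commit message.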
@@ -10,7 +10,8 @@ control "ec2_ebs_default_encryption_enabled" { sql = query.ec2_ebs_default_encryption_enabled.sql tags = merge(local.conformance_pack_ec2_common_tags, { - hipaa = "true" + hipaa = "true" + nist_800_53_rev_5 = "true" }) } @@ -36,6 +37,7 @@ control "ec2_instance_in_vpc" { fedramp = "true" hipaa = "true" nist_800_53_rev_4 = "true" + nist_800_53_rev_5 = "true" nist_csf = "true" rbi_cyber_security = "true" }) @@ -50,6 +52,7 @@ control "ec2_instance_not_publicly_accessible" { fedramp = "true" hipaa = "true" nist_800_53_rev_4 = "true" + nist_800_53_rev_5 = "true" nist_csf = "true" rbi_cyber_security = "true" soc_2 = "true" @@ -65,6 +68,7 @@ control "ec2_stopped_instance_30_days" { fedramp = "true" hipaa = "true" nist_800_53_rev_4 = "true" + nist_800_53_rev_5 = "true" }) } @@ -78,6 +82,7 @@ control "ec2_instance_ebs_optimized" { fedramp = "true" hipaa = "true" nist_csf = "true" + nist_800_53_rev_5 = "true" soc_2 = "true" }) } @@ -91,6 +96,7 @@ control "ec2_instance_uses_imdsv2" { fedramp = "true" hipaa = "true" nist_800_53_rev_4 = "true" + nist_800_53_rev_5 = "true" }) } diff --git a/conformance_pack/ecs.sp b/conformance_pack/ecs.sp index cf0fb404..a841e230 100644 --- a/conformance_pack/ecs.sp +++ b/conformance_pack/ecs.sp @@ -10,7 +10,8 @@ control "ecs_task_definition_user_for_host_mode_check" { sql = query.ecs_task_definition_user_for_host_mode_check.sql tags = merge(local.conformance_pack_ecs_common_tags, { - fedramp = "true" + fedramp = "true" + nist_800_53_rev_5 = "true" }) } diff --git a/conformance_pack/efs.sp b/conformance_pack/efs.sp index 69786f24..7d702011 100644 --- a/conformance_pack/efs.sp +++ b/conformance_pack/efs.sp @@ -13,6 +13,7 @@ control "efs_file_system_encrypt_data_at_rest" { gdpr = "true" hipaa = "true" nist_800_53_rev_4 = "true" + nist_800_53_rev_5 = "true" nist_csf = "true" rbi_cyber_security = "true" }) 
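Review bot: In the `ec2_instance_ebs_optimized` hunk the new `nist_800_53_rev_5 = "true"` is inserted between `nist_csf` and `soc_2`, whereas most hunks in this commit keep the tag keys sorted with `nist_800_53_rev_5` directly before `nist_csf`; move the line up one so the map stays alphabetical (the `elb_application_lb_deletion_protection_enabled` hunk has the same inconsistency). The `ec2_ebs_default_encryption_enabled` and `ecs_task_definition_user_for_host_mode_check` hunks also re-emit an unchanged `hipaa`/`fedramp` line purely to realign spacing, which inflates the diff with no behavioral change.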
@@ -26,6 +27,7 @@ control "efs_file_system_in_backup_plan" { tags = merge(local.conformance_pack_efs_common_tags, { hipaa = "true" nist_800_53_rev_4 = "true" + nist_800_53_rev_5 = "true" nist_csf = "true" rbi_cyber_security = "true" soc_2 = "true" diff --git a/conformance_pack/elasticache.sp b/conformance_pack/elasticache.sp index aaa65bbe..8195ad57 100644 --- a/conformance_pack/elasticache.sp +++ b/conformance_pack/elasticache.sp @@ -13,6 +13,7 @@ control "elasticache_redis_cluster_automatic_backup_retention_15_days" { fedramp = "true" hipaa = "true" nist_800_53_rev_4 = "true" + nist_800_53_rev_5 = "true" nist_csf = "true" rbi_cyber_security = "true" soc_2 = "true" diff --git a/conformance_pack/elasticbeanstalk.sp b/conformance_pack/elasticbeanstalk.sp index 21cb2f72..71b4b563 100644 --- a/conformance_pack/elasticbeanstalk.sp +++ b/conformance_pack/elasticbeanstalk.sp @@ -10,5 +10,6 @@ control "elastic_beanstalk_enhanced_health_reporting_enabled" { tags = merge(local.conformance_pack_elasticbeanstalk_common_tags, { fedramp = "true" + nist_800_53_rev_5 = "true" }) } \ No newline at end of file diff --git a/conformance_pack/elb.sp b/conformance_pack/elb.sp index 8ffa42f2..69aad608 100644 --- a/conformance_pack/elb.sp +++ b/conformance_pack/elb.sp @@ -13,6 +13,7 @@ control "elb_application_classic_lb_logging_enabled" { gdpr = "true" hipaa = "true" nist_800_53_rev_4 = "true" + nist_800_53_rev_5 = "true" nist_csf = "true" rbi_cyber_security = "true" soc_2 = "true" @@ -25,9 +26,10 @@ control "elb_application_lb_deletion_protection_enabled" { sql = query.elb_application_lb_deletion_protection_enabled.sql tags = merge(local.conformance_pack_elb_common_tags, { - fedramp = "true" - hipaa = "true" - nist_csf = "true" + fedramp = "true" + hipaa = "true" + nist_csf = "true" + nist_800_53_rev_5 = "true" }) } 
@@ -41,6 +43,7 @@ control "elb_application_lb_redirect_http_request_to_https" { gdpr = "true" hipaa = "true" nist_800_53_rev_4 = "true" + nist_800_53_rev_5 = "true" nist_csf = "true" rbi_cyber_security = "true" }) @@ -54,6 +57,7 @@ control "elb_application_lb_waf_enabled" { tags = merge(local.conformance_pack_elb_common_tags, { fedramp = "true" nist_800_53_rev_4 = "true" + nist_800_53_rev_5 = "true" nist_csf = "true" rbi_cyber_security = "true" }) @@ -68,6 +72,7 @@ control "elb_classic_lb_use_ssl_certificate" { gdpr = "true" hipaa = "true" nist_800_53_rev_4 = "true" + nist_800_53_rev_5 = "true" nist_csf = "true" rbi_cyber_security = "true" }) @@ -97,6 +102,7 @@ control "elb_classic_lb_use_tls_https_listeners" { hipaa = "true" gdpr = "true" nist_800_53_rev_4 = "true" + nist_800_53_rev_5 = "true" rbi_cyber_security = "true" }) } @@ -109,6 +115,7 @@ control "elb_classic_lb_cross_zone_load_balancing_enabled" { tags = merge(local.conformance_pack_elb_common_tags, { fedramp = "true" nist_800_53_rev_4 = "true" + nist_800_53_rev_5 = "true" nist_csf = "true" }) } @@ -120,6 +127,7 @@ control "elb_application_network_lb_use_ssl_certificate" { tags = merge(local.conformance_pack_elb_common_tags, { fedramp = "true" + nist_800_53_rev_5 = "true" rbi_cyber_security = "true" }) } \ No newline at end of file diff --git a/conformance_pack/emr.sp b/conformance_pack/emr.sp index 944b0aad..2c2b2eeb 100644 --- a/conformance_pack/emr.sp +++ b/conformance_pack/emr.sp @@ -25,6 +25,7 @@ control "emr_cluster_master_nodes_no_public_ip" { fedramp = "true" hipaa = "true" nist_800_53_rev_4 = "true" + nist_800_53_rev_5 = "true" nist_csf = "true" rbi_cyber_security = "true" }) diff --git a/conformance_pack/es.sp b/conformance_pack/es.sp index cff32b3f..271aec2f 100644 --- a/conformance_pack/es.sp +++ b/conformance_pack/es.sp 
@@ -13,6 +13,7 @@ control "es_domain_encryption_at_rest_enabled" {
 gdpr = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 })
@@ -27,6 +28,7 @@ control "es_domain_in_vpc" {
 fedramp = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 })
@@ -42,6 +44,7 @@ control "es_domain_node_to_node_encryption_enabled" {
 gdpr = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 rbi_cyber_security = "true"
 })
 }
@@ -53,6 +56,7 @@ control "es_domain_logs_to_cloudwatch" {
 tags = merge(local.conformance_pack_es_common_tags, {
 fedramp = "true"
+ nist_800_53_rev_5 = "true"
 rbi_cyber_security = "true"
 })
 }
\ No newline at end of file
diff --git a/conformance_pack/guardduty.sp b/conformance_pack/guardduty.sp
index d12a01d8..baf4f708 100644
--- a/conformance_pack/guardduty.sp
+++ b/conformance_pack/guardduty.sp
@@ -13,6 +13,7 @@ control "guardduty_enabled" {
 fedramp = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 soc_2 = "true"
 })
@@ -27,6 +28,7 @@ control "guardduty_finding_archived" {
 fedramp = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 soc_2 = "true"
diff --git a/conformance_pack/iam.sp b/conformance_pack/iam.sp
index 963866e3..d8886157 100644
--- a/conformance_pack/iam.sp
+++ b/conformance_pack/iam.sp
@@ -46,6 +46,7 @@ control "iam_policy_no_star_star" {
 gdpr = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 soc_2 = "true"
@@ -62,6 +63,7 @@ control "iam_root_user_no_access_keys" {
 gdpr = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 })
@@ -77,6 +79,7 @@ control "iam_root_user_hardware_mfa_enabled" {
 gdpr = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 })
 }
@@ -92,6 +95,7 @@ control "iam_root_user_mfa_enabled" {
 gdpr = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 })
 }
@@ -106,6 +110,7 @@ control "iam_user_access_key_age_90" {
 gdpr = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 })
 }
@@ -121,6 +126,7 @@ control "iam_user_console_access_mfa_enabled" {
 gdpr = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 })
 }
@@ -135,6 +141,7 @@ control "iam_user_mfa_enabled" {
 fedramp = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 })
 }
@@ -149,6 +156,7 @@ control "iam_user_no_inline_attached_policies" {
 gdpr = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 soc_2 = "true"
@@ -165,6 +173,7 @@ control "iam_user_unused_credentials_90" {
 gdpr = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 soc_2 = "true"
 })
@@ -179,6 +188,7 @@ control "iam_user_in_group" {
 fedramp = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 soc_2 = "true"
 })
@@ -193,6 +203,7 @@ control "iam_group_user_role_no_inline_policies" {
 fedramp = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 rbi_cyber_security = "true"
 soc_2 = "true"
 })
@@ -214,9 +225,10 @@ control "iam_account_password_policy_min_length_14" {
 sql = query.iam_account_password_policy_min_length_14.sql
 tags = merge(local.conformance_pack_iam_common_tags, {
- fedramp = "true"
- gdpr = "true"
- hipaa = "true"
+ fedramp = "true"
+ gdpr = "true"
+ hipaa = "true"
+ nist_800_53_rev_5 = "true"
 })
 }
@@ -303,6 +315,7 @@ control "iam_all_policy_no_service_wild_card" {
 tags = merge(local.conformance_pack_iam_common_tags, {
 fedramp = "true"
+ nist_800_53_rev_5 = "true"
 rbi_cyber_security = "true"
 })
 }
diff --git a/conformance_pack/kms.sp b/conformance_pack/kms.sp
index 58e3fcff..b9434c13 100644
--- a/conformance_pack/kms.sp
+++ b/conformance_pack/kms.sp
@@ -13,6 +13,7 @@ control "kms_key_not_pending_deletion" {
 fedramp = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 })
@@ -28,6 +29,7 @@ control "kms_cmk_rotation_enabled" {
 hippa = "true"
 gdpr = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 rbi_cyber_security = "true"
 })
 }
diff --git a/conformance_pack/lambda.sp b/conformance_pack/lambda.sp
index 6c96a6b8..e3ac0521 100644
--- a/conformance_pack/lambda.sp
+++ b/conformance_pack/lambda.sp
@@ -10,10 +10,11 @@ control "lambda_function_dead_letter_queue_configured" {
 sql = query.lambda_function_dead_letter_queue_configured.sql
 tags = merge(local.conformance_pack_lambda_common_tags, {
- fedramp = "true"
- hipaa = "true"
- nist_csf = "true"
- soc_2 = "true"
+ fedramp = "true"
+ hipaa = "true"
+ nist_csf = "true"
+ nist_800_53_rev_5 = "true"
+ soc_2 = "true"
 })
 }
@@ -26,6 +27,7 @@ control "lambda_function_in_vpc" {
 hipaa = "true"
 fedramp = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 })
@@ -40,6 +42,7 @@ control "lambda_function_restrict_public_access" {
 hipaa = "true"
 fedramp = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 })
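Review bot: The context line `hippa = "true"` in the `kms_cmk_rotation_enabled` tag block is a misspelling of `hipaa`, so this control is silently dropped from any `hipaa` tag filter; since the hunk already edits this block, changing it to `hipaa = "true"` here is cheap. The `redshift_cluster_automatic_snapshots_min_7_days` block in a later hunk of this commit has the same class of defect with `sco_2 = "true"` in place of `soc_2`. The mod loader does not validate tag keys, so nothing will flag these at load time; a quick consistency check over the set of keys used across the conformance packs would catch both.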
@@ -51,8 +54,9 @@ control "lambda_function_concurrent_execution_limit_configured" {
 sql = query.lambda_function_concurrent_execution_limit_configured.sql
 tags = merge(local.conformance_pack_lambda_common_tags, {
- fedramp = "true"
- nist_csf = "true"
- soc_2 = "true"
+ fedramp = "true"
+ nist_csf = "true"
+ nist_800_53_rev_5 = "true"
+ soc_2 = "true"
 })
 }
diff --git a/conformance_pack/rds.sp b/conformance_pack/rds.sp
index c8658fba..f141873e 100644
--- a/conformance_pack/rds.sp
+++ b/conformance_pack/rds.sp
@@ -13,6 +13,7 @@ control "rds_db_instance_backup_enabled" {
 fedramp = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 soc_2 = "true"
@@ -28,6 +29,7 @@ control "rds_db_instance_encryption_at_rest_enabled" {
 gdpr = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 })
@@ -42,6 +44,7 @@ control "rds_db_instance_multiple_az_enabled" {
 fedramp = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 })
 }
@@ -56,6 +59,7 @@ control "rds_db_instance_prohibit_public_access" {
 fedramp = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 soc_2 = "true"
@@ -72,6 +76,7 @@ control "rds_db_snapshot_encrypted_at_rest" {
 gdpr = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 rbi_cyber_security = "true"
 })
 }
@@ -86,6 +91,7 @@ control "rds_db_snapshot_prohibit_public_access" {
 fedramp = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 })
@@ -100,6 +106,7 @@ control "rds_db_instance_logging_enabled" {
 fedramp = "true"
 gdpr = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 rbi_cyber_security = "true"
 soc_2 = "true"
 })
@@ -114,6 +121,7 @@ control "rds_db_instance_in_backup_plan" {
 gdpr = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 soc_2 = "true"
@@ -126,8 +134,9 @@ control "rds_db_instance_and_cluster_enhanced_monitoring_enabled" {
 sql = query.rds_db_instance_and_cluster_enhanced_monitoring_enabled.sql
 tags = merge(local.conformance_pack_rds_common_tags, {
- fedramp = "true"
- nist_csf = "true"
+ fedramp = "true"
+ nist_csf = "true"
+ nist_800_53_rev_5 = "true"
 })
 }
@@ -139,6 +148,7 @@ control "rds_db_instance_deletion_protection_enabled" {
 tags = merge(local.conformance_pack_rds_common_tags, {
 fedramp = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 soc_2 = "true"
 })
 }
@@ -172,10 +182,11 @@ control "rds_db_instance_protected_by_backup_plan" {
 sql = query.rds_db_instance_protected_by_backup_plan.sql
 tags = merge(local.conformance_pack_rds_common_tags, {
- fedramp = "true"
- hipaa = "true"
- nist_csf = "true"
- soc_2 = "true"
+ fedramp = "true"
+ hipaa = "true"
+ nist_csf = "true"
+ nist_800_53_rev_5 = "true"
+ soc_2 = "true"
 })
 }
diff --git a/conformance_pack/redshift.sp b/conformance_pack/redshift.sp
index 0fdf4be1..fcb70493 100644
--- a/conformance_pack/redshift.sp
+++ b/conformance_pack/redshift.sp
@@ -14,6 +14,7 @@ control "redshift_cluster_encryption_in_transit_enabled" {
 gdpr = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 })
@@ -29,6 +30,7 @@ control "redshift_cluster_encryption_logging_enabled" {
 gdpr = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 soc_2 = "true"
@@ -44,6 +46,7 @@ control "redshift_cluster_prohibit_public_access" {
 fedramp = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 })
@@ -59,6 +62,7 @@ control "redshift_cluster_automatic_snapshots_min_7_days" {
 gdpr = "true"
 hipaa = "true"
 nist_csf = "true"
+ nist_800_53_rev_5 = "true"
 rbi_cyber_security = "true"
 sco_2 = "true"
 })
@@ -71,6 +75,7 @@ control "redshift_cluster_kms_enabled" {
 tags = merge(local.conformance_pack_redshift_common_tags, {
 fedramp = "true"
+ nist_800_53_rev_5 = "true"
 rbi_cyber_security = "true"
 })
 }
@@ -81,6 +86,7 @@ control "redshift_cluster_maintenance_settings_check" {
 sql = query.redshift_cluster_maintenance_settings_check.sql
 tags = merge(local.conformance_pack_redshift_common_tags, {
+ nist_800_53_rev_5 = "true"
 rbi_cyber_security = "true"
 })
 }
\ No newline at end of file
diff --git a/conformance_pack/s3.sp b/conformance_pack/s3.sp
index 23c62576..7a863deb 100644
--- a/conformance_pack/s3.sp
+++ b/conformance_pack/s3.sp
@@ -13,6 +13,7 @@ control "s3_bucket_cross_region_replication_enabled" {
 fedramp = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 soc_2 = "true"
@@ -28,6 +29,7 @@ control "s3_bucket_default_encryption_enabled" {
 gdpr = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 })
@@ -43,6 +45,7 @@ control "s3_bucket_enforces_ssl" {
 gdpr = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 })
@@ -57,6 +60,7 @@ control "s3_bucket_logging_enabled" {
 fedramp = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 soc_2 = "true"
@@ -86,6 +90,7 @@ control "s3_bucket_restrict_public_read_access" {
 fedramp = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 soc_2 = "true"
@@ -102,6 +107,7 @@ control "s3_bucket_restrict_public_write_access" {
 fedramp = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 })
@@ -117,6 +123,8 @@ control "s3_bucket_versioning_enabled" {
 fedramp = "true"
 hipaa = "true"
 nist_csf = "true"
+ nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 rbi_cyber_security = "true"
 soc_2 = "true"
 })
@@ -131,6 +139,7 @@ control "s3_public_access_block_account" {
 fedramp = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 })
 }
@@ -158,6 +167,7 @@ control "s3_bucket_default_encryption_enabled_kms" {
 fedramp = "true"
 gdpr = "true"
 hipaa = "true"
+ nist_800_53_rev_5 = "true"
 rbi_cyber_security = "true"
 })
 }
@@ -168,7 +178,8 @@ control "s3_public_access_block_bucket" {
 sql = query.s3_public_access_block_bucket.sql
 tags = merge(local.conformance_pack_s3_common_tags, {
- fedramp = "true"
+ fedramp = "true"
+ nist_800_53_rev_5 = "true"
 })
 }
diff --git a/conformance_pack/sagemaker.sp b/conformance_pack/sagemaker.sp
index 0a1aaff4..2327ac96 100644
--- a/conformance_pack/sagemaker.sp
+++ b/conformance_pack/sagemaker.sp
@@ -13,6 +13,7 @@ control "sagemaker_notebook_instance_direct_internet_access_disabled" {
 fedramp = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 })
@@ -28,6 +29,7 @@ control "sagemaker_notebook_instance_encryption_at_rest_enabled" {
 gdpr = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 })
@@ -43,6 +45,7 @@ control "sagemaker_endpoint_configuration_encryption_at_rest_enabled" {
 gdpr = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 })
diff --git a/conformance_pack/secretsmanager.sp b/conformance_pack/secretsmanager.sp
index 4840206a..3f3cff2e 100644
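Review bot: The `s3_bucket_versioning_enabled` hunk also adds `nist_800_53_rev_4 = "true"`, which is outside the scope of this commit (rev-5 tagging) and has no visible counterpart in the rev-4 benchmark tree. If no `nist_800_53_rev_4_*` benchmark lists this control, the tag advertises a framework mapping that does not exist and will mislead anyone filtering controls by tag; either drop that line here or add the matching rev-4 benchmark reference in its own commit so the change is reviewable on its own.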
--- a/conformance_pack/secretsmanager.sp
+++ b/conformance_pack/secretsmanager.sp
@@ -10,8 +10,9 @@ control "secretsmanager_secret_automatic_rotation_enabled" {
 sql = query.secretsmanager_secret_automatic_rotation_enabled.sql
 tags = merge(local.conformance_pack_secretsmanager_common_tags, {
- hipaa = "true"
- nist_csf = "true"
+ hipaa = "true"
+ nist_csf = "true"
+ nist_800_53_rev_5 = "true"
 })
 }
@@ -22,6 +23,7 @@ control "secretsmanager_secret_rotated_as_scheduled" {
 tags = merge(local.conformance_pack_secretsmanager_common_tags, {
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 })
 }
diff --git a/conformance_pack/securityhub.sp b/conformance_pack/securityhub.sp
index 77bdee47..a0f2d17a 100644
--- a/conformance_pack/securityhub.sp
+++ b/conformance_pack/securityhub.sp
@@ -13,6 +13,7 @@ control "securityhub_enabled" {
 fedramp = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 soc_2 = "true"
diff --git a/conformance_pack/sns.sp b/conformance_pack/sns.sp
index 4aefd546..69d3a701 100644
--- a/conformance_pack/sns.sp
+++ b/conformance_pack/sns.sp
@@ -14,6 +14,7 @@ control "sns_topic_encrypted_at_rest" {
 gdpr = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 })
diff --git a/conformance_pack/ssm.sp b/conformance_pack/ssm.sp
index f8bc15ab..d225bfdc 100644
--- a/conformance_pack/ssm.sp
+++ b/conformance_pack/ssm.sp
@@ -13,6 +13,7 @@ control "ec2_instance_ssm_managed" {
 hipaa = "true"
 fedramp = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 soc_2 = "true"
@@ -28,6 +29,7 @@ control "ssm_managed_instance_compliance_association_compliant" {
 fedramp = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 soc_2 = "true"
@@ -43,6 +45,7 @@ control "ssm_managed_instance_compliance_patch_compliant" {
 fedramp = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 rbi_cyber_security = "true"
 soc_2 = "true"
 })
diff --git a/conformance_pack/vpc.sp b/conformance_pack/vpc.sp
index 81ff5c81..967b7cf2 100644
--- a/conformance_pack/vpc.sp
+++ b/conformance_pack/vpc.sp
@@ -14,6 +14,7 @@ control "vpc_flow_logs_enabled" {
 gdpr = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 soc_2 = "true"
@@ -42,6 +43,7 @@ control "vpc_security_group_restrict_ingress_tcp_udp_all" {
 fedramp = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 })
@@ -57,6 +59,7 @@ control "vpc_security_group_restrict_ingress_common_ports_all" {
 fedramp = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 })
@@ -72,6 +75,7 @@ control "vpc_security_group_restrict_ingress_ssh_all" {
 fedramp = "true"
 hipaa = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 soc_2 = "true"
@@ -86,6 +90,7 @@ control "vpc_default_security_group_restricts_all_traffic" {
 tags = merge(local.conformance_pack_vpc_common_tags, {
 fedramp = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 })
@@ -97,9 +102,10 @@ control "vpc_vpn_tunnel_up" {
 sql = query.vpc_vpn_tunnel_up.sql
 tags = merge(local.conformance_pack_vpc_common_tags, {
- fedramp = "true"
- hipaa = "true"
- nist_csf = "true"
+ fedramp = "true"
+ hipaa = "true"
+ nist_csf = "true"
+ nist_800_53_rev_5 = "true"
 })
 }
@@ -131,6 +137,7 @@ control "vpc_subnet_auto_assign_public_ip_disabled" {
 tags = merge(local.conformance_pack_vpc_common_tags, {
 fedramp = "true"
 nist_csf = "true"
+ nist_800_53_rev_5 = "true"
 rbi_cyber_security = "true"
 })
 }
@@ -142,6 +149,7 @@ control "vpc_route_table_restrict_public_access_to_igw" {
 tags = merge(local.conformance_pack_vpc_common_tags, {
 fedramp = "true"
+ nist_800_53_rev_5 = "true"
 rbi_cyber_security = "true"
 })
 }
diff --git a/conformance_pack/wafv2.sp b/conformance_pack/wafv2.sp
index 1c0d8be1..87201562 100644
--- a/conformance_pack/wafv2.sp
+++ b/conformance_pack/wafv2.sp
@@ -14,6 +14,7 @@ control "wafv2_web_acl_logging_enabled" {
 hipaa = "true"
 gdpr = "true"
 nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
 soc_2 = "true"
diff --git a/nist_800_53_rev_5/docs/nist_800_53_rev_5_overview.md b/nist_800_53_rev_5/docs/nist_800_53_rev_5_overview.md
new file mode 100644
index 00000000..761d7f2c
--- /dev/null
+++ b/nist_800_53_rev_5/docs/nist_800_53_rev_5_overview.md
@@ -0,0 +1,8 @@
+To obtain the latest version of the official guide, please visit https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final.
+
+ ## Overview
+
+ NIST 800-53 is a regulatory standard that defines the minimum baseline of
+ security controls for all U.S. federal information systems except those related
+ to national security. The controls defined in this standard are customizable
+ and address a diverse set of security and privacy requirements.
diff --git a/nist_800_53_rev_5/sa.sp b/nist_800_53_rev_5/sa.sp
new file mode 100644
index 00000000..0fdf3d78
--- /dev/null
+++ b/nist_800_53_rev_5/sa.sp
@@ -0,0 +1,35 @@
+benchmark "nist_800_53_rev_5_sa" {
+ title = "System and Services Acquisition (SA)"
+ description = "The SA control family correlates with controls that protect allocated resources and an organization’s system development life cycle. This includes information system documentation controls, development configuration management controls, and developer security testing and evaluation controls."
+ children = [
+ benchmark.nist_800_53_rev_5_sa_3,
+ benchmark.nist_800_53_rev_5_sa_10
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_sa_3" {
+ title = "System Development Life Cycle (SA-3)"
+ description = "The organization manages the information system using organization-defined system development life cycle, defines and documents information security roles and responsibilities throughout the system development life cycle, identifies individuals having information security roles and responsibilities and integrates the organizational information security risk management process into system development life cycle activities."
+ children = [
+ control.codebuild_project_plaintext_env_variables_no_sensitive_aws_values,
+ control.codebuild_project_source_repo_oauth_configured,
+ control.ec2_instance_ssm_managed
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_sa_10" {
+ title = "Developer Configuration Management (SA-10)"
+ description = "The organization requires the developer of the information system, system component, or information system service to: a. Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation]; b. Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management]; c. Implement only organization-approved changes to the system, component, or service; d. Document approved changes to the system, component, or service and the potential security impacts of such changes; and e. Track security flaws and flaw resolution within the system, component, or service and report findings to [Assignment: organization-defined personnel]."
+ children = [
+ control.ec2_instance_ssm_managed,
+ control.guardduty_enabled,
+ control.guardduty_finding_archived,
+ control.securityhub_enabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
From 98c244e22ea7471a17606c8320b5650361c5ae26 Mon Sep 17 00:00:00 2001 From: Khushboo Date: Thu, 26 May 2022 14:06:12 +0530 Subject: [PATCH 07/20] update
---
conformance_pack/redshift.sp | 10 +++ conformance_pack/secretsmanager.sp | 10 +++ nist_800_53_rev_5/ac.sp | 24 ++++++ nist_800_53_rev_5/au.sp | 9 +- nist_800_53_rev_5/cm.sp | 8 +- nist_800_53_rev_5/cp.sp | 3 +- nist_800_53_rev_5/ia.sp | 1 + nist_800_53_rev_5/nist_800_53_rev_5.sp | 2 +- nist_800_53_rev_5/sa.sp | 86 ++++++++++++++++--- nist_800_53_rev_5/sc.sp | 4 + nist_800_53_rev_5/si.sp | 3 +- .../secretsmanager_secret_unused_90_day.sql | 18 ++++ 12 files changed, 158 insertions(+), 20 deletions(-) create mode 100644 query/secretsmanager/secretsmanager_secret_unused_90_day.sql
diff --git a/conformance_pack/redshift.sp b/conformance_pack/redshift.sp
index fcb70493..432d97cc 100644
--- a/conformance_pack/redshift.sp
+++ b/conformance_pack/redshift.sp
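Review bot: The `nist_800_53_rev_5_sa_3` description appears to be the Rev. 4 wording of SA-3 ("The organization manages the information system using organization-defined system development life cycle, ..."), whereas the sibling `nist_800_53_rev_5_sa_10` uses Rev. 5 phrasing with `[Selection ...]`/`[Assignment ...]` parameters. In a Rev. 5 benchmark the SA-3 text should presumably follow the Rev. 5 enumerated form (a.–d.) as SA-10 does; please confirm against the current publication and align the two, since auditors read these strings as the control text being asserted. The top-level `nist_800_53_rev_5_sa` benchmark is referenced from the root benchmark in a later commit of this series, so it is only the description wording that is open here.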
@@ -89,4 +89,14 @@ control "redshift_cluster_maintenance_settings_check" {
 nist_800_53_rev_5 = "true"
 rbi_cyber_security = "true"
 })
+}
+
+control "redshift_cluster_enhanced_vpc_routing_enabled" {
+ title = "Amazon Redshift enhanced VPC routing should be enabled"
+ description = "Ensure if Amazon Redshift cluster has 'enhancedVpcRouting' enabled. The rule is non compliant if 'enhancedVpcRouting' is not enabled or if the configuration.enhancedVpcRouting field is 'false'."
+ sql = query.redshift_cluster_enhanced_vpc_routing_enabled.sql
+
+ tags = merge(local.conformance_pack_redshift_common_tags, {
+ nist_800_53_rev_5 = "true"
+ })
 }
\ No newline at end of file
diff --git a/conformance_pack/secretsmanager.sp b/conformance_pack/secretsmanager.sp
index 3f3cff2e..d97b7644 100644
--- a/conformance_pack/secretsmanager.sp
+++ b/conformance_pack/secretsmanager.sp
@@ -27,3 +27,13 @@ control "secretsmanager_secret_rotated_as_scheduled" {
 nist_csf = "true"
 })
 }
+
+control "secretsmanager_secret_unused_90_day" {
+ title = "Secrets Manager secrets should be rotated as per the rotation schedule"
+ description = "Ensure if AWS Secrets Manager secrets have been accessed within a specified number of days. The rule is non compiant if a secret has not been accessed in ‘unusedForDays’ number of days. The default value is 90 days."
+ sql = query.secretsmanager_secret_unused_90_day.sql
+
+ tags = merge(local.conformance_pack_secretsmanager_common_tags, {
+ nist_800_53_rev_5 = "true"
+ })
+}
\ No newline at end of file
diff --git a/nist_800_53_rev_5/ac.sp b/nist_800_53_rev_5/ac.sp
index 410e9102..39c47970 100644
--- a/nist_800_53_rev_5/ac.sp
+++ b/nist_800_53_rev_5/ac.sp
@@ -85,6 +85,7 @@ benchmark "nist_800_53_rev_5_ac_2_1" {
 control.iam_user_access_key_age_90,
 control.iam_account_password_policy_min_length_14,
 control.iam_policy_no_star_star,
+ control.secretsmanager_secret_unused_90_day,
 control.iam_root_user_no_access_keys,
 control.iam_user_in_group,
 control.iam_user_mfa_enabled,
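Review bot: The title of the new `secretsmanager_secret_unused_90_day` control, `Secrets Manager secrets should be rotated as per the rotation schedule`, is a copy of the `secretsmanager_secret_rotated_as_scheduled` title and does not describe what this control checks; its own description says the rule fails when a secret has not been accessed within `unusedForDays`. Suggest `title = "Secrets Manager secrets that have not been used in 90 days should be removed"` (or similar), and fixing `non compiant` to `non compliant` in the description. Unused secrets are a credential-exposure and cleanup concern rather than a rotation one, so a misleading title will send anyone triaging findings by control name to the wrong remediation.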
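Review bot: `control.secretsmanager_secret_unused_90_day` is inserted at a different position in each children list it is added to — here between `iam_policy_no_star_star` and `iam_root_user_no_access_keys`, elsewhere after `iam_group_user_role_no_inline_policies`, after `iam_user_access_key_age_90`, or after `iam_user_mfa_enabled` — and the same applies to every ac.sp hunk in this patch and to the cm_5_1_a hunk in cm.sp. In the ac_24 list the two existing `control.secretsmanager_secret_*` entries sit together at the end, so placing the new control alongside them keeps the lists scannable by service and makes future diffs smaller. This is a style point only; the mod semantics are unchanged by list order.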
@@ -307,6 +308,7 @@ benchmark "nist_800_53_rev_5_ac_3_3" {
 children = [
 control.ec2_instance_uses_imdsv2,
 control.iam_group_user_role_no_inline_policies,
+ control.secretsmanager_secret_unused_90_day,
 control.iam_user_access_key_age_90,
 control.iam_account_password_policy_min_length_14,
 control.iam_policy_no_star_star,
@@ -341,6 +343,7 @@ benchmark "nist_800_53_rev_5_ac_3_3_a" {
 control.iam_group_user_role_no_inline_policies,
 control.iam_user_access_key_age_90,
 control.iam_account_password_policy_min_length_14,
+ control.secretsmanager_secret_unused_90_day,
 control.iam_policy_no_star_star,
 control.iam_root_user_no_access_keys,
 control.iam_user_in_group,
@@ -365,6 +368,7 @@ benchmark "nist_800_53_rev_5_ac_3_3_b_1" {
 control.ec2_instance_uses_imdsv2,
 control.iam_group_user_role_no_inline_policies,
 control.iam_user_access_key_age_90,
+ control.secretsmanager_secret_unused_90_day,
 control.iam_account_password_policy_min_length_14,
 control.iam_policy_no_star_star,
 control.iam_root_user_no_access_keys,
@@ -390,6 +394,7 @@ benchmark "nist_800_53_rev_5_ac_3_3_b_2" {
 control.ec2_instance_uses_imdsv2,
 control.iam_group_user_role_no_inline_policies,
 control.iam_user_access_key_age_90,
+ control.secretsmanager_secret_unused_90_day,
 control.iam_account_password_policy_min_length_14,
 control.iam_policy_no_star_star,
 control.iam_root_user_no_access_keys,
@@ -417,6 +422,7 @@ benchmark "nist_800_53_rev_5_ac_3_3_b_3" {
 control.iam_user_access_key_age_90,
 control.iam_account_password_policy_min_length_14,
 control.iam_policy_no_star_star,
+ control.secretsmanager_secret_unused_90_day,
 control.iam_root_user_no_access_keys,
 control.iam_user_in_group,
 control.iam_user_mfa_enabled,
@@ -442,6 +448,7 @@ benchmark "nist_800_53_rev_5_ac_3_3_b_4" {
 control.iam_user_access_key_age_90,
 control.iam_account_password_policy_min_length_14,
 control.iam_policy_no_star_star,
+ control.secretsmanager_secret_unused_90_day,
 control.iam_root_user_no_access_keys,
 control.iam_user_in_group,
 control.iam_user_mfa_enabled,
@@ -465,6 +472,7 @@ benchmark "nist_800_53_rev_5_ac_3_3_b_5" {
 control.ec2_instance_uses_imdsv2,
 control.iam_group_user_role_no_inline_policies,
 control.iam_user_access_key_age_90,
+ control.secretsmanager_secret_unused_90_day,
 control.iam_account_password_policy_min_length_14,
 control.iam_policy_no_star_star,
 control.iam_root_user_no_access_keys,
@@ -490,6 +498,7 @@ benchmark "nist_800_53_rev_5_ac_3_3_c" {
 control.ec2_instance_uses_imdsv2,
 control.iam_group_user_role_no_inline_policies,
 control.iam_user_access_key_age_90,
+ control.secretsmanager_secret_unused_90_day,
 control.iam_account_password_policy_min_length_14,
 control.iam_policy_no_star_star,
 control.iam_root_user_no_access_keys,
@@ -515,6 +524,7 @@ benchmark "nist_800_53_rev_5_ac_3_4" {
 control.ec2_instance_uses_imdsv2,
 control.iam_group_user_role_no_inline_policies,
 control.iam_user_access_key_age_90,
+ control.secretsmanager_secret_unused_90_day,
 control.iam_account_password_policy_min_length_14,
 control.iam_policy_no_star_star,
 control.iam_root_user_no_access_keys,
@@ -544,6 +554,7 @@ benchmark "nist_800_53_rev_5_ac_3_4_a" {
 children = [
 control.ec2_instance_uses_imdsv2,
 control.iam_group_user_role_no_inline_policies,
+ control.secretsmanager_secret_unused_90_day,
 control.iam_user_access_key_age_90,
 control.iam_account_password_policy_min_length_14,
 control.iam_policy_no_star_star,
@@ -568,6 +579,7 @@ benchmark "nist_800_53_rev_5_ac_3_4_b" {
 children = [
 control.ec2_instance_uses_imdsv2,
 control.iam_group_user_role_no_inline_policies,
+ control.secretsmanager_secret_unused_90_day,
 control.iam_user_access_key_age_90,
 control.iam_account_password_policy_min_length_14,
 control.iam_policy_no_star_star,
@@ -594,6 +606,7 @@ benchmark "nist_800_53_rev_5_ac_3_4_c" {
 children = [
 control.ec2_instance_uses_imdsv2,
 control.iam_group_user_role_no_inline_policies,
+ control.secretsmanager_secret_unused_90_day,
 control.iam_user_access_key_age_90,
 control.iam_account_password_policy_min_length_14,
 control.iam_policy_no_star_star,
@@ -622,6 +635,7 @@ benchmark "nist_800_53_rev_5_ac_3_4_d" {
 control.iam_group_user_role_no_inline_policies,
 control.iam_user_access_key_age_90,
 control.iam_account_password_policy_min_length_14,
+ control.secretsmanager_secret_unused_90_day,
 control.iam_policy_no_star_star,
 control.iam_root_user_no_access_keys,
 control.iam_user_in_group,
@@ -648,6 +662,7 @@ benchmark "nist_800_53_rev_5_ac_3_4_e" {
 control.iam_group_user_role_no_inline_policies,
 control.iam_user_access_key_age_90,
 control.iam_account_password_policy_min_length_14,
+ control.secretsmanager_secret_unused_90_day,
 control.iam_policy_no_star_star,
 control.iam_root_user_no_access_keys,
 control.iam_user_in_group,
@@ -706,6 +721,7 @@ benchmark "nist_800_53_rev_5_ac_3_8" {
 control.iam_group_user_role_no_inline_policies,
 control.iam_user_access_key_age_90,
 control.iam_account_password_policy_min_length_14,
+ control.secretsmanager_secret_unused_90_day,
 control.iam_policy_no_star_star,
 control.iam_root_user_no_access_keys,
 control.iam_user_in_group,
@@ -758,6 +774,7 @@ benchmark "nist_800_53_rev_5_ac_3_12_a" {
 control.iam_group_user_role_no_inline_policies,
 control.iam_user_access_key_age_90,
 control.iam_account_password_policy_min_length_14,
+ control.secretsmanager_secret_unused_90_day,
 control.iam_policy_no_star_star,
 control.iam_root_user_no_access_keys,
 control.iam_user_in_group,
@@ -792,6 +809,7 @@ benchmark "nist_800_53_rev_5_ac_3_13" {
 control.iam_group_user_role_no_inline_policies,
 control.iam_user_access_key_age_90,
 control.iam_account_password_policy_min_length_14,
+ control.secretsmanager_secret_unused_90_day,
 control.iam_policy_no_star_star,
 control.iam_root_user_no_access_keys,
 control.iam_user_in_group,
@@ -831,6 +849,7 @@ benchmark "nist_800_53_rev_5_ac_3_15_a" {
 control.iam_root_user_no_access_keys,
 control.iam_user_in_group,
 control.iam_user_mfa_enabled,
+ control.secretsmanager_secret_unused_90_day,
 control.iam_user_no_inline_attached_policies,
 control.iam_user_unused_credentials_90,
 control.iam_user_console_access_mfa_enabled,
@@ -851,6 +870,7 @@ benchmark "nist_800_53_rev_5_ac_3_15_b" {
 control.iam_group_user_role_no_inline_policies,
 control.iam_user_access_key_age_90,
 control.iam_account_password_policy_min_length_14,
+ control.secretsmanager_secret_unused_90_day,
 control.iam_policy_no_star_star,
 control.iam_root_user_no_access_keys,
 control.iam_user_in_group,
@@ -895,6 +915,7 @@ benchmark "nist_800_53_rev_5_ac_4_21" {
 control.elb_application_lb_waf_enabled,
 control.apigateway_stage_use_waf_web_acl,
 control.autoscaling_launch_config_public_ip_disabled,
+ control.redshift_cluster_enhanced_vpc_routing_enabled,
 control.ec2_instance_in_vpc,
 control.vpc_route_table_restrict_public_access_to_igw,
 control.ebs_snapshot_not_publicly_restorable,
@@ -969,6 +990,7 @@ benchmark "nist_800_53_rev_5_ac_4_28" {
 control.iam_root_user_no_access_keys,
 control.iam_user_in_group,
 control.iam_user_mfa_enabled,
+ control.secretsmanager_secret_unused_90_day,
 control.iam_user_no_inline_attached_policies,
 control.iam_user_unused_credentials_90,
 control.iam_user_console_access_mfa_enabled,
@@ -1352,6 +1374,7 @@ benchmark "nist_800_53_rev_5_ac_24" {
 control.iam_group_user_role_no_inline_policies,
 control.iam_user_access_key_age_90,
 control.iam_account_password_policy_min_length_14,
+ control.secretsmanager_secret_unused_90_day,
 control.iam_policy_no_star_star,
 control.iam_root_user_no_access_keys,
 control.iam_user_in_group,
@@ -1363,6 +1386,7 @@ benchmark "nist_800_53_rev_5_ac_24" {
 control.iam_root_user_mfa_enabled,
 control.secretsmanager_secret_automatic_rotation_enabled,
 control.secretsmanager_secret_rotated_as_scheduled,
+ benchmark.nist_800_53_rev_5_ac_24_1
 ]
 tags = local.nist_800_53_rev_5_common_tags
diff --git a/nist_800_53_rev_5/au.sp b/nist_800_53_rev_5/au.sp
index 40f64f3a..d1cd0eb9 100644
--- a/nist_800_53_rev_5/au.sp
+++ b/nist_800_53_rev_5/au.sp
@@ -12,7 +12,8 @@ benchmark "nist_800_53_rev_5_au" {
 benchmark.nist_800_53_rev_5_au_10,
 benchmark.nist_800_53_rev_5_au_11,
 benchmark.nist_800_53_rev_5_au_12,
- benchmark.nist_800_53_rev_5_au_14
+ benchmark.nist_800_53_rev_5_au_14,
+ benchmark.nist_800_53_rev_5_au_16
 ]
 tags = local.nist_800_53_rev_5_common_tags
@@ -57,6 +58,7 @@ benchmark "nist_800_53_rev_5_au_3" {
 benchmark.nist_800_53_rev_5_au_3_a,
 benchmark.nist_800_53_rev_5_au_3_b,
 benchmark.nist_800_53_rev_5_au_3_c,
+ benchmark.nist_800_53_rev_5_au_3_d,
 benchmark.nist_800_53_rev_5_au_3_e,
 benchmark.nist_800_53_rev_5_au_3_f
 ]
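Review bot: `benchmark.nist_800_53_rev_5_ac_24_1` is added to the `nist_800_53_rev_5_ac_24` children list, but none of the 24 insertions this patch makes to ac.sp defines that benchmark; unless it was introduced in one of the intervening patches of the series (not shown here), the mod will fail to load on a dangling reference. The same check applies to the new references in au.sp (`au_16`, `au_3_d`, `au_12_3`, `au_12_4`), cm.sp (`cm_9`, `cm_12`, `cm_6_a`), cp.sp (`cp_6_2`) and ia.sp (`ia_4`), whose visible hunks account for every line in their diffstats and contain only list edits. Mixing a `benchmark.` child into a list of `control.` entries is permitted, so the only open question is where each of these benchmarks is defined; a `steampipe check --dry-run`-style load of the mod before merging would confirm it.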
@@ -522,8 +524,9 @@ benchmark "nist_800_53_rev_5_au_12" { benchmark.nist_800_53_rev_5_au_12_a, benchmark.nist_800_53_rev_5_au_12_c, benchmark.nist_800_53_rev_5_au_12_1, - benchmark.nist_800_53_rev_5_au_12_2 - + benchmark.nist_800_53_rev_5_au_12_2, + benchmark.nist_800_53_rev_5_au_12_3, + benchmark.nist_800_53_rev_5_au_12_4 ] tags = local.nist_800_53_rev_5_common_tags diff --git a/nist_800_53_rev_5/cm.sp b/nist_800_53_rev_5/cm.sp index f9ab5926..7926902b 100644 --- a/nist_800_53_rev_5/cm.sp +++ b/nist_800_53_rev_5/cm.sp @@ -7,7 +7,9 @@ benchmark "nist_800_53_rev_5_cm" { benchmark.nist_800_53_rev_5_cm_5, benchmark.nist_800_53_rev_5_cm_6, benchmark.nist_800_53_rev_5_cm_7, - benchmark.nist_800_53_rev_5_cm_8 + benchmark.nist_800_53_rev_5_cm_8, + benchmark.nist_800_53_rev_5_cm_9, + benchmark.nist_800_53_rev_5_cm_12 ] tags = local.nist_800_53_rev_5_common_tags @@ -180,6 +182,7 @@ benchmark "nist_800_53_rev_5_cm_5_1_a" { control.ec2_instance_uses_imdsv2, control.ecs_task_definition_user_for_host_mode_check, control.iam_group_user_role_no_inline_policies, + control.secretsmanager_secret_unused_90_day, control.iam_all_policy_no_service_wild_card, control.iam_user_access_key_age_90, control.iam_account_password_policy_min_length_14, @@ -225,7 +228,8 @@ benchmark "nist_800_53_rev_5_cm_6" { description = "The organization: (i) establishes mandatory configuration settings for information technology products employed within the information system; (ii) configures the security settings of information technology products to the most restrictive mode consistent with operational requirements; (iii) documents the configuration settings; and (iv) enforces the configuration settings in all components of the information system" children = [ control.ec2_instance_ssm_managed, - control.ssm_managed_instance_compliance_association_compliant + control.ssm_managed_instance_compliance_association_compliant, + benchmark.nist_800_53_rev_5_cm_6_a ] tags = local.nist_800_53_rev_5_common_tags 
diff --git a/nist_800_53_rev_5/cp.sp b/nist_800_53_rev_5/cp.sp index dc2a01ee..aad37407 100644 --- a/nist_800_53_rev_5/cp.sp +++ b/nist_800_53_rev_5/cp.sp @@ -223,7 +223,8 @@ benchmark "nist_800_53_rev_5_cp_6" { description = "a. Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and b. Ensure that the alternate storage site provides controls equivalent to that of the primary site." children = [ benchmark.nist_800_53_rev_5_cp_6_a, - benchmark.nist_800_53_rev_5_cp_6_1 + benchmark.nist_800_53_rev_5_cp_6_1, + benchmark.nist_800_53_rev_5_cp_6_2 ] tags = local.nist_800_53_rev_5_common_tags diff --git a/nist_800_53_rev_5/ia.sp b/nist_800_53_rev_5/ia.sp index c9f8b3a4..c8e86570 100644 --- a/nist_800_53_rev_5/ia.sp +++ b/nist_800_53_rev_5/ia.sp @@ -4,6 +4,7 @@ benchmark "nist_800_53_rev_5_ia" { children = [ benchmark.nist_800_53_rev_5_ia_2, benchmark.nist_800_53_rev_5_ia_3, + benchmark.nist_800_53_rev_5_ia_4, benchmark.nist_800_53_rev_5_ia_5, benchmark.nist_800_53_rev_5_ia_8 ] diff --git a/nist_800_53_rev_5/nist_800_53_rev_5.sp b/nist_800_53_rev_5/nist_800_53_rev_5.sp index 60c9c44e..94376b45 100644 --- a/nist_800_53_rev_5/nist_800_53_rev_5.sp +++ b/nist_800_53_rev_5/nist_800_53_rev_5.sp @@ -23,7 +23,7 @@ benchmark "nist_800_53_rev_5" { benchmark.nist_800_53_rev_5_pe, benchmark.nist_800_53_rev_5_pm, benchmark.nist_800_53_rev_5_ra, - # benchmark.nist_800_53_rev_5_sa, + benchmark.nist_800_53_rev_5_sa, benchmark.nist_800_53_rev_5_sc, benchmark.nist_800_53_rev_5_si ] diff --git a/nist_800_53_rev_5/sa.sp b/nist_800_53_rev_5/sa.sp index 0fdf3d78..86097914 100644 --- a/nist_800_53_rev_5/sa.sp +++ b/nist_800_53_rev_5/sa.sp 
@@ -2,34 +2,96 @@ benchmark "nist_800_53_rev_5_sa" { title = "System and Services Acquisition (SA)" description = "The SA control family correlates with controls that protect allocated resources and an organization’s system development life cycle. This includes information system documentation controls, development configuration management controls, and developer security testing and evaluation controls." children = [ - benchmark.nist_800_53_rev_5_sa_3, - benchmark.nist_800_53_rev_5_sa_10 + benchmark.nist_800_53_rev_5_sa_1, + benchmark.nist_800_53_rev_5_sa_9, + benchmark.nist_800_53_rev_5_sa_10, + benchmark.nist_800_53_rev_5_sa_15 ] tags = local.nist_800_53_rev_5_common_tags } -benchmark "nist_800_53_rev_5_sa_3" { - title = "System Development Life Cycle (SA-3)" - description = "The organization manages the information system using organization-defined system development life cycle, defines and documents information security roles and responsibilities throughout the system development life cycle, identifies individuals having information security roles and responsibilities and integrates the organizational information security risk management process into system development life cycle activities." +benchmark "nist_800_53_rev_5_sa_1" { + title = "Policy And Procedures (SA-1)" + description = "The organization develops, disseminates, and periodically reviews/updates: (i) a formal, documented, system and services acquisition policy that includes information security considerations and that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls." 
children = [ - control.codebuild_project_plaintext_env_variables_no_sensitive_aws_values, - control.codebuild_project_source_repo_oauth_configured, - control.ec2_instance_ssm_managed + benchmark.nist_800_53_rev_5_sa_1_1 + + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_sa_1_1" { + title = "SA-1(1)" + description = "Require the developer of the system, system component, or system service to enable integrity verification of software and firmware components." + children = [ + control.cloudtrail_trail_validation_enabled + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_sa_9" { + title = "External System Services (SA-9)" + description = "Require the developer of the system, system component, or system service to enable integrity verification of software and firmware components." + children = [ + benchmark.nist_800_53_rev_5_sa_9_6 + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_sa_9_6" { + title = "SA-9(6) Organization-Controlled Cryptographic Keys" + description = "Maintain exclusive control of cryptographic keys for encrypted material stored or transmitted through an external system." + children = [ + control.kms_key_not_pending_deletion, + control.kms_cmk_rotation_enabled ] tags = local.nist_800_53_rev_5_common_tags } + benchmark "nist_800_53_rev_5_sa_10" { title = "Developer Configuration Management (SA-10)" description = "The organization requires the developer of the information system, system component, or information system service to: a. Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation]; b. Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management]; c. Implement only organization-approved changes to the system, component, or service; d. 
Document approved changes to the system, component, or service and the potential security impacts of such changes; and e. Track security flaws and flaw resolution within the system, component, or service and report findings to [Assignment: organization-defined personnel]." children = [ - control.ec2_instance_ssm_managed, - control.guardduty_enabled, - control.guardduty_finding_archived, - control.securityhub_enabled + benchmark.nist_800_53_rev_5_sa_10_1 ] tags = local.nist_800_53_rev_5_common_tags } + +benchmark "nist_800_53_rev_5_sa_10_1" { + title = "SA-10(1) Software And Firmware Integrity Verification" + description = "Require the developer of the system, system component, or system service to enable integrity verification of software and firmware components." + children = [ + control.cloudtrail_trail_validation_enabled + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_sa_15" { + title = "Development Process, Standards, And Tools (SA-15)" + description = "a. Require the developer of the system, system component, or system service to follow a documented development process that: 1. Explicitly addresses security and privacy requirements; 2. Identifies the standards and tools used in the development process; 3. Documents the specific tool options and tool configurations used in the development process; and 4. Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and b. Review the development process, standards, tools, tool options, and tool configurations [Assignment: organization-defined frequency] to determine if the process, standards, tools, tool options and tool configurations selected and employed can satisfy the following security and privacy requirements: [Assignment: organization-defined security and privacy requirements]." 
+ children = [ + benchmark.nist_800_53_rev_5_sa_15_a_4 + ] + + tags = local.nist_800_53_rev_5_common_tags +} + +benchmark "nist_800_53_rev_5_sa_15_a_4" { + title = "SA-15(a)(4)" + description = "a. Require the developer of the system, system component, or system service to follow a documented development process that: 4. Documents, manages, and ensures the integrity of changes to the process and/or tools used in development;" + children = [ + control.elb_application_lb_deletion_protection_enabled, + control.rds_db_instance_deletion_protection_enabled + ] + + tags = local.nist_800_53_rev_5_common_tags +} + diff --git a/nist_800_53_rev_5/sc.sp b/nist_800_53_rev_5/sc.sp index 5ab0df1f..f41e4352 100644 --- a/nist_800_53_rev_5/sc.sp +++ b/nist_800_53_rev_5/sc.sp @@ -3,6 +3,7 @@ benchmark "nist_800_53_rev_5_sc" { description = "The SC control family is responsible for systems and communications protection procedures. This includes boundary protection, protection of information at rest, collaborative computing devices, cryptographic protection, denial of service protection, and many others." children = [ benchmark.nist_800_53_rev_5_sc_5, + benchmark.nist_800_53_rev_5_sc_6, benchmark.nist_800_53_rev_5_sc_7, benchmark.nist_800_53_rev_5_sc_8, benchmark.nist_800_53_rev_5_sc_12, @@ -146,6 +147,7 @@ benchmark "nist_800_53_rev_5_sc_7" { benchmark.nist_800_53_rev_5_sc_7_c, benchmark.nist_800_53_rev_5_sc_7_2, benchmark.nist_800_53_rev_5_sc_7_3, + benchmark.nist_800_53_rev_5_sc_7_4, benchmark.nist_800_53_rev_5_sc_7_5, benchmark.nist_800_53_rev_5_sc_7_7, benchmark.nist_800_53_rev_5_sc_7_9, @@ -202,6 +204,7 @@ benchmark "nist_800_53_rev_5_sc_7_b" { control.dms_replication_instance_not_publicly_accessible, control.ebs_snapshot_not_publicly_restorable, control.ec2_instance_not_publicly_accessible, + control.redshift_cluster_enhanced_vpc_routing_enabled, control.es_domain_in_vpc, control.emr_cluster_master_nodes_no_public_ip, control.lambda_function_restrict_public_access, 
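Review bot: The description strings for `nist_800_53_rev_5_sa_1_1` and `nist_800_53_rev_5_sa_9` are copies of the SA-10(1) text ("Require the developer of the system ... integrity verification of software and firmware components"), so two of the new benchmarks describe a different control than their title names. SA-9 should carry the External System Services wording, and as far as I can tell Rev 5 defines no enhancement (1) under SA-1, so the `SA-1(1)` benchmark and its `cloudtrail_trail_validation_enabled` child look like a duplicate of the SA-10(1) block lower in the hunk. The `children` list of `nist_800_53_rev_5_sa_1` also has a stray blank line before `]`. Separately, this hunk drops `codebuild_project_plaintext_env_variables_no_sensitive_aws_values` and `codebuild_project_source_repo_oauth_configured` from the SA tree with the removed SA-3 block; worth confirming they are re-homed elsewhere in the series. The opening `benchmark "nist_800_53_rev_5_sa" {` line sits above the hunk start.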
@@ -1015,6 +1018,7 @@ benchmark "nist_800_53_rev_5_sc_23_3" { control.iam_group_user_role_no_inline_policies, control.iam_user_access_key_age_90, control.iam_account_password_policy_min_length_14, + control.secretsmanager_secret_unused_90_day, control.iam_policy_no_star_star, control.iam_root_user_no_access_keys, control.iam_user_in_group, diff --git a/nist_800_53_rev_5/si.sp b/nist_800_53_rev_5/si.sp index 65ca7eed..7e11aa34 100644 --- a/nist_800_53_rev_5/si.sp +++ b/nist_800_53_rev_5/si.sp @@ -6,6 +6,7 @@ benchmark "nist_800_53_rev_5_si" { benchmark.nist_800_53_rev_5_si_2, benchmark.nist_800_53_rev_5_si_3, benchmark.nist_800_53_rev_5_si_4, + benchmark.nist_800_53_rev_5_si_5, benchmark.nist_800_53_rev_5_si_7, benchmark.nist_800_53_rev_5_si_10, benchmark.nist_800_53_rev_5_si_12, @@ -86,6 +87,7 @@ benchmark "nist_800_53_rev_5_si_2" { children = [ benchmark.nist_800_53_rev_5_si_2_a, benchmark.nist_800_53_rev_5_si_2_c, + benchmark.nist_800_53_rev_5_si_2_d, benchmark.nist_800_53_rev_5_si_2_2, benchmark.nist_800_53_rev_5_si_2_5 ] @@ -493,7 +495,6 @@ benchmark "nist_800_53_rev_5_si_4_25" { tags = local.nist_800_53_rev_5_common_tags } - benchmark "nist_800_53_rev_5_si_5" { title = "Secuity Alerts, Advisories, And Directives (SI-5)" description = "a. Receive system security alerts, advisories, and directives from [Assignment: organization-defined external organizations] on an ongoing basis; b. Generate internal security alerts, advisories, and directives as deemed necessary; c. Disseminate security alerts, advisories, and directives to: [Selection (one or more): [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined elements within the organization]; [Assignment: organization-defined external organizations]]; and d. Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance." 
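Review bot: Now that `nist_800_53_rev_5_si_5` is wired into the `si` parent (first si.sp hunk), the misspelled title on the context line of the last hunk will show up in the rendered tree: `title = "Secuity Alerts, Advisories, And Directives (SI-5)"` should read `title = "Security Alerts, Advisories, And Directives (SI-5)"`. The `children` and `tags` of that benchmark lie past the end of the hunk.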
diff --git a/query/secretsmanager/secretsmanager_secret_unused_90_day.sql b/query/secretsmanager/secretsmanager_secret_unused_90_day.sql
new file mode 100644
index 00000000..c7668e3f
--- /dev/null
+++ b/query/secretsmanager/secretsmanager_secret_unused_90_day.sql
@@ -0,0 +1,18 @@
+select
+ -- Required Columns
+ arn as resource,
+ case
+ when last_accessed_date is null then 'alarm'
+ when date(current_date) - date(last_accessed_date) <= 90 then 'ok'
+ else 'alarm'
+ end as status,
+ case
+ when last_accessed_date is null then title || ' never accessed.'
+ else
+ title || ' last used ' || extract(day from current_timestamp - last_accessed_date) || ' day(s) ago.'
+ end as reason,
+ -- Additional Dimensions
+ region,
+ account_id
+from
+ aws_secretsmanager_secret;
From e4375ae0ff4b3d5c9ab2c016479f3f4a94ea3db9 Mon Sep 17 00:00:00 2001
From: Khushboo
Date: Thu, 26 May 2022 18:16:23 +0530
Subject: [PATCH 08/20] added new query
---
 conformance_pack/ec2.sp | 10 ++++++++++
 conformance_pack/iam.sp | 10 ++++++++++
 nist_800_53_rev_5/ac.sp | 1 +
 nist_800_53_rev_5/cm.sp | 9 +++++++++
 query/ec2/ec2_instance_iam_profile_attached.sql | 16 ++++++++++++++++
 query/iam/account_part_of_organizations.sql | 16 ++++++++++++++++
 6 files changed, 62 insertions(+)
 create mode 100644 query/ec2/ec2_instance_iam_profile_attached.sql
 create mode 100644 query/iam/account_part_of_organizations.sql
diff --git a/conformance_pack/ec2.sp b/conformance_pack/ec2.sp
index f3bca1da..20057d5e 100644
--- a/conformance_pack/ec2.sp
+++ b/conformance_pack/ec2.sp
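Review bot: A secret that was created recently and simply has not been read yet lands in the first `when last_accessed_date is null then 'alarm'` branch with reason `' never accessed.'`, so every freshly provisioned secret alarms until its first read, which makes the control noisy in environments that create secrets ahead of use. If that is not the intent, the null branch could be bounded by the secret's age instead, e.g. `when last_accessed_date is null and date(current_date) - date(created_date) <= 90 then 'ok'` (this assumes `created_date` is exposed on `aws_secretsmanager_secret`; confirm before relying on it). The 90-day threshold also only appears in the filename and the comparison, so a short header comment such as `-- Secrets not read in the last 90 days (or never read) are reported as alarm` would spare the next reader from reverse-engineering the two `case` expressions.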
@@ -112,3 +112,13 @@ control "ec2_instance_protected_by_backup_plan" {
 soc_2 = "true"
 })
 }
+
+control "ec2_instance_iam_profile_attached" {
+ title = "EC2 instances should have IAM profile attached"
+ description = "Ensure if an Amazon Elastic Compute Cloud (Amazon EC2) instance has an Identity and Access Management (IAM) profile attached to it. This rule is non compliant if no IAM profile is attached to the Amazon EC2 instance."
+ sql = query.ec2_instance_iam_profile_attached.sql
+
+ tags = merge(local.conformance_pack_ec2_common_tags, {
+ nist_800_53_rev_5 = "true"
+ })
+}
diff --git a/conformance_pack/iam.sp b/conformance_pack/iam.sp
index d8886157..c692898b 100644
--- a/conformance_pack/iam.sp
+++ b/conformance_pack/iam.sp
@@ -334,3 +334,13 @@ control "iam_policy_custom_no_blocked_kms_actions" {
 fedramp = "true"
 })
 }
+
+control "account_part_of_organizations" {
+ title = "AWS account should be part of AWS Organizations"
+ description = "Ensure if an AWS account is part of AWS Organizations. The rule is non compliant if an AWS account is not part of AWS Organizations or AWS Organizations master account ID does not match rule parameter MasterAccountId."
+ sql = query.account_part_of_organizations.sql
+
+ tags = merge(local.conformance_pack_iam_common_tags, {
+ nist_800_53_rev_5 = "true"
+ })
+}
diff --git a/nist_800_53_rev_5/ac.sp b/nist_800_53_rev_5/ac.sp
index 39c47970..a8063c9f 100644
--- a/nist_800_53_rev_5/ac.sp
+++ b/nist_800_53_rev_5/ac.sp
@@ -235,6 +235,7 @@ benchmark "nist_800_53_rev_5_ac_3" {
 children = [
 control.autoscaling_launch_config_public_ip_disabled,
 control.ec2_instance_uses_imdsv2,
+ control.ec2_instance_iam_profile_attached,
 control.ecs_task_definition_user_for_host_mode_check,
 control.iam_group_user_role_no_inline_policies,
 control.iam_all_policy_no_service_wild_card,
diff --git a/nist_800_53_rev_5/cm.sp b/nist_800_53_rev_5/cm.sp
index 7926902b..23470d42 100644
--- a/nist_800_53_rev_5/cm.sp
+++ b/nist_800_53_rev_5/cm.sp
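Review bot: The description of `account_part_of_organizations` (second hunk) promises a second check, that the Organizations management account matches a `MasterAccountId` parameter, but the query it points to (query/iam/account_part_of_organizations.sql, later in this patch) only tests `organization_id is not null`, so the text claims more than the control verifies; either drop the clause or implement the comparison. The control name also lacks the service prefix used by the other controls in this file (`iam_*`), and the query reads `aws_account` rather than an IAM resource, so placing it in conformance_pack/iam.sp under an unprefixed name will make it hard to locate later. In both new descriptions `Ensure if ...` reads as Config-rule boilerplate; `Ensure that ...` states the intent.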
@@ -51,6 +51,7 @@ benchmark "nist_800_53_rev_5_cm_2_b" { control.ssm_managed_instance_compliance_association_compliant, control.ec2_stopped_instance_30_days, control.ebs_volume_unsued, + control.account_part_of_organizations, control.redshift_cluster_maintenance_settings_check, benchmark.nist_800_53_rev_5_cm_2_b_1, benchmark.nist_800_53_rev_5_cm_2_b_2, @@ -66,6 +67,7 @@ benchmark "nist_800_53_rev_5_cm_2_b_1" { description = "b. Review and update the baseline configuration of the system: 1. [Assignment: organization-defined frequency];" children = [ control.ec2_instance_ssm_managed, + control.account_part_of_organizations, control.ssm_managed_instance_compliance_association_compliant, control.ec2_stopped_instance_30_days, control.ebs_volume_unsued, @@ -80,6 +82,7 @@ benchmark "nist_800_53_rev_5_cm_2_b_2" { description = "b. Review and update the baseline configuration of the system: 2. When required due to [Assignment: organization-defined circumstances];" children = [ control.ec2_instance_ssm_managed, + control.account_part_of_organizations, control.ssm_managed_instance_compliance_association_compliant, control.ec2_stopped_instance_30_days, control.ebs_volume_unsued, @@ -94,6 +97,7 @@ benchmark "nist_800_53_rev_5_cm_2_b_3" { description = "b. Review and update the baseline configuration of the system: 3 When system components are installed or upgraded." children = [ control.ec2_instance_ssm_managed, + control.account_part_of_organizations, control.ssm_managed_instance_compliance_association_compliant, control.ec2_stopped_instance_30_days, control.ebs_volume_unsued, @@ -147,6 +151,7 @@ benchmark "nist_800_53_rev_5_cm_3_3" { control.ec2_instance_ssm_managed, control.ssm_managed_instance_compliance_association_compliant, control.ec2_stopped_instance_30_days, + control.account_part_of_organizations, control.ebs_volume_unsued, control.redshift_cluster_maintenance_settings_check, ] 
@@ -180,6 +185,7 @@ benchmark "nist_800_53_rev_5_cm_5_1_a" { description = "(a) Enforce access restrictions using [Assignment: organization-defined automated mechanisms];" children = [ control.ec2_instance_uses_imdsv2, + control.ec2_instance_iam_profile_attached, control.ecs_task_definition_user_for_host_mode_check, control.iam_group_user_role_no_inline_policies, control.secretsmanager_secret_unused_90_day, @@ -241,10 +247,12 @@ benchmark "nist_800_53_rev_5_cm_6_a" { children = [ control.autoscaling_launch_config_public_ip_disabled, control.kms_cmk_rotation_enabled, + control.ec2_instance_iam_profile_attached, control.ec2_ebs_default_encryption_enabled, control.iam_group_user_role_no_inline_policies, control.cloudtrail_multi_region_trail_enabled, control.iam_user_access_key_age_90, + control.account_part_of_organizations, control.autoscaling_group_with_lb_use_health_check, control.cloudtrail_trail_integrated_with_logs, control.cloudtrail_trail_logs_encrypted_with_kms_cmk, @@ -467,6 +475,7 @@ benchmark "nist_800_53_rev_5_cm_9_b" { description = "Develop, document, and implement a configuration management plan for the system that: b. Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items;" children = [ control.kms_cmk_rotation_enabled, + control.account_part_of_organizations, control.ec2_ebs_default_encryption_enabled, control.iam_group_user_role_no_inline_policies, control.vpc_security_group_restrict_ingress_ssh_all, diff --git a/query/ec2/ec2_instance_iam_profile_attached.sql b/query/ec2/ec2_instance_iam_profile_attached.sql new file mode 100644 index 00000000..7e32e2c0 --- /dev/null +++ b/query/ec2/ec2_instance_iam_profile_attached.sql 
@@ -0,0 +1,16 @@
+select
+ -- Required Columns
+ arn as resource,
+ case
+ when iam_instance_profile_id is not null then 'ok'
+ else 'alarm'
+ end as status,
+ case
+ when iam_instance_profile_id is not null then title || ' IAM profile attached.'
+ else title || ' IAM profile not attached.'
+ end as reason,
+ -- Additional Dimensions
+ region,
+ account_id
+from
+ aws_ec2_instance;
\ No newline at end of file
diff --git a/query/iam/account_part_of_organizations.sql b/query/iam/account_part_of_organizations.sql
new file mode 100644
index 00000000..8ce857e5
--- /dev/null
+++ b/query/iam/account_part_of_organizations.sql
@@ -0,0 +1,16 @@
+select
+ -- Required Columns
+ arn as resource,
+ case
+ when organization_id is not null then 'ok'
+ else 'alarm'
+ end as status,
+ case
+ when organization_id is not null then title || ' is part of organization(s).'
+ else title || ' is not part of organization.'
+ end as reason,
+ -- Additional Dimensions
+ region,
+ account_id
+from
+ aws_account;
\ No newline at end of file
From 67f4bdda75343eb2ea9e15d47607feb5b90d2aef Mon Sep 17 00:00:00 2001
From: Khushboo
Date: Thu, 26 May 2022 20:36:04 +0530
Subject: [PATCH 09/20] added new query
---
 conformance_pack/secretsmanager.sp | 12 ++++++-
 nist_800_53_rev_5/au.sp | 1 +
 nist_800_53_rev_5/cp.sp | 1 +
 nist_800_53_rev_5/sc.sp | 4 +++
 nist_800_53_rev_5/si.sp | 1 +
 ...smanager_secret_encrypted_with_kms_cmk.sql | 31 +++++++++++++++++++
 6 files changed, 49 insertions(+), 1 deletion(-)
 create mode 100644 query/secretsmanager/secretsmanager_secret_encrypted_with_kms_cmk.sql
diff --git a/conformance_pack/secretsmanager.sp b/conformance_pack/secretsmanager.sp
index d97b7644..bbc36085 100644
--- a/conformance_pack/secretsmanager.sp
+++ b/conformance_pack/secretsmanager.sp
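Review bot: Both new query files end without a trailing newline (`\ No newline at end of file` after `aws_ec2_instance;` and after `aws_account;`), unlike query/secretsmanager/secretsmanager_secret_unused_90_day.sql earlier in this series, and the same applies to query/secretsmanager/secretsmanager_secret_encrypted_with_kms_cmk.sql later on; adding the final newline keeps future diffs from touching the last line of each file. In the second query an account belongs to at most one organization, so the reason `' is part of organization(s).'` can simply read `' is part of an organization.'` and the alarm branch `' is not part of an organization.'`.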
@@ -36,4 +36,14 @@ control "secretsmanager_secret_unused_90_day" { tags = merge(local.conformance_pack_secretsmanager_common_tags, { nist_800_53_rev_5 = "true" }) -} \ No newline at end of file +} + +control "secretsmanager_secret_encrypted_with_kms_cmk" { + title = "Secrets Manager secrets should be encrypted using CMK" + description = "Ensure if all secrets in AWS Secrets Manager are encrypted using the AWS managed key (aws/secretsmanager) or a customer managed key that was created in AWS Key Management Service (AWS KMS). The rule is compliant if a secret is encrypted using a customer managed key. This rule is NON_COMPLIANT if a secret is encrypted using aws/secretsmanager." + sql = query.secretsmanager_secret_encrypted_with_kms_cmk.sql + + tags = merge(local.conformance_pack_secretsmanager_common_tags, { + nist_800_53_rev_5 = "true" + }) +} diff --git a/nist_800_53_rev_5/au.sp b/nist_800_53_rev_5/au.sp index d1cd0eb9..bf4e4f7c 100644 --- a/nist_800_53_rev_5/au.sp +++ b/nist_800_53_rev_5/au.sp @@ -436,6 +436,7 @@ benchmark "nist_800_53_rev_5_au_9_3" { control.ec2_ebs_default_encryption_enabled, control.es_domain_node_to_node_encryption_enabled, control.elb_classic_lb_use_tls_https_listeners, + control.secretsmanager_secret_encrypted_with_kms_cmk, control.rds_db_snapshot_encrypted_at_rest, control.s3_bucket_default_encryption_enabled_kms, control.sagemaker_notebook_instance_encryption_at_rest_enabled, diff --git a/nist_800_53_rev_5/cp.sp b/nist_800_53_rev_5/cp.sp index aad37407..6c7cb02d 100644 --- a/nist_800_53_rev_5/cp.sp +++ b/nist_800_53_rev_5/cp.sp 
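Review bot: The first sentence of the new `secretsmanager_secret_encrypted_with_kms_cmk` description says secrets may be encrypted with the AWS managed key `aws/secretsmanager` or a customer managed key, while its last sentence marks `aws/secretsmanager` NON_COMPLIANT, so the control's intent is stated both ways. Given the title, the opening should be `Ensure that all secrets in AWS Secrets Manager are encrypted using a customer managed key created in AWS Key Management Service (AWS KMS).` with the managed-key alternative removed. The query behind it (query/secretsmanager/secretsmanager_secret_encrypted_with_kms_cmk.sql, at the end of this patch) currently returns `ok` for exactly the managed-key case, so description and query need to be reconciled together.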
@@ -378,6 +378,7 @@ benchmark "nist_800_53_rev_5_cp_9_d" { control.sagemaker_notebook_instance_encryption_at_rest_enabled, control.sns_topic_encrypted_at_rest, control.apigateway_stage_cache_encryption_at_rest_enabled, + control.secretsmanager_secret_encrypted_with_kms_cmk, control.cloudtrail_trail_logs_encrypted_with_kms_cmk, control.log_group_encryption_at_rest_enabled, control.efs_file_system_encrypt_data_at_rest, diff --git a/nist_800_53_rev_5/sc.sp b/nist_800_53_rev_5/sc.sp index f41e4352..37cef716 100644 --- a/nist_800_53_rev_5/sc.sp +++ b/nist_800_53_rev_5/sc.sp @@ -801,6 +801,7 @@ benchmark "nist_800_53_rev_5_sc_8_3" { control.ec2_ebs_default_encryption_enabled, control.es_domain_node_to_node_encryption_enabled, control.elb_classic_lb_use_tls_https_listeners, + control.secretsmanager_secret_encrypted_with_kms_cmk, control.rds_db_snapshot_encrypted_at_rest, control.s3_bucket_default_encryption_enabled_kms, control.sagemaker_notebook_instance_encryption_at_rest_enabled, @@ -835,6 +836,7 @@ benchmark "nist_800_53_rev_5_sc_8_4" { control.es_domain_node_to_node_encryption_enabled, control.elb_classic_lb_use_tls_https_listeners, control.rds_db_snapshot_encrypted_at_rest, + control.secretsmanager_secret_encrypted_with_kms_cmk, control.s3_bucket_default_encryption_enabled_kms, control.sagemaker_notebook_instance_encryption_at_rest_enabled, control.sns_topic_encrypted_at_rest, @@ -927,6 +929,7 @@ benchmark "nist_800_53_rev_5_sc_13_a" { control.dynamodb_table_encrypted_with_kms_cmk, control.ec2_ebs_default_encryption_enabled, control.es_domain_node_to_node_encryption_enabled, + control.secretsmanager_secret_encrypted_with_kms_cmk, control.elb_classic_lb_use_tls_https_listeners, control.rds_db_snapshot_encrypted_at_rest, control.s3_bucket_default_encryption_enabled_kms, 
@@ -1094,6 +1097,7 @@ benchmark "nist_800_53_rev_5_sc_28_1" { control.dynamodb_table_encrypted_with_kms_cmk, control.ec2_ebs_default_encryption_enabled, control.rds_db_snapshot_encrypted_at_rest, + control.secretsmanager_secret_encrypted_with_kms_cmk, control.s3_bucket_default_encryption_enabled_kms, control.sagemaker_notebook_instance_encryption_at_rest_enabled, control.sns_topic_encrypted_at_rest, diff --git a/nist_800_53_rev_5/si.sp b/nist_800_53_rev_5/si.sp index 7e11aa34..629e70ce 100644 --- a/nist_800_53_rev_5/si.sp +++ b/nist_800_53_rev_5/si.sp @@ -700,6 +700,7 @@ benchmark "nist_800_53_rev_5_si_19_4" { control.dynamodb_table_encrypted_with_kms_cmk, control.ec2_ebs_default_encryption_enabled, control.rds_db_snapshot_encrypted_at_rest, + control.secretsmanager_secret_encrypted_with_kms_cmk, control.s3_bucket_default_encryption_enabled_kms, control.sagemaker_notebook_instance_encryption_at_rest_enabled, control.apigateway_stage_cache_encryption_at_rest_enabled, diff --git a/query/secretsmanager/secretsmanager_secret_encrypted_with_kms_cmk.sql b/query/secretsmanager/secretsmanager_secret_encrypted_with_kms_cmk.sql new file mode 100644 index 00000000..28ae177b --- /dev/null +++ b/query/secretsmanager/secretsmanager_secret_encrypted_with_kms_cmk.sql 
@@ -0,0 +1,31 @@
+with encryption_keys as (
+ select
+ distinct s.arn,
+ k.aliases as alias
+ from
+ aws_secretsmanager_secret as s
+ left join aws_kms_key as k on k.arn = s.kms_key_id
+ where
+ k.aliases is not null
+)
+select
+ -- Required Columns
+ s.arn as resource,
+ case
+ when kms_key_id is null
+ or kms_key_id = 'alias/aws/secretsmanager'
+ or k.alias @> '[{"AliasName":"alias/aws/secretsmanager"}]'then 'ok'
+ else 'alarm'
+ end as status,
+ case
+ when kms_key_id is null
+ or kms_key_id = 'alias/aws/secretsmanager'
+ or k.alias @> '[{"AliasName":"alias/aws/secretsmanager"}]' then title || ' encrypted with CMK.'
+ else title || ' not encrypted with CMK.'
+ end as reason,
+ -- Additional Dimensions
+ region,
+ account_id
+from
+ aws_secretsmanager_secret as s
+ left join encryption_keys as k on s.arn = k.arn;
\ No newline at end of file
From f538e29b53e7962dbe72f601eb1d4fa2656204fc Mon Sep 17 00:00:00 2001
From: Khushboo
Date: Fri, 27 May 2022 14:32:10 +0530
Subject: [PATCH 10/20] update
---
 nist_800_53_rev_5/ac.sp | 12 ++++++------
 nist_800_53_rev_5/au.sp | 2 +-
 2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/nist_800_53_rev_5/ac.sp b/nist_800_53_rev_5/ac.sp
index a8063c9f..354ed32f 100644
--- a/nist_800_53_rev_5/ac.sp
+++ b/nist_800_53_rev_5/ac.sp
@@ -21,10 +21,10 @@ benchmark "nist_800_53_rev_5_ac_2" {
 description = benchmark.nist_800_53_rev_4_ac_2.description
 children = [
 benchmark.nist_800_53_rev_5_ac_2_1,
- benchmark.nist_800_53_rev_5_ac_2_12,
 benchmark.nist_800_53_rev_5_ac_2_3,
 benchmark.nist_800_53_rev_5_ac_2_4,
 benchmark.nist_800_53_rev_5_ac_2_6,
+ benchmark.nist_800_53_rev_5_ac_2_12,
 benchmark.nist_800_53_rev_5_ac_2_d_1,
 benchmark.nist_800_53_rev_5_ac_2_i_2,
 benchmark.nist_800_53_rev_5_ac_2_g,
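Review bot: The status logic in the new query is inverted relative to the control it backs: `kms_key_id is null` (Secrets Manager then falls back to the AWS managed key), `kms_key_id = 'alias/aws/secretsmanager'` and the alias match all yield `'ok'` with reason `' encrypted with CMK.'`, while the control description in conformance_pack/secretsmanager.sp says a secret on aws/secretsmanager is NON_COMPLIANT. As written, every secret on the default key passes and every secret actually protected by a customer managed key is flagged, the opposite of the title. The branch outcomes need to be swapped in both `case` expressions (rewritten below), and the missing space in `...secretsmanager"}]'then 'ok'` should be added while there. Separately, the CTE joins `aws_kms_key` on `k.arn = s.kms_key_id`, which only matches when `kms_key_id` holds a full key ARN; a secret whose `kms_key_id` is a bare key id or an alias ARN presumably gets a null `k.alias` and silently skips the alias test, so that join condition is worth confirming against the column's real contents.
```sql
-- … unchanged: encryption_keys CTE and select list up to s.arn …
  case
    when kms_key_id is null
      or kms_key_id = 'alias/aws/secretsmanager'
      or k.alias @> '[{"AliasName":"alias/aws/secretsmanager"}]' then 'alarm'
    else 'ok'
  end as status,
  case
    when kms_key_id is null
      or kms_key_id = 'alias/aws/secretsmanager'
      or k.alias @> '[{"AliasName":"alias/aws/secretsmanager"}]' then title || ' not encrypted with CMK.'
    else title || ' encrypted with CMK.'
  end as reason,
-- … unchanged: additional dimensions and from clause …
```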
@@ -35,7 +35,7 @@ benchmark "nist_800_53_rev_5_ac_2" { } benchmark "nist_800_53_rev_5_ac_2_d_1" { - title = "AC-2d.1" + title = "AC-2(d)(1)" description = "d. Specify: 1. Authorized users of the system;personnel termination and transfer processes." children = [ control.iam_account_password_policy_min_length_14 @@ -55,7 +55,7 @@ benchmark "nist_800_53_rev_5_ac_2_g" { } benchmark "nist_800_53_rev_5_ac_2_i_2" { - title = "AC-2i.2" + title = "AC-2(i)(2)" description = "i. Authorize access to the system based on: 2. Intended system usage;" children = [ control.iam_group_user_role_no_inline_policies, @@ -741,7 +741,7 @@ benchmark "nist_800_53_rev_5_ac_3_8" { } benchmark "nist_800_53_rev_5_ac_3_10" { - title = "AC-3(8) Revocation Of Access Authorizations" + title = "AC-3(10) Audited Override Of Access Control Mechanisms" description = "Employ an audited override of automated access mechanisms under [Assignment: organization-defined conditions] by [Assignment: organization-defined roles]." children = [ control.cloudtrail_multi_region_trail_enabled, @@ -1168,7 +1168,7 @@ benchmark "nist_800_53_rev_5_ac_16" { } benchmark "nist_800_53_rev_5_ac_16_b" { - title = "AC-16b" + title = "AC-16(b)" description = "b. Ensure that the attribute associations are made and retained with the information;" children = [ control.cloudwatch_log_group_retention_period_365 @@ -1253,7 +1253,7 @@ benchmark "nist_800_53_rev_5_ac_17_1" { } benchmark "nist_800_53_rev_5_ac_17_2" { - title = "AC-17(2)" + title = "AC-17(2) Protection Of Confidentiality And Integrity Using Encryption" description = "Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions." children = [ control.elb_classic_lb_use_tls_https_listeners, diff --git a/nist_800_53_rev_5/au.sp b/nist_800_53_rev_5/au.sp index bf4e4f7c..723dab0f 100644 --- a/nist_800_53_rev_5/au.sp +++ b/nist_800_53_rev_5/au.sp 
@@ -31,7 +31,7 @@ benchmark "nist_800_53_rev_5_au_2" { } benchmark "nist_800_53_rev_5_au_2_b" { - title = "AU-2b" + title = "AU-2(b)" description = "b. Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;" children = [ control.cloudtrail_multi_region_trail_enabled, From 94ce2836a4141d588072e927b70cd5a6c41d52d4 Mon Sep 17 00:00:00 2001 From: Khushboo Date: Fri, 27 May 2022 17:53:23 +0530 Subject: [PATCH 11/20] updated service tags --- nist_800_53_rev_5/ac.sp | 64 ++++++++++---- .../docs/nist_800_53_rev_5_overview.md | 2 +- nist_800_53_rev_5/ia.sp | 85 ++++++++++++++----- nist_800_53_rev_5/ir.sp | 12 ++- nist_800_53_rev_5/ma.sp | 4 +- nist_800_53_rev_5/pe.sp | 16 +++- nist_800_53_rev_5/pm.sp | 12 ++- nist_800_53_rev_5/ra.sp | 49 ++++++++--- nist_800_53_rev_5/sa.sp | 25 ++++-- nist_800_53_rev_5/sc.sp | 52 +++++++++--- nist_800_53_rev_5/si.sp | 55 ++++++++---- 11 files changed, 276 insertions(+), 100 deletions(-) diff --git a/nist_800_53_rev_5/ac.sp b/nist_800_53_rev_5/ac.sp index 354ed32f..9cddc710 100644 --- a/nist_800_53_rev_5/ac.sp +++ b/nist_800_53_rev_5/ac.sp @@ -41,7 +41,9 @@ benchmark "nist_800_53_rev_5_ac_2_d_1" { control.iam_account_password_policy_min_length_14 ] - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/IAM" + }) } benchmark "nist_800_53_rev_5_ac_2_g" { @@ -51,7 +53,9 @@ benchmark "nist_800_53_rev_5_ac_2_g" { control.iam_user_unused_credentials_90 ] - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/IAM" + }) } benchmark "nist_800_53_rev_5_ac_2_i_2" { 
@@ -64,7 +68,9 @@ benchmark "nist_800_53_rev_5_ac_2_i_2" { control.iam_user_no_inline_attached_policies ] - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/IAM" + }) } benchmark "nist_800_53_rev_5_ac_2_j" { @@ -74,7 +80,9 @@ benchmark "nist_800_53_rev_5_ac_2_j" { control.iam_user_unused_credentials_90, ] - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/IAM" + }) } benchmark "nist_800_53_rev_5_ac_2_1" { @@ -124,7 +132,9 @@ benchmark "nist_800_53_rev_5_ac_2_3_a" { control.iam_account_password_policy_min_length_14 ] - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/IAM" + }) } benchmark "nist_800_53_rev_5_ac_2_3_b" { @@ -135,7 +145,9 @@ benchmark "nist_800_53_rev_5_ac_2_3_b" { control.iam_account_password_policy_min_length_14 ] - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/IAM" + }) } benchmark "nist_800_53_rev_5_ac_2_3_c" { @@ -157,7 +169,9 @@ benchmark "nist_800_53_rev_5_ac_2_3_d" { control.iam_account_password_policy_min_length_14 ] - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/IAM" + }) } benchmark "nist_800_53_rev_5_ac_2_4" { @@ -226,7 +240,9 @@ benchmark "nist_800_53_rev_5_ac_2_12_a" { control.guardduty_enabled, ] - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/GuardDuty" + }) } benchmark "nist_800_53_rev_5_ac_3" { @@ -300,7 +316,9 @@ benchmark "nist_800_53_rev_5_ac_3_2" { control.iam_root_user_mfa_enabled ] - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/IAM" + }) } benchmark "nist_800_53_rev_5_ac_3_3" { 
@@ -799,7 +817,9 @@ benchmark "nist_800_53_rev_5_ac_3_12_b" { control.guardduty_enabled ] - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/GuardDuty" + }) } benchmark "nist_800_53_rev_5_ac_3_13" { @@ -1087,7 +1107,9 @@ benchmark "nist_800_53_rev_5_ac_6_3" { control.iam_user_no_inline_attached_policies ] - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/IAM" + }) } benchmark "nist_800_53_rev_5_ac_6_9" { @@ -1115,7 +1137,9 @@ benchmark "nist_800_53_rev_5_ac_6_10" { control.iam_root_user_no_access_keys ] - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/IAM" + }) } benchmark "nist_800_53_rev_5_ac_7" { @@ -1125,7 +1149,9 @@ benchmark "nist_800_53_rev_5_ac_7" { benchmark.nist_800_53_rev_5_ac_7_4 ] - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/IAM" + }) } benchmark "nist_800_53_rev_5_ac_7_4" { @@ -1140,7 +1166,9 @@ benchmark "nist_800_53_rev_5_ac_7_4" { benchmark.nist_800_53_rev_5_ac_7_4_a ] - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/IAM" + }) } benchmark "nist_800_53_rev_5_ac_7_4_a" { @@ -1154,7 +1182,9 @@ benchmark "nist_800_53_rev_5_ac_7_4_a" { control.iam_root_user_mfa_enabled, ] - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/IAM" + }) } benchmark "nist_800_53_rev_5_ac_16" { @@ -1174,7 +1204,9 @@ benchmark "nist_800_53_rev_5_ac_16_b" { control.cloudwatch_log_group_retention_period_365 ] - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/CloudWatch" + }) } benchmark "nist_800_53_rev_5_ac_17" { 
diff --git a/nist_800_53_rev_5/docs/nist_800_53_rev_5_overview.md b/nist_800_53_rev_5/docs/nist_800_53_rev_5_overview.md index 761d7f2c..26415035 100644 --- a/nist_800_53_rev_5/docs/nist_800_53_rev_5_overview.md +++ b/nist_800_53_rev_5/docs/nist_800_53_rev_5_overview.md @@ -1,4 +1,4 @@ -To obtain the latest version of the official guide, please visit https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final. +To obtain the latest version of the official guide, please visit https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final. ## Overview diff --git a/nist_800_53_rev_5/ia.sp b/nist_800_53_rev_5/ia.sp index c8e86570..42dbee64 100644 --- a/nist_800_53_rev_5/ia.sp +++ b/nist_800_53_rev_5/ia.sp @@ -23,7 +23,9 @@ benchmark "nist_800_53_rev_5_ia_2" { benchmark.nist_800_53_rev_5_ia_2_8 ] - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/IAM" + }) } benchmark "nist_800_53_rev_5_ia_2_1" { @@ -107,7 +109,6 @@ benchmark "nist_800_53_rev_5_ia_3" { description = "Uniquely identify and authenticate [Assignment: organization-defined devices and/or types of devices] before establishing a [Selection (one or more): local; remote; network] connection." children = [ benchmark.nist_800_53_rev_5_ia_3_3 - ] tags = local.nist_800_53_rev_5_common_tags @@ -154,7 +155,9 @@ benchmark "nist_800_53_rev_5_ia_4" { benchmark.nist_800_53_rev_5_ia_4_8 ] - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/IAM" + }) } benchmark "nist_800_53_rev_5_ia_4_b" { @@ -164,7 +167,9 @@ benchmark "nist_800_53_rev_5_ia_4_b" { control.iam_root_user_no_access_keys ] - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/IAM" + }) } benchmark "nist_800_53_rev_5_ia_4_d" { 
@@ -174,7 +179,9 @@ benchmark "nist_800_53_rev_5_ia_4_d" { control.iam_account_password_policy_min_length_14 ] - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/IAM" + }) } benchmark "nist_800_53_rev_5_ia_4_4" { @@ -184,7 +191,9 @@ benchmark "nist_800_53_rev_5_ia_4_4" { control.iam_root_user_no_access_keys ] - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/IAM" + }) } benchmark "nist_800_53_rev_5_ia_4_8" { @@ -194,7 +203,9 @@ benchmark "nist_800_53_rev_5_ia_4_8" { control.iam_root_user_no_access_keys ] - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/IAM" + }) } benchmark "nist_800_53_rev_5_ia_5" { @@ -222,7 +233,9 @@ benchmark "nist_800_53_rev_5_ia_5_b" { control.iam_account_password_policy_min_length_14, ] - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/IAM" + }) } benchmark "nist_800_53_rev_5_ia_5_c" { @@ -232,7 +245,9 @@ benchmark "nist_800_53_rev_5_ia_5_c" { control.iam_account_password_policy_min_length_14, ] - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/IAM" + }) } benchmark "nist_800_53_rev_5_ia_5_d" { @@ -242,7 +257,9 @@ benchmark "nist_800_53_rev_5_ia_5_d" { control.iam_account_password_policy_min_length_14, ] - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/IAM" + }) } benchmark "nist_800_53_rev_5_ia_5_f" { @@ -252,7 +269,9 @@ benchmark "nist_800_53_rev_5_ia_5_f" { control.iam_account_password_policy_min_length_14, ] - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/IAM" + }) } benchmark "nist_800_53_rev_5_ia_5_h" { 
@@ -262,7 +281,9 @@ benchmark "nist_800_53_rev_5_ia_5_h" { control.iam_account_password_policy_min_length_14, ] - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/IAM" + }) } benchmark "nist_800_53_rev_5_ia_5_1" { @@ -299,7 +320,9 @@ benchmark "nist_800_53_rev_5_ia_5_1_f" { control.iam_account_password_policy_min_length_14 ] - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/IAM" + }) } benchmark "nist_800_53_rev_5_ia_5_1_g" { @@ -309,7 +332,9 @@ benchmark "nist_800_53_rev_5_ia_5_1_g" { control.iam_account_password_policy_min_length_14 ] - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/IAM" + }) } benchmark "nist_800_53_rev_5_ia_5_1_h" { @@ -319,7 +344,9 @@ benchmark "nist_800_53_rev_5_ia_5_1_h" { control.iam_account_password_policy_min_length_14 ] - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/IAM" + }) } benchmark "nist_800_53_rev_5_ia_5_8" { @@ -329,7 +356,9 @@ benchmark "nist_800_53_rev_5_ia_5_8" { control.iam_root_user_no_access_keys ] - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/IAM" + }) } benchmark "nist_800_53_rev_5_ia_5_18" { @@ -340,7 +369,9 @@ benchmark "nist_800_53_rev_5_ia_5_18" { benchmark.nist_800_53_rev_5_ia_5_18_b ] - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/IAM" + }) } benchmark "nist_800_53_rev_5_ia_5_18_a" { @@ -350,7 +381,9 @@ benchmark "nist_800_53_rev_5_ia_5_18_a" { control.iam_account_password_policy_min_length_14 ] - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/IAM" + }) } benchmark "nist_800_53_rev_5_ia_5_18_b" { 
@@ -360,7 +393,9 @@ benchmark "nist_800_53_rev_5_ia_5_18_b" { control.iam_account_password_policy_min_length_14 ] - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/IAM" + }) } benchmark "nist_800_53_rev_5_ia_8" { @@ -370,7 +405,9 @@ benchmark "nist_800_53_rev_5_ia_8" { benchmark.nist_800_53_rev_5_ia_8_2 ] - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/IAM" + }) } benchmark "nist_800_53_rev_5_ia_8_2" { @@ -380,7 +417,9 @@ benchmark "nist_800_53_rev_5_ia_8_2" { benchmark.nist_800_53_rev_5_ia_8_2_b ] - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/IAM" + }) } benchmark "nist_800_53_rev_5_ia_8_2_b" { @@ -390,6 +429,8 @@ benchmark "nist_800_53_rev_5_ia_8_2_b" { control.iam_account_password_policy_min_length_14 ] - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/IAM" + }) } diff --git a/nist_800_53_rev_5/ir.sp b/nist_800_53_rev_5/ir.sp index 5f46ea8e..2fd774b9 100644 --- a/nist_800_53_rev_5/ir.sp +++ b/nist_800_53_rev_5/ir.sp @@ -5,7 +5,9 @@ benchmark "nist_800_53_rev_5_ir" { benchmark.nist_800_53_rev_5_ir_4 ] - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/GuardDuty" + }) } benchmark "nist_800_53_rev_5_ir_4" { @@ -15,7 +17,9 @@ benchmark "nist_800_53_rev_5_ir_4" { benchmark.nist_800_53_rev_5_ir_4_a ] - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/GuardDuty" + }) } benchmark "nist_800_53_rev_5_ir_4_a" { @@ -25,5 +29,7 @@ benchmark "nist_800_53_rev_5_ir_4_a" { control.guardduty_finding_archived ] - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/GuardDuty" + }) } 
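Review bot: In `ir.sp` the `service = "AWS/GuardDuty"` tag is applied to the family container `nist_800_53_rev_5_ir` and to `nist_800_53_rev_5_ir_4`, not only to the leaf `ir_4_a` that actually holds `guardduty_finding_archived`. A container benchmark carries no controls of its own, and a single-valued service tag on it becomes wrong the moment an IR item backed by another service is added under it; tag-filtered runs such as `--tag service=AWS/GuardDuty` would then sweep in unrelated children. Suggest leaving containers on `tags = local.nist_800_53_rev_5_common_tags` and putting `service` only on leaf benchmarks, or at least adding `# service tag assumes every IR child is GuardDuty-backed; revisit when children change` on the container.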
diff --git a/nist_800_53_rev_5/ma.sp b/nist_800_53_rev_5/ma.sp index 3294d327..a2fa3d82 100644 --- a/nist_800_53_rev_5/ma.sp +++ b/nist_800_53_rev_5/ma.sp @@ -26,7 +26,9 @@ benchmark "nist_800_53_rev_5_ma_4_c" { control.iam_account_password_policy_min_length_14 ] - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/IAM" + }) } benchmark "nist_800_53_rev_5_ma_4_1" { diff --git a/nist_800_53_rev_5/pe.sp b/nist_800_53_rev_5/pe.sp index 2a9eb151..25196f75 100644 --- a/nist_800_53_rev_5/pe.sp +++ b/nist_800_53_rev_5/pe.sp @@ -5,7 +5,9 @@ benchmark "nist_800_53_rev_5_pe" { benchmark.nist_800_53_rev_5_pe_6 ] - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/GuardDuty" + }) } benchmark "nist_800_53_rev_5_pe_6" { @@ -16,7 +18,9 @@ benchmark "nist_800_53_rev_5_pe_6" { benchmark.nist_800_53_rev_5_pe_6_4 ] - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/GuardDuty" + }) } benchmark "nist_800_53_rev_5_pe_6_2" { @@ -26,7 +30,9 @@ benchmark "nist_800_53_rev_5_pe_6_2" { control.guardduty_enabled, ] - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/GuardDuty" + }) } benchmark "nist_800_53_rev_5_pe_6_4" { @@ -36,5 +42,7 @@ benchmark "nist_800_53_rev_5_pe_6_4" { control.guardduty_enabled, ] - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/GuardDuty" + }) } \ No newline at end of file diff --git a/nist_800_53_rev_5/pm.sp b/nist_800_53_rev_5/pm.sp index 77a25e88..b20ae648 100644 --- a/nist_800_53_rev_5/pm.sp +++ b/nist_800_53_rev_5/pm.sp 
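Review bot: `pe.sp` is left without a trailing newline (the `\ No newline at end of file` marker after the closing `}` of `pe_6_4`), which makes every later append to the file show up as a spurious change to that line; add the newline. The same hunks tag the family container `nist_800_53_rev_5_pe` and `pe_6` with `service = "AWS/GuardDuty"` even though only the leaves `pe_6_2` and `pe_6_4` hold the control, so the container tag will be wrong as soon as a non-GuardDuty PE child is added; keeping `tags = local.nist_800_53_rev_5_common_tags` on containers avoids that. In `ma.sp`, tagging `ma_4_c` (strong authentication for nonlocal maintenance sessions) as `AWS/IAM` matches its only child `iam_account_password_policy_min_length_14`, but a password-length policy on its own is a thin proxy for "strong authentication"; an MFA control such as `iam_user_mfa_enabled`, which this mod already defines, would be the more defensible evidence for that item.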
@@ -112,7 +112,9 @@ benchmark "nist_800_53_rev_5_pm_16" { control.guardduty_enabled, ] - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/GuardDuty" + }) } benchmark "nist_800_53_rev_5_pm_17" { @@ -150,7 +152,9 @@ benchmark "nist_800_53_rev_5_pm_21" { benchmark.nist_800_53_rev_5_pm_21_b ] - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/CloudWatch" + }) } benchmark "nist_800_53_rev_5_pm_21_b" { @@ -160,7 +164,9 @@ benchmark "nist_800_53_rev_5_pm_21_b" { control.cloudwatch_log_group_retention_period_365 ] - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/CloudWatch" + }) } benchmark "nist_800_53_rev_5_pm_31" { diff --git a/nist_800_53_rev_5/ra.sp b/nist_800_53_rev_5/ra.sp index 67b97380..0ee63ecf 100644 --- a/nist_800_53_rev_5/ra.sp +++ b/nist_800_53_rev_5/ra.sp @@ -18,7 +18,9 @@ benchmark "nist_800_53_rev_5_ra_1" { benchmark.nist_800_53_rev_5_ra_1_a, ] - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/GuardDuty" + }) } benchmark "nist_800_53_rev_5_ra_1_a" { @@ -30,7 +32,9 @@ benchmark "nist_800_53_rev_5_ra_1_a" { benchmark.nist_800_53_rev_5_ra_1_a_2 ] - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/GuardDuty" + }) } benchmark "nist_800_53_rev_5_ra_1_a_1" { @@ -40,7 +44,9 @@ benchmark "nist_800_53_rev_5_ra_1_a_1" { control.guardduty_enabled, ] - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/GuardDuty" + }) } benchmark "nist_800_53_rev_5_ra_1_a_2" { 
@@ -50,7 +56,9 @@ benchmark "nist_800_53_rev_5_ra_1_a_2" { control.guardduty_enabled, ] - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/GuardDuty" + }) } benchmark "nist_800_53_rev_5_ra_3" { @@ -82,7 +90,9 @@ benchmark "nist_800_53_rev_5_ra_3_4" { control.guardduty_enabled, ] - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/GuardDuty" + }) } benchmark "nist_800_53_rev_5_ra_5" { @@ -94,7 +104,9 @@ benchmark "nist_800_53_rev_5_ra_5" { ] - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/GuardDuty" + }) } benchmark "nist_800_53_rev_5_ra_5_a" { @@ -103,8 +115,9 @@ benchmark "nist_800_53_rev_5_ra_5_a" { children = [ control.guardduty_enabled, ] - - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/GuardDuty" + }) } benchmark "nist_800_53_rev_5_ra_5_4" { @@ -114,7 +127,9 @@ benchmark "nist_800_53_rev_5_ra_5_4" { control.guardduty_enabled, ] - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/GuardDuty" + }) } benchmark "nist_800_53_rev_5_ra_10" { @@ -124,7 +139,9 @@ benchmark "nist_800_53_rev_5_ra_10" { benchmark.nist_800_53_rev_5_ra_10_a, ] - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/GuardDuty" + }) } benchmark "nist_800_53_rev_5_ra_10_a" { @@ -136,7 +153,9 @@ benchmark "nist_800_53_rev_5_ra_10_a" { control.guardduty_enabled, ] - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/GuardDuty" + }) } benchmark "nist_800_53_rev_5_ra_10_a_1" { 
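Review bot: In the `ra_5_a` hunk the blank line between the closing `]` of `children` and `tags` is dropped (the hunk removes the empty line together with the old `tags` line), while every neighbouring block in this file and elsewhere in the patch keeps that blank line, and `ra_5` just above goes the other way and keeps two. Restore the single blank line in `ra_5_a` and collapse the double one in `ra_5` so the file stays uniform; these `.sp` files are HCL, so one formatter pass over the directory would settle this for every block the patch touches. Mapping each RA item (`ra_1_a_*`, `ra_3_4`, `ra_5_*`, `ra_10_*`) to the single `guardduty_enabled` control is pre-existing, but with the new service tags the whole RA family now reads as "GuardDuty only", which an assessor may question for RA-5 where vulnerability-scanning evidence would be expected; a comment on `ra_5` acknowledging the gap would be honest.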
@@ -146,7 +165,9 @@ benchmark "nist_800_53_rev_5_ra_10_a_1" { control.guardduty_enabled, ] - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/GuardDuty" + }) } benchmark "nist_800_53_rev_5_ra_10_a_2" { @@ -156,5 +177,7 @@ benchmark "nist_800_53_rev_5_ra_10_a_2" { control.guardduty_enabled, ] - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/GuardDuty" + }) } \ No newline at end of file diff --git a/nist_800_53_rev_5/sa.sp b/nist_800_53_rev_5/sa.sp index 86097914..d5b79c29 100644 --- a/nist_800_53_rev_5/sa.sp +++ b/nist_800_53_rev_5/sa.sp @@ -16,10 +16,11 @@ benchmark "nist_800_53_rev_5_sa_1" { description = "The organization develops, disseminates, and periodically reviews/updates: (i) a formal, documented, system and services acquisition policy that includes information security considerations and that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls." children = [ benchmark.nist_800_53_rev_5_sa_1_1 - ] - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/CloudTrail" + }) } benchmark "nist_800_53_rev_5_sa_1_1" { @@ -29,7 +30,9 @@ benchmark "nist_800_53_rev_5_sa_1_1" { control.cloudtrail_trail_validation_enabled ] - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/CloudTrail" + }) } benchmark "nist_800_53_rev_5_sa_9" { 
@@ -39,7 +42,9 @@ benchmark "nist_800_53_rev_5_sa_9" { benchmark.nist_800_53_rev_5_sa_9_6 ] - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/KMS" + }) } benchmark "nist_800_53_rev_5_sa_9_6" { @@ -50,7 +55,9 @@ benchmark "nist_800_53_rev_5_sa_9_6" { control.kms_cmk_rotation_enabled ] - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/KMS" + }) } @@ -61,7 +68,9 @@ benchmark "nist_800_53_rev_5_sa_10" { benchmark.nist_800_53_rev_5_sa_10_1 ] - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/CloudTrail" + }) } benchmark "nist_800_53_rev_5_sa_10_1" { @@ -71,7 +80,9 @@ benchmark "nist_800_53_rev_5_sa_10_1" { control.cloudtrail_trail_validation_enabled ] - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/CloudTrail" + }) } benchmark "nist_800_53_rev_5_sa_15" { diff --git a/nist_800_53_rev_5/sc.sp b/nist_800_53_rev_5/sc.sp index 37cef716..8bfccccd 100644 --- a/nist_800_53_rev_5/sc.sp +++ b/nist_800_53_rev_5/sc.sp @@ -41,7 +41,9 @@ benchmark "nist_800_53_rev_5_sc_5_a" { control.guardduty_enabled ] - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/GuardDuty" + }) } benchmark "nist_800_53_rev_5_sc_5_b" { @@ -51,7 +53,9 @@ benchmark "nist_800_53_rev_5_sc_5_b" { control.guardduty_enabled ] - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/GuardDuty" + }) } benchmark "nist_800_53_rev_5_sc_5_1" { @@ -61,7 +65,9 @@ benchmark "nist_800_53_rev_5_sc_5_1" { control.guardduty_enabled ] - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/GuardDuty" + }) } benchmark "nist_800_53_rev_5_sc_5_2" { 
@@ -99,7 +105,9 @@ benchmark "nist_800_53_rev_5_sc_5_3" { benchmark.nist_800_53_rev_5_sc_5_3_b ] - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/GuardDuty" + }) } benchmark "nist_800_53_rev_5_sc_5_3_a" { @@ -109,7 +117,9 @@ benchmark "nist_800_53_rev_5_sc_5_3_a" { control.guardduty_enabled ] - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/GuardDuty" + }) } benchmark "nist_800_53_rev_5_sc_5_3_b" { @@ -119,7 +129,9 @@ benchmark "nist_800_53_rev_5_sc_5_3_b" { control.guardduty_enabled ] - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/GuardDuty" + }) } benchmark "nist_800_53_rev_5_sc_6" { @@ -887,7 +899,9 @@ benchmark "nist_800_53_rev_5_sc_12" { benchmark.nist_800_53_rev_5_sc_12_6 ] - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/KMS" + }) } benchmark "nist_800_53_rev_5_sc_12_2" { @@ -898,7 +912,9 @@ benchmark "nist_800_53_rev_5_sc_12_2" { control.kms_key_not_pending_deletion ] - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/KMS" + }) } benchmark "nist_800_53_rev_5_sc_12_6" { @@ -909,7 +925,9 @@ benchmark "nist_800_53_rev_5_sc_12_6" { control.kms_key_not_pending_deletion ] - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/KMS" + }) } benchmark "nist_800_53_rev_5_sc_13" { @@ -1046,7 +1064,9 @@ benchmark "nist_800_53_rev_5_sc_23_5" { control.elb_application_network_lb_use_ssl_certificate ] - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/ELB" + }) } benchmark "nist_800_53_rev_5_sc_25" { 
@@ -1124,7 +1144,9 @@ benchmark "nist_800_53_rev_5_sc_28_2" { control.cloudwatch_log_group_retention_period_365 ] - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/CloudWatch" + }) } benchmark "nist_800_53_rev_5_sc_36" { @@ -1162,7 +1184,9 @@ benchmark "nist_800_53_rev_5_sc_43" { benchmark.nist_800_53_rev_5_sc_43_b ] - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/GuardDuty" + }) } benchmark "nist_800_53_rev_5_sc_43_b" { @@ -1172,5 +1196,7 @@ benchmark "nist_800_53_rev_5_sc_43_b" { control.guardduty_enabled ] - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/GuardDuty" + }) } \ No newline at end of file diff --git a/nist_800_53_rev_5/si.sp b/nist_800_53_rev_5/si.sp index 629e70ce..3073d83b 100644 --- a/nist_800_53_rev_5/si.sp +++ b/nist_800_53_rev_5/si.sp @@ -237,8 +237,6 @@ benchmark "nist_800_53_rev_5_si_4" { benchmark.nist_800_53_rev_5_si_4_20, benchmark.nist_800_53_rev_5_si_4_23, benchmark.nist_800_53_rev_5_si_4_25 - - ] tags = local.nist_800_53_rev_5_common_tags @@ -314,7 +312,7 @@ benchmark "nist_800_53_rev_5_si_4_d" { ] tags = merge(local.nist_800_53_rev_5_common_tags, { - service = "AWS/GuardDuty" + service = "AWS/CloudTrail" }) } @@ -354,7 +352,9 @@ benchmark "nist_800_53_rev_5_si_4_3" { control.guardduty_enabled, ] - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/GuardDuty" + }) } benchmark "nist_800_53_rev_5_si_4_4" { @@ -375,7 +375,9 @@ benchmark "nist_800_53_rev_5_si_4_4_a" { control.guardduty_enabled, ] - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/GuardDuty" + }) } benchmark "nist_800_53_rev_5_si_4_4_b" { 
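Review bot: The `si_4_d` hunk flips the service tag from `AWS/GuardDuty` to `AWS/CloudTrail` but shows only the closing `]` of the children list, so nothing in the diff establishes which controls the block holds; if `guardduty_enabled` is still among them the single-valued tag is wrong in both the old and the new form. Please confirm the children list above the hunk and, if the block mixes CloudTrail and GuardDuty controls, either split it into per-service leaf benchmarks or fall back to `tags = local.nist_800_53_rev_5_common_tags`. A brief comment such as `# service tag names the dominant control; children mix CloudTrail and GuardDuty` would at least make the choice explicit. `sc.sp` is also left without a trailing newline (`\ No newline at end of file` after `sc_43_b`); add it.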
@@ -385,7 +387,9 @@ benchmark "nist_800_53_rev_5_si_4_4_b" { control.guardduty_enabled, ] - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/GuardDuty" + }) } benchmark "nist_800_53_rev_5_si_4_10" { @@ -395,7 +399,9 @@ benchmark "nist_800_53_rev_5_si_4_10" { control.guardduty_enabled, ] - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/GuardDuty" + }) } benchmark "nist_800_53_rev_5_si_4_12" { @@ -405,7 +411,9 @@ benchmark "nist_800_53_rev_5_si_4_12" { control.cloudwatch_alarm_action_enabled, ] - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/CloudWatch" + }) } benchmark "nist_800_53_rev_5_si_4_13" { @@ -435,7 +443,9 @@ benchmark "nist_800_53_rev_5_si_4_14" { control.guardduty_enabled, ] - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/GuardDuty" + }) } benchmark "nist_800_53_rev_5_si_4_17" { @@ -482,7 +492,9 @@ benchmark "nist_800_53_rev_5_si_4_23" { control.guardduty_enabled ] - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/GuardDuty" + }) } benchmark "nist_800_53_rev_5_si_4_25" { @@ -521,7 +533,7 @@ benchmark "nist_800_53_rev_5_si_5_b" { title = "SI-5(b)" description = "b. Generate internal security alerts, advisories, and directives as deemed necessary;" children = [ - control.cloudwatch_alarm_action_enabled, + control.cloudwatch_alarm_action_enabled, control.guardduty_enabled ] @@ -548,8 +560,9 @@ benchmark "nist_800_53_rev_5_si_7_a" { children = [ control.cloudtrail_trail_validation_enabled, ] - - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/CloudTrail" + }) } benchmark "nist_800_53_rev_5_si_7_1" { 
@@ -559,7 +572,9 @@ benchmark "nist_800_53_rev_5_si_7_1" { control.cloudtrail_trail_validation_enabled, ] - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/CloudTrail" + }) } benchmark "nist_800_53_rev_5_si_7_3" { @@ -569,7 +584,9 @@ benchmark "nist_800_53_rev_5_si_7_3" { control.cloudtrail_trail_validation_enabled, ] - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/CloudTrail" + }) } benchmark "nist_800_53_rev_5_si_7_7" { @@ -579,7 +596,9 @@ benchmark "nist_800_53_rev_5_si_7_7" { control.cloudtrail_trail_validation_enabled, ] - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/CloudTrail" + }) } benchmark "nist_800_53_rev_5_si_7_8" { @@ -645,7 +664,9 @@ benchmark "nist_800_53_rev_5_si_12" { control.cloudwatch_log_group_retention_period_365, ] - tags = local.nist_800_53_rev_5_common_tags + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/CloudWatch" + }) } benchmark "nist_800_53_rev_5_si_13" { From 160f6ebdf6dbe6aa280b981f1918c3c7c1e3cadf Mon Sep 17 00:00:00 2001 From: Khushboo Date: Fri, 27 May 2022 20:17:17 +0530 Subject: [PATCH 12/20] minor updates --- nist_800_53_rev_5/ac.sp | 7 +------ nist_800_53_rev_5/cp.sp | 6 +----- 2 files changed, 2 insertions(+), 11 deletions(-) diff --git a/nist_800_53_rev_5/ac.sp b/nist_800_53_rev_5/ac.sp index 9cddc710..eba1446f 100644 --- a/nist_800_53_rev_5/ac.sp +++ b/nist_800_53_rev_5/ac.sp @@ -612,7 +612,6 @@ benchmark "nist_800_53_rev_5_ac_3_4_b" { control.iam_root_user_mfa_enabled, control.secretsmanager_secret_automatic_rotation_enabled, control.secretsmanager_secret_rotated_as_scheduled, - benchmark.nist_800_53_rev_5_ac_3_4_a ] 
@@ -639,8 +638,6 @@ benchmark "nist_800_53_rev_5_ac_3_4_c" { control.iam_root_user_mfa_enabled, control.secretsmanager_secret_automatic_rotation_enabled, control.secretsmanager_secret_rotated_as_scheduled, - benchmark.nist_800_53_rev_5_ac_3_4_a - ] tags = local.nist_800_53_rev_5_common_tags @@ -666,8 +663,6 @@ benchmark "nist_800_53_rev_5_ac_3_4_d" { control.iam_root_user_mfa_enabled, control.secretsmanager_secret_automatic_rotation_enabled, control.secretsmanager_secret_rotated_as_scheduled, - benchmark.nist_800_53_rev_5_ac_3_4_a - ] tags = local.nist_800_53_rev_5_common_tags @@ -1225,7 +1220,7 @@ benchmark "nist_800_53_rev_5_ac_17" { } benchmark "nist_800_53_rev_5_ac_17_b" { - title = "AC-17b" + title = "AC-17(b)" description = "b. Authorize each type of remote access to the system prior to allowing such connections." children = [ control.vpc_security_group_restrict_ingress_ssh_all, diff --git a/nist_800_53_rev_5/cp.sp b/nist_800_53_rev_5/cp.sp index 6c7cb02d..987fcc5e 100644 --- a/nist_800_53_rev_5/cp.sp +++ b/nist_800_53_rev_5/cp.sp @@ -155,8 +155,6 @@ benchmark "nist_800_53_rev_5_cp_2_d" { control.elb_application_lb_deletion_protection_enabled, control.rds_db_instance_multiple_az_enabled, control.vpc_vpn_tunnel_up, - benchmark.nist_800_53_rev_5_cp_2_a_6, - benchmark.nist_800_53_rev_5_cp_2_a_7 ] tags = local.nist_800_53_rev_5_common_tags @@ -172,8 +170,6 @@ benchmark "nist_800_53_rev_5_cp_2_e" { control.elb_application_lb_deletion_protection_enabled, control.rds_db_instance_multiple_az_enabled, control.vpc_vpn_tunnel_up, - benchmark.nist_800_53_rev_5_cp_2_a_6, - benchmark.nist_800_53_rev_5_cp_2_a_7 ] tags = local.nist_800_53_rev_5_common_tags 
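Review bot: Removing `benchmark.nist_800_53_rev_5_ac_3_4_a` from the `ac_3_4_c`/`ac_3_4_d` children (and `cp_2_a_6`/`cp_2_a_7` from `cp_2_d`/`cp_2_e`) is the right fix for a sibling item nested under its siblings, which double-counted its controls in roll-up results, but nothing in these hunks shows those benchmarks still being referenced from their proper parents (`ac_3_4` and `cp_2_a`). A benchmark that appears in no `children` list is still compiled but silently drops out of the tree, so please confirm the parent lists outside the hunk still carry them. The edited lists now end with a dangling trailing comma (`control.secretsmanager_secret_rotated_as_scheduled,` and `control.vpc_vpn_tunnel_up,` directly before `]`); HCL tolerates it, but the file is inconsistent about it, so a formatter pass would be worthwhile.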
@@ -433,7 +429,7 @@ benchmark "nist_800_53_rev_5_cp_10" { } benchmark "nist_800_53_rev_5_cp_10_2" { - title = "CP-10(2) Transaction Recovery (CP-10)" + title = "CP-10(2) Transaction Recovery" description = "Implement transaction recovery for systems that are transaction-based." children = [ control.dynamodb_table_in_backup_plan, From 01ef777c885cc0ad069230d96e0d2e177d21c5d6 Mon Sep 17 00:00:00 2001 From: Khushboo Date: Tue, 31 May 2022 16:34:35 +0530 Subject: [PATCH 13/20] update --- nist_800_53_rev_5/ac.sp | 667 ++++++++++++++++++++------------------- nist_800_53_rev_5/au.sp | 317 ++++++++++--------- nist_800_53_rev_5/ca.sp | 52 ++-- nist_800_53_rev_5/cm.sp | 171 +++++----- nist_800_53_rev_5/cp.sp | 158 +++++----- nist_800_53_rev_5/ia.sp | 46 +-- nist_800_53_rev_5/ma.sp | 10 +- nist_800_53_rev_5/mp.sp | 10 +- nist_800_53_rev_5/pm.sp | 84 ++--- nist_800_53_rev_5/ra.sp | 33 +- nist_800_53_rev_5/sa.sp | 1 - nist_800_53_rev_5/sc.sp | 669 ++++++++++++++++++++-------------------- nist_800_53_rev_5/si.sp | 190 ++++++------ 13 files changed, 1192 insertions(+), 1216 deletions(-) diff --git a/nist_800_53_rev_5/ac.sp b/nist_800_53_rev_5/ac.sp index eba1446f..dba85a20 100644 --- a/nist_800_53_rev_5/ac.sp +++ b/nist_800_53_rev_5/ac.sp @@ -1,6 +1,6 @@ benchmark "nist_800_53_rev_5_ac" { - title = benchmark.nist_800_53_rev_4_ac.title - description = benchmark.nist_800_53_rev_4_ac.description + title = "Access Control (AC)" + description = "The access control family consists of security requirements detailing system logging. This includes who has access to what assets and reporting capabilities like account management, system privileges, and remote access logging to determine when users have access to the system and their level of access." children = [ benchmark.nist_800_53_rev_5_ac_2, benchmark.nist_800_53_rev_5_ac_3, 
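Review bot: The new hard-coded description for `nist_800_53_rev_5_ac` opens with `The access control family consists of security requirements detailing system logging.`, which describes the AU (Audit and Accountability) family rather than AC; Rev 5's AC family is about which users, processes and devices may access which system resources and under what conditions, with logging only a supporting concern. Replacing the cross-reference to `benchmark.nist_800_53_rev_4_ac` with literal text is a good decoupling from the Rev 4 mod, but the literal should be right, e.g. `The access control family governs which users, processes and devices may access system resources and under what conditions, covering account management, access enforcement, least privilege and remote access.` Since the same decoupling is done for other families in this patch, it is worth checking that none of the other copied blurbs carries the same mismatch.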
@@ -17,8 +17,8 @@ benchmark "nist_800_53_rev_5_ac" { } benchmark "nist_800_53_rev_5_ac_2" { - title = benchmark.nist_800_53_rev_4_ac_2.title - description = benchmark.nist_800_53_rev_4_ac_2.description + title = "Account Management (AC-2)" + description = "Manage system accounts, group memberships, privileges, workflow, notifications, deactivations, and authorizations." children = [ benchmark.nist_800_53_rev_5_ac_2_1, benchmark.nist_800_53_rev_5_ac_2_3, 
@@ -26,84 +26,33 @@ benchmark "nist_800_53_rev_5_ac_2" { benchmark.nist_800_53_rev_5_ac_2_6, benchmark.nist_800_53_rev_5_ac_2_12, benchmark.nist_800_53_rev_5_ac_2_d_1, - benchmark.nist_800_53_rev_5_ac_2_i_2, benchmark.nist_800_53_rev_5_ac_2_g, + benchmark.nist_800_53_rev_5_ac_2_i_2, benchmark.nist_800_53_rev_5_ac_2_j, ] tags = local.nist_800_53_rev_5_common_tags } -benchmark "nist_800_53_rev_5_ac_2_d_1" { - title = "AC-2(d)(1)" - description = "d. Specify: 1. Authorized users of the system;personnel termination and transfer processes." - children = [ - control.iam_account_password_policy_min_length_14 - ] - - tags = merge(local.nist_800_53_rev_5_common_tags, { - service = "AWS/IAM" - }) -} - -benchmark "nist_800_53_rev_5_ac_2_g" { - title = "AC-2(g)" - description = "The organization: g. Monitors the use of information system accounts." - children = [ - control.iam_user_unused_credentials_90 - ] - - tags = merge(local.nist_800_53_rev_5_common_tags, { - service = "AWS/IAM" - }) -} - -benchmark "nist_800_53_rev_5_ac_2_i_2" { - title = "AC-2(i)(2)" - description = "i. Authorize access to the system based on: 2. Intended system usage;" - children = [ - control.iam_group_user_role_no_inline_policies, - control.iam_policy_no_star_star, - control.iam_user_in_group, - control.iam_user_no_inline_attached_policies - ] - - tags = merge(local.nist_800_53_rev_5_common_tags, { - service = "AWS/IAM" - }) -} - -benchmark "nist_800_53_rev_5_ac_2_j" { - title = "AC-2(j)" - description = "The organization: j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]." - children = [ - control.iam_user_unused_credentials_90, - ] - - tags = merge(local.nist_800_53_rev_5_common_tags, { - service = "AWS/IAM" - }) -} - benchmark "nist_800_53_rev_5_ac_2_1" { title = "AC-2(1) Automated System Account Management" description = "Support the management of system accounts using [Assignment: organization-defined automated mechanisms]." 
children = [ - control.iam_group_user_role_no_inline_policies, - control.iam_user_access_key_age_90, control.iam_account_password_policy_min_length_14, + control.iam_group_user_role_no_inline_policies, control.iam_policy_no_star_star, - control.secretsmanager_secret_unused_90_day, + control.iam_root_user_hardware_mfa_enabled, + control.iam_root_user_mfa_enabled, control.iam_root_user_no_access_keys, + control.iam_user_access_key_age_90, + control.iam_user_console_access_mfa_enabled, control.iam_user_in_group, control.iam_user_mfa_enabled, control.iam_user_no_inline_attached_policies, control.iam_user_unused_credentials_90, - control.iam_user_console_access_mfa_enabled, - control.iam_root_user_hardware_mfa_enabled, - control.iam_root_user_mfa_enabled, control.secretsmanager_secret_automatic_rotation_enabled, - control.secretsmanager_secret_rotated_as_scheduled + control.secretsmanager_secret_rotated_as_scheduled, + control.secretsmanager_secret_unused_90_day, ] tags = local.nist_800_53_rev_5_common_tags @@ -194,14 +143,14 @@ benchmark "nist_800_53_rev_5_ac_2_6" { title = "AC-2(6) Dynamic Privilege Management" description = "Implement [Assignment: organization-defined dynamic privilege management capabilities]." children = [ - control.ec2_instance_uses_imdsv2, - control.iam_group_user_role_no_inline_policies, - control.ec2_instance_in_vpc, control.dms_replication_instance_not_publicly_accessible, control.ebs_snapshot_not_publicly_restorable, + control.ec2_instance_in_vpc, control.ec2_instance_not_publicly_accessible, - control.es_domain_in_vpc, + control.ec2_instance_uses_imdsv2, control.emr_cluster_master_nodes_no_public_ip, + control.es_domain_in_vpc, + control.iam_group_user_role_no_inline_policies, control.iam_policy_no_star_star, control.iam_root_user_no_access_keys, control.iam_user_in_group, 
@@ -224,8 +173,8 @@ benchmark "nist_800_53_rev_5_ac_2_6" { } benchmark "nist_800_53_rev_5_ac_2_12" { - title = benchmark.nist_800_53_rev_4_ac_2_12.title - description = benchmark.nist_800_53_rev_4_ac_2_12.description + title = "AC-2(12) Account Monitoring" + description = "Monitors and reports atypical usage of information system accounts to organization-defined personnel or roles." children = [ benchmark.nist_800_53_rev_5_ac_2_12_a ] @@ -235,7 +184,7 @@ benchmark "nist_800_53_rev_5_ac_2_12" { benchmark "nist_800_53_rev_5_ac_2_12_a" { title = "AC-2(12)(a)" - description = "(a) Monitor system accounts for [Assignment: organization-defined atypical usage]" + description = "(a) Monitor system accounts for [Assignment: organization-defined atypical usage]." children = [ control.guardduty_enabled, ] 
@@ -245,27 +194,88 @@ benchmark "nist_800_53_rev_5_ac_2_12_a" { }) } +benchmark "nist_800_53_rev_5_ac_2_d_1" { + title = "AC-2(d)(1)" + description = "d. Specify: 1. Authorized users of the system;personnel termination and transfer processes." + children = [ + control.iam_account_password_policy_min_length_14 + ] + + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/IAM" + }) +} + +benchmark "nist_800_53_rev_5_ac_2_g" { + title = "AC-2(g)" + description = "The organization: g. Monitors the use of information system accounts." + children = [ + control.iam_user_unused_credentials_90 + ] + + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/IAM" + }) +} + +benchmark "nist_800_53_rev_5_ac_2_i_2" { + title = "AC-2(i)(2)" + description = "i. Authorize access to the system based on: 2. Intended system usage." + children = [ + control.iam_group_user_role_no_inline_policies, + control.iam_policy_no_star_star, + control.iam_user_in_group, + control.iam_user_no_inline_attached_policies + ] + + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/IAM" + }) +} + +benchmark "nist_800_53_rev_5_ac_2_j" { + title = "AC-2(j)" + description = "The organization: j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]." + children = [ + control.iam_user_unused_credentials_90, + ] + + tags = merge(local.nist_800_53_rev_5_common_tags, { + service = "AWS/IAM" + }) +} + benchmark "nist_800_53_rev_5_ac_3" { title = "Access Enforcement (AC-3)" description = "Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies." 
children = [ + benchmark.nist_800_53_rev_5_ac_3_1, + benchmark.nist_800_53_rev_5_ac_3_2, + benchmark.nist_800_53_rev_5_ac_3_3, + benchmark.nist_800_53_rev_5_ac_3_4, + benchmark.nist_800_53_rev_5_ac_3_7, + benchmark.nist_800_53_rev_5_ac_3_8, + benchmark.nist_800_53_rev_5_ac_3_10, + benchmark.nist_800_53_rev_5_ac_3_12, + benchmark.nist_800_53_rev_5_ac_3_13, + benchmark.nist_800_53_rev_5_ac_3_15, control.autoscaling_launch_config_public_ip_disabled, - control.ec2_instance_uses_imdsv2, - control.ec2_instance_iam_profile_attached, - control.ecs_task_definition_user_for_host_mode_check, - control.iam_group_user_role_no_inline_policies, - control.iam_all_policy_no_service_wild_card, control.dms_replication_instance_not_publicly_accessible, control.ebs_snapshot_not_publicly_restorable, + control.ec2_instance_iam_profile_attached, control.ec2_instance_not_publicly_accessible, - control.es_domain_in_vpc, + control.ec2_instance_uses_imdsv2, + control.ecs_task_definition_user_for_host_mode_check, control.emr_cluster_master_nodes_no_public_ip, + control.es_domain_in_vpc, + control.iam_all_policy_no_service_wild_card, + control.iam_group_user_role_no_inline_policies, control.iam_policy_no_star_star, control.iam_user_in_group, control.iam_user_no_inline_attached_policies, control.iam_user_unused_credentials_90, - control.lambda_function_restrict_public_access, control.lambda_function_in_vpc, + control.lambda_function_restrict_public_access, control.rds_db_instance_prohibit_public_access, control.rds_db_snapshot_prohibit_public_access, control.redshift_cluster_prohibit_public_access, 
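Review bot: The re-added `nist_800_53_rev_5_ac_2_d_1` block carries a description that does not read as AC-2d.1 — `"d. Specify: 1. Authorized users of the system;personnel termination and transfer processes."` splices an unrelated fragment onto the control text with no space — and its only child, `control.iam_account_password_policy_min_length_14`, is a password-strength check that says nothing about which users are authorized. The commit only moves these blocks down the file, so neither point is addressed. Suggest trimming the text to `description = "d. Specify: 1. Authorized users of the system;"` and, unless the password-policy mapping is deliberate, pointing the child at a control that evidences authorized users such as `control.iam_user_in_group`; if it is deliberate, a one-line comment above `children` explaining why would stop the next reader from "fixing" it. The same observation applies to `ac_2_g` and `ac_2_j`, which both resolve to only `control.iam_user_unused_credentials_90`.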
@@ -275,16 +285,6 @@ benchmark "nist_800_53_rev_5_ac_3" { control.s3_public_access_block_bucket, control.sagemaker_notebook_instance_direct_internet_access_disabled, control.vpc_subnet_auto_assign_public_ip_disabled, - benchmark.nist_800_53_rev_5_ac_3_1, - benchmark.nist_800_53_rev_5_ac_3_2, - benchmark.nist_800_53_rev_5_ac_3_3, - benchmark.nist_800_53_rev_5_ac_3_4, - benchmark.nist_800_53_rev_5_ac_3_7, - benchmark.nist_800_53_rev_5_ac_3_8, - benchmark.nist_800_53_rev_5_ac_3_10, - benchmark.nist_800_53_rev_5_ac_3_12, - benchmark.nist_800_53_rev_5_ac_3_13, - benchmark.nist_800_53_rev_5_ac_3_15 ] tags = local.nist_800_53_rev_5_common_tags @@ -310,10 +310,10 @@ benchmark "nist_800_53_rev_5_ac_3_2" { title = "AC-3(2) Dual Authorization" description = "Enforce dual authorization for [Assignment: organization-defined privileged commands and/or other organization-defined actions]." children = [ - control.iam_user_mfa_enabled, - control.iam_user_console_access_mfa_enabled, control.iam_root_user_hardware_mfa_enabled, - control.iam_root_user_mfa_enabled + control.iam_root_user_mfa_enabled, + control.iam_user_console_access_mfa_enabled, + control.iam_user_mfa_enabled ] tags = merge(local.nist_800_53_rev_5_common_tags, { 
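Review bot: In the `@@ -310,10 +310,10 @@` hunk, AC-3(2) Dual Authorization is mapped exclusively to MFA controls (`control.iam_root_user_mfa_enabled`, `control.iam_user_mfa_enabled`, and the console/hardware variants), but dual authorization in 800-53 means two separate authorized individuals approving a privileged action, whereas MFA is a second factor for one individual; the commit reorders the list without touching this. These controls are the natural evidence for the IA-2 multi-factor enhancements rather than AC-3(2). If no control in this mod can evidence two-person approval, a comment above `children = [` such as `# NOTE: no AWS control evidences two-person approval; MFA listed as a partial proxy` would make the approximation explicit for whoever consumes the benchmark. The benchmark block's closing `})` and `}` lie outside the hunk.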
@@ -325,29 +325,29 @@ benchmark "nist_800_53_rev_5_ac_3_3" { title = "AC-3(3) Mandatory Access Control" description = "Enforce [Assignment: organization-defined mandatory access control policy] over the set of covered subjects and objects specified in the policy, and where the policy: (a) Is uniformly enforced across the covered subjects and objects within the system; (b) Specifies that a subject that has been granted access to information is constrained from doing any of the following; (1) Passing the information to unauthorized subjects or objects; (2) Granting its privileges to other subjects; (3) Changing one or more security attributes (specified by the policy) on subjects, objects, the system, or system components; (4) Choosing the security attributes and attribute values (specified by the policy) to be associated with newly created or modified objects; and (5) Changing the rules governing access control; and (c) Specifies that [Assignment: organization-defined subjects] may explicitly be granted [Assignment: organization-defined privileges] such that they are not limited by any defined subset (or all) of the above constraints." 
children = [ + benchmark.nist_800_53_rev_5_ac_3_3_a, + benchmark.nist_800_53_rev_5_ac_3_3_b_1, + benchmark.nist_800_53_rev_5_ac_3_3_b_2, + benchmark.nist_800_53_rev_5_ac_3_3_b_3, + benchmark.nist_800_53_rev_5_ac_3_3_b_4, + benchmark.nist_800_53_rev_5_ac_3_3_b_5, + benchmark.nist_800_53_rev_5_ac_3_3_c, control.ec2_instance_uses_imdsv2, - control.iam_group_user_role_no_inline_policies, - control.secretsmanager_secret_unused_90_day, - control.iam_user_access_key_age_90, control.iam_account_password_policy_min_length_14, + control.iam_group_user_role_no_inline_policies, control.iam_policy_no_star_star, + control.iam_root_user_hardware_mfa_enabled, + control.iam_root_user_mfa_enabled, control.iam_root_user_no_access_keys, + control.iam_user_access_key_age_90, + control.iam_user_console_access_mfa_enabled, control.iam_user_in_group, control.iam_user_mfa_enabled, control.iam_user_no_inline_attached_policies, control.iam_user_unused_credentials_90, - control.iam_user_console_access_mfa_enabled, - control.iam_root_user_hardware_mfa_enabled, - control.iam_root_user_mfa_enabled, control.secretsmanager_secret_automatic_rotation_enabled, control.secretsmanager_secret_rotated_as_scheduled, - benchmark.nist_800_53_rev_5_ac_3_3_a, - benchmark.nist_800_53_rev_5_ac_3_3_b_1, - benchmark.nist_800_53_rev_5_ac_3_3_b_2, - benchmark.nist_800_53_rev_5_ac_3_3_b_3, - benchmark.nist_800_53_rev_5_ac_3_3_b_4, - benchmark.nist_800_53_rev_5_ac_3_3_b_5, - benchmark.nist_800_53_rev_5_ac_3_3_c, + control.secretsmanager_secret_unused_90_day ] 
@@ -359,21 +359,21 @@ benchmark "nist_800_53_rev_5_ac_3_3_a" { description = "Enforce [Assignment: organization-defined mandatory access policy] over the set of covered subjects and objects specified in the policy, and where the policy: (a) Is uniformly enforced across the covered subjects and objects within the system;" children = [ control.ec2_instance_uses_imdsv2, - control.iam_group_user_role_no_inline_policies, - control.iam_user_access_key_age_90, control.iam_account_password_policy_min_length_14, - control.secretsmanager_secret_unused_90_day, + control.iam_group_user_role_no_inline_policies, control.iam_policy_no_star_star, + control.iam_root_user_hardware_mfa_enabled, + control.iam_root_user_mfa_enabled, control.iam_root_user_no_access_keys, + control.iam_user_access_key_age_90, + control.iam_user_console_access_mfa_enabled, control.iam_user_in_group, control.iam_user_mfa_enabled, control.iam_user_no_inline_attached_policies, control.iam_user_unused_credentials_90, - control.iam_user_console_access_mfa_enabled, - control.iam_root_user_hardware_mfa_enabled, - control.iam_root_user_mfa_enabled, control.secretsmanager_secret_automatic_rotation_enabled, - control.secretsmanager_secret_rotated_as_scheduled + control.secretsmanager_secret_rotated_as_scheduled, + control.secretsmanager_secret_unused_90_day ] 
@@ -382,24 +382,24 @@ benchmark "nist_800_53_rev_5_ac_3_3_a" { benchmark "nist_800_53_rev_5_ac_3_3_b_1" { title = "AC-3(3)(b)(1)" - description = "Enforce [Assignment: organization-defined mandatory access policy] over the set of covered subjects and objects specified in the policy, and where the policy: (b) Specifies that a subject that has been granted access to information is constrained from doing any of the following; (1) Passing the information to unauthorized subjects or objects;" + description = "Enforce [Assignment: organization-defined mandatory access policy] over the set of covered subjects and objects specified in the policy, and where the policy: (b) Specifies that a subject that has been granted access to information is constrained from doing any of the following; (1) Passing the information to unauthorized subjects or objects." children = [ control.ec2_instance_uses_imdsv2, - control.iam_group_user_role_no_inline_policies, - control.iam_user_access_key_age_90, - control.secretsmanager_secret_unused_90_day, control.iam_account_password_policy_min_length_14, + control.iam_group_user_role_no_inline_policies, control.iam_policy_no_star_star, + control.iam_root_user_hardware_mfa_enabled, + control.iam_root_user_mfa_enabled, control.iam_root_user_no_access_keys, + control.iam_user_access_key_age_90, + control.iam_user_console_access_mfa_enabled, control.iam_user_in_group, control.iam_user_mfa_enabled, control.iam_user_no_inline_attached_policies, control.iam_user_unused_credentials_90, - control.iam_user_console_access_mfa_enabled, - control.iam_root_user_hardware_mfa_enabled, - control.iam_root_user_mfa_enabled, control.secretsmanager_secret_automatic_rotation_enabled, - control.secretsmanager_secret_rotated_as_scheduled + control.secretsmanager_secret_rotated_as_scheduled, + control.secretsmanager_secret_unused_90_day ] 
@@ -411,22 +411,21 @@ benchmark "nist_800_53_rev_5_ac_3_3_b_2" { description = "Enforce [Assignment: organization-defined mandatory access policy] over the set of covered subjects and objects specified in the policy, and where the policy: (b) Specifies that a subject that has been granted access to information is constrained from doing any of the following; (2) Granting its privileges to other subjects;" children = [ control.ec2_instance_uses_imdsv2, - control.iam_group_user_role_no_inline_policies, - control.iam_user_access_key_age_90, - control.secretsmanager_secret_unused_90_day, control.iam_account_password_policy_min_length_14, + control.iam_group_user_role_no_inline_policies, control.iam_policy_no_star_star, + control.iam_root_user_hardware_mfa_enabled, + control.iam_root_user_mfa_enabled, control.iam_root_user_no_access_keys, + control.iam_user_access_key_age_90, + control.iam_user_console_access_mfa_enabled, control.iam_user_in_group, control.iam_user_mfa_enabled, control.iam_user_no_inline_attached_policies, control.iam_user_unused_credentials_90, - control.iam_user_console_access_mfa_enabled, - control.iam_root_user_hardware_mfa_enabled, - control.iam_root_user_mfa_enabled, control.secretsmanager_secret_automatic_rotation_enabled, - control.secretsmanager_secret_rotated_as_scheduled - + control.secretsmanager_secret_rotated_as_scheduled, + control.secretsmanager_secret_unused_90_day ] tags = local.nist_800_53_rev_5_common_tags 
@@ -434,25 +433,24 @@ benchmark "nist_800_53_rev_5_ac_3_3_b_2" { benchmark "nist_800_53_rev_5_ac_3_3_b_3" { title = "AC-3(3)(b)(3)" - description = "Enforce [Assignment: organization-defined mandatory access policy] over the set of covered subjects and objects specified in the policy, and where the policy: (b) Specifies that a subject that has been granted access to information is constrained from doing any of the following; (3) Changing one or more security attributes (specified by the policy) on subjects, objects, the system, or system components;" + description = "Enforce [Assignment: organization-defined mandatory access policy] over the set of covered subjects and objects specified in the policy, and where the policy: (b) Specifies that a subject that has been granted access to information is constrained from doing any of the following; (3) Changing one or more security attributes (specified by the policy) on subjects, objects, the system, or system components." children = [ control.ec2_instance_uses_imdsv2, - control.iam_group_user_role_no_inline_policies, - control.iam_user_access_key_age_90, control.iam_account_password_policy_min_length_14, + control.iam_group_user_role_no_inline_policies, control.iam_policy_no_star_star, - control.secretsmanager_secret_unused_90_day, + control.iam_root_user_hardware_mfa_enabled, + control.iam_root_user_mfa_enabled, control.iam_root_user_no_access_keys, + control.iam_user_access_key_age_90, + control.iam_user_console_access_mfa_enabled, control.iam_user_in_group, control.iam_user_mfa_enabled, control.iam_user_no_inline_attached_policies, control.iam_user_unused_credentials_90, - control.iam_user_console_access_mfa_enabled, - control.iam_root_user_hardware_mfa_enabled, - control.iam_root_user_mfa_enabled, control.secretsmanager_secret_automatic_rotation_enabled, - control.secretsmanager_secret_rotated_as_scheduled - + control.secretsmanager_secret_rotated_as_scheduled, + control.secretsmanager_secret_unused_90_day, ] tags = 
local.nist_800_53_rev_5_common_tags @@ -463,22 +461,21 @@ benchmark "nist_800_53_rev_5_ac_3_3_b_4" { description = "Enforce [Assignment: organization-defined mandatory access policy] over the set of covered subjects and objects specified in the policy, and where the policy: (b) Specifies that a subject that has been granted access to information is constrained from doing any of the following; (4) Choosing the security attributes and attribute values (specified by the policy) to be associated with newly created or modified objects;" children = [ control.ec2_instance_uses_imdsv2, - control.iam_group_user_role_no_inline_policies, - control.iam_user_access_key_age_90, control.iam_account_password_policy_min_length_14, + control.iam_group_user_role_no_inline_policies, control.iam_policy_no_star_star, - control.secretsmanager_secret_unused_90_day, + control.iam_root_user_hardware_mfa_enabled, + control.iam_root_user_mfa_enabled, control.iam_root_user_no_access_keys, + control.iam_user_access_key_age_90, + control.iam_user_console_access_mfa_enabled, control.iam_user_in_group, control.iam_user_mfa_enabled, control.iam_user_no_inline_attached_policies, control.iam_user_unused_credentials_90, - control.iam_user_console_access_mfa_enabled, - control.iam_root_user_hardware_mfa_enabled, - control.iam_root_user_mfa_enabled, control.secretsmanager_secret_automatic_rotation_enabled, - control.secretsmanager_secret_rotated_as_scheduled - + control.secretsmanager_secret_rotated_as_scheduled, + control.secretsmanager_secret_unused_90_day, ] tags = local.nist_800_53_rev_5_common_tags 
@@ -489,22 +486,21 @@ benchmark "nist_800_53_rev_5_ac_3_3_b_5" { description = "Enforce [Assignment: organization-defined mandatory access policy] over the set of covered subjects and objects specified in the policy, and where the policy: (b) Specifies that a subject that has been granted access to information is constrained from doing any of the following; (5) Changing the rules governing access;" children = [ control.ec2_instance_uses_imdsv2, - control.iam_group_user_role_no_inline_policies, - control.iam_user_access_key_age_90, - control.secretsmanager_secret_unused_90_day, control.iam_account_password_policy_min_length_14, + control.iam_group_user_role_no_inline_policies, control.iam_policy_no_star_star, + control.iam_root_user_hardware_mfa_enabled, + control.iam_root_user_mfa_enabled, control.iam_root_user_no_access_keys, + control.iam_user_access_key_age_90, + control.iam_user_console_access_mfa_enabled, control.iam_user_in_group, control.iam_user_mfa_enabled, control.iam_user_no_inline_attached_policies, control.iam_user_unused_credentials_90, - control.iam_user_console_access_mfa_enabled, - control.iam_root_user_hardware_mfa_enabled, - control.iam_root_user_mfa_enabled, control.secretsmanager_secret_automatic_rotation_enabled, - control.secretsmanager_secret_rotated_as_scheduled - + control.secretsmanager_secret_rotated_as_scheduled, + control.secretsmanager_secret_unused_90_day, ] tags = local.nist_800_53_rev_5_common_tags 
@@ -515,22 +511,21 @@ benchmark "nist_800_53_rev_5_ac_3_3_c" { description = "Enforce [Assignment: organization-defined mandatory access policy] over the set of covered subjects and objects specified in the policy, and where the policy: (c) Specifies that [Assignment: organization-defined subjects] may explicitly be granted [Assignment: organization-defined privileges] such that they are not limited by any defined subset (or all) of the above constraints." children = [ control.ec2_instance_uses_imdsv2, - control.iam_group_user_role_no_inline_policies, - control.iam_user_access_key_age_90, - control.secretsmanager_secret_unused_90_day, control.iam_account_password_policy_min_length_14, + control.iam_group_user_role_no_inline_policies, control.iam_policy_no_star_star, + control.iam_root_user_hardware_mfa_enabled, + control.iam_root_user_mfa_enabled, control.iam_root_user_no_access_keys, + control.iam_user_access_key_age_90, + control.iam_user_console_access_mfa_enabled, control.iam_user_in_group, control.iam_user_mfa_enabled, control.iam_user_no_inline_attached_policies, control.iam_user_unused_credentials_90, - control.iam_user_console_access_mfa_enabled, - control.iam_root_user_hardware_mfa_enabled, - control.iam_root_user_mfa_enabled, control.secretsmanager_secret_automatic_rotation_enabled, - control.secretsmanager_secret_rotated_as_scheduled - + control.secretsmanager_secret_rotated_as_scheduled, + control.secretsmanager_secret_unused_90_day ] tags = local.nist_800_53_rev_5_common_tags 
@@ -540,28 +535,27 @@ benchmark "nist_800_53_rev_5_ac_3_4" { title = "AC-3(4) Discretionary Access Control" description = "Enforce [Assignment: organization-defined discretionary access control policy] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: (a) Pass the information to any other subjects or objects; (b) Grant its privileges to other subjects; (c) Change security attributes on subjects, objects, the system, or the system’s components; (d) Choose the security attributes to be associated with newly created or revised objects; or (e) Change the rules governing access control." children = [ + benchmark.nist_800_53_rev_5_ac_3_4_a, + benchmark.nist_800_53_rev_5_ac_3_4_b, + benchmark.nist_800_53_rev_5_ac_3_4_c, + benchmark.nist_800_53_rev_5_ac_3_4_d, + benchmark.nist_800_53_rev_5_ac_3_4_e, control.ec2_instance_uses_imdsv2, - control.iam_group_user_role_no_inline_policies, - control.iam_user_access_key_age_90, - control.secretsmanager_secret_unused_90_day, control.iam_account_password_policy_min_length_14, + control.iam_group_user_role_no_inline_policies, control.iam_policy_no_star_star, + control.iam_root_user_hardware_mfa_enabled, + control.iam_root_user_mfa_enabled, control.iam_root_user_no_access_keys, + control.iam_user_access_key_age_90, + control.iam_user_console_access_mfa_enabled, control.iam_user_in_group, control.iam_user_mfa_enabled, control.iam_user_no_inline_attached_policies, control.iam_user_unused_credentials_90, - control.iam_user_console_access_mfa_enabled, - control.iam_root_user_hardware_mfa_enabled, - control.iam_root_user_mfa_enabled, control.secretsmanager_secret_automatic_rotation_enabled, control.secretsmanager_secret_rotated_as_scheduled, - benchmark.nist_800_53_rev_5_ac_3_4_a, - benchmark.nist_800_53_rev_5_ac_3_4_b, - benchmark.nist_800_53_rev_5_ac_3_4_c, - benchmark. 
nist_800_53_rev_5_ac_3_4_d, - benchmark.nist_800_53_rev_5_ac_3_4_e - + control.secretsmanager_secret_unused_90_day ] tags = local.nist_800_53_rev_5_common_tags @@ -569,24 +563,24 @@ benchmark "nist_800_53_rev_5_ac_3_4" { benchmark "nist_800_53_rev_5_ac_3_4_a" { title = "AC-3(4)(a)" - description = "Enforce [Assignment: organization-defined discretionary access policy] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: (a) Pass the information to any other subjects or objects;" + description = "Enforce [Assignment: organization-defined discretionary access policy] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: (a) Pass the information to any other subjects or objects." children = [ control.ec2_instance_uses_imdsv2, - control.iam_group_user_role_no_inline_policies, - control.secretsmanager_secret_unused_90_day, - control.iam_user_access_key_age_90, control.iam_account_password_policy_min_length_14, + control.iam_group_user_role_no_inline_policies, control.iam_policy_no_star_star, + control.iam_root_user_hardware_mfa_enabled, + control.iam_root_user_mfa_enabled, control.iam_root_user_no_access_keys, + control.iam_user_access_key_age_90, + control.iam_user_console_access_mfa_enabled, control.iam_user_in_group, control.iam_user_mfa_enabled, control.iam_user_no_inline_attached_policies, control.iam_user_unused_credentials_90, - control.iam_user_console_access_mfa_enabled, - control.iam_root_user_hardware_mfa_enabled, - control.iam_root_user_mfa_enabled, control.secretsmanager_secret_automatic_rotation_enabled, control.secretsmanager_secret_rotated_as_scheduled, + control.secretsmanager_secret_unused_90_day ] tags = local.nist_800_53_rev_5_common_tags 
@@ -596,23 +590,22 @@ benchmark "nist_800_53_rev_5_ac_3_4_b" { title = "AC-3(4)(b)" description = "Enforce [Assignment: organization-defined discretionary access policy] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: (b) Grant its privileges to other subjects;" children = [ - control.ec2_instance_uses_imdsv2, - control.iam_group_user_role_no_inline_policies, control.secretsmanager_secret_unused_90_day, - control.iam_user_access_key_age_90, - control.iam_account_password_policy_min_length_14, - control.iam_policy_no_star_star, - control.iam_root_user_no_access_keys, - control.iam_user_in_group, - control.iam_user_mfa_enabled, - control.iam_user_no_inline_attached_policies, + control.secretsmanager_secret_rotated_as_scheduled, + control.secretsmanager_secret_automatic_rotation_enabled, control.iam_user_unused_credentials_90, + control.iam_user_no_inline_attached_policies, + control.iam_user_mfa_enabled, + control.iam_user_in_group, control.iam_user_console_access_mfa_enabled, - control.iam_root_user_hardware_mfa_enabled, + control.iam_user_access_key_age_90, + control.iam_root_user_no_access_keys, control.iam_root_user_mfa_enabled, - control.secretsmanager_secret_automatic_rotation_enabled, - control.secretsmanager_secret_rotated_as_scheduled, - + control.iam_root_user_hardware_mfa_enabled, + control.iam_policy_no_star_star, + control.iam_group_user_role_no_inline_policies, + control.iam_account_password_policy_min_length_14, + control.ec2_instance_uses_imdsv2 ] tags = local.nist_800_53_rev_5_common_tags 
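Review bot: The children of `nist_800_53_rev_5_ac_3_4_b` end up in reverse alphabetical order (`control.secretsmanager_secret_unused_90_day` first, `control.ec2_instance_uses_imdsv2` last), while every other benchmark in this patch — including the sibling `ac_3_4_a` and `ac_3_4_c` blocks with the identical control set — sorts ascending, so this hunk looks like a sort applied in the wrong direction rather than intent. Suggest reordering to match `ac_3_4_a`, beginning `control.ec2_instance_uses_imdsv2,` `control.iam_account_password_policy_min_length_14,` `control.iam_group_user_role_no_inline_policies,` and continuing in the same sequence. Since all the AC-3(3) and AC-3(4) sub-benchmarks carry the same list, a reader might also appreciate a comment on the parent noting that the per-letter children are intentionally identical.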
@@ -623,21 +616,21 @@ benchmark "nist_800_53_rev_5_ac_3_4_c" { description = "Enforce [Assignment: organization-defined discretionary access policy] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: (c) Change security attributes on subjects, objects, the system, or the system’s components;" children = [ control.ec2_instance_uses_imdsv2, - control.iam_group_user_role_no_inline_policies, - control.secretsmanager_secret_unused_90_day, - control.iam_user_access_key_age_90, control.iam_account_password_policy_min_length_14, + control.iam_group_user_role_no_inline_policies, control.iam_policy_no_star_star, + control.iam_root_user_hardware_mfa_enabled, + control.iam_root_user_mfa_enabled, control.iam_root_user_no_access_keys, + control.iam_user_access_key_age_90, + control.iam_user_console_access_mfa_enabled, control.iam_user_in_group, control.iam_user_mfa_enabled, control.iam_user_no_inline_attached_policies, - control.iam_user_unused_credentials_90, - control.iam_user_console_access_mfa_enabled, - control.iam_root_user_hardware_mfa_enabled, - control.iam_root_user_mfa_enabled, + control.iam_user_unused_credentials_90, control.secretsmanager_secret_automatic_rotation_enabled, control.secretsmanager_secret_rotated_as_scheduled, + control.secretsmanager_secret_unused_90_day, ] tags = local.nist_800_53_rev_5_common_tags 
@@ -648,21 +641,21 @@ benchmark "nist_800_53_rev_5_ac_3_4_d" { description = "Enforce [Assignment: organization-defined discretionary access policy] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: (d) Choose the security attributes to be associated with newly created or revised objects;" children = [ control.ec2_instance_uses_imdsv2, - control.iam_group_user_role_no_inline_policies, - control.iam_user_access_key_age_90, control.iam_account_password_policy_min_length_14, - control.secretsmanager_secret_unused_90_day, + control.iam_group_user_role_no_inline_policies, control.iam_policy_no_star_star, + control.iam_root_user_hardware_mfa_enabled, + control.iam_root_user_mfa_enabled, control.iam_root_user_no_access_keys, + control.iam_user_access_key_age_90, + control.iam_user_console_access_mfa_enabled, control.iam_user_in_group, control.iam_user_mfa_enabled, control.iam_user_no_inline_attached_policies, control.iam_user_unused_credentials_90, - control.iam_user_console_access_mfa_enabled, - control.iam_root_user_hardware_mfa_enabled, - control.iam_root_user_mfa_enabled, control.secretsmanager_secret_automatic_rotation_enabled, control.secretsmanager_secret_rotated_as_scheduled, + control.secretsmanager_secret_unused_90_day, ] tags = local.nist_800_53_rev_5_common_tags 
@@ -673,21 +666,21 @@ benchmark "nist_800_53_rev_5_ac_3_4_e" { description = "Enforce [Assignment: organization-defined discretionary access policy] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: (e) Change the rules governing access." children = [ control.ec2_instance_uses_imdsv2, - control.iam_group_user_role_no_inline_policies, - control.iam_user_access_key_age_90, control.iam_account_password_policy_min_length_14, - control.secretsmanager_secret_unused_90_day, + control.iam_group_user_role_no_inline_policies, control.iam_policy_no_star_star, + control.iam_root_user_hardware_mfa_enabled, + control.iam_root_user_mfa_enabled, control.iam_root_user_no_access_keys, + control.iam_user_access_key_age_90, + control.iam_user_console_access_mfa_enabled, control.iam_user_in_group, control.iam_user_mfa_enabled, control.iam_user_no_inline_attached_policies, control.iam_user_unused_credentials_90, - control.iam_user_console_access_mfa_enabled, - control.iam_root_user_hardware_mfa_enabled, - control.iam_root_user_mfa_enabled, control.secretsmanager_secret_automatic_rotation_enabled, control.secretsmanager_secret_rotated_as_scheduled, + control.secretsmanager_secret_unused_90_day, ] tags = local.nist_800_53_rev_5_common_tags 
@@ -697,15 +690,16 @@ benchmark "nist_800_53_rev_5_ac_3_7" { title = "AC-3(7) Role-Based Access Control" description = "Enforce a role-based access control policy over defined subjects and objects and control access based upon [Assignment: organization-defined roles and users authorized to assume such roles]." children = [ - control.ec2_instance_uses_imdsv2, - control.iam_group_user_role_no_inline_policies, - control.ec2_instance_in_vpc, + control.s3_bucket_restrict_public_read_access, control.dms_replication_instance_not_publicly_accessible, control.ebs_snapshot_not_publicly_restorable, + control.ec2_instance_in_vpc, control.ec2_instance_not_publicly_accessible, + control.ec2_instance_uses_imdsv2, + control.emr_cluster_master_nodes_no_public_ip, control.es_domain_in_vpc, + control.iam_group_user_role_no_inline_policies, control.iam_policy_no_star_star, - control.emr_cluster_master_nodes_no_public_ip, control.iam_root_user_no_access_keys, control.iam_user_in_group, control.iam_user_no_inline_attached_policies, @@ -715,13 +709,11 @@ benchmark "nist_800_53_rev_5_ac_3_7" { control.rds_db_instance_prohibit_public_access, control.rds_db_snapshot_prohibit_public_access, control.redshift_cluster_prohibit_public_access, - control.s3_bucket_restrict_public_read_access, control.s3_bucket_restrict_public_write_access, control.s3_public_access_block_account, control.s3_public_access_block_bucket, control.sagemaker_notebook_instance_direct_internet_access_disabled, control.vpc_subnet_auto_assign_public_ip_disabled, - ] tags = local.nist_800_53_rev_5_common_tags 
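Review bot: In the first hunk of `nist_800_53_rev_5_ac_3_7` the moved line `control.s3_bucket_restrict_public_read_access,` lands at the head of `children`, ahead of `control.dms_replication_instance_not_publicly_accessible`, while the second hunk removes it from its sorted slot; the rest of this commit orders children alphabetically, so this one entry breaks the convention it is establishing. It should sit between `control.redshift_cluster_prohibit_public_access,` and `control.s3_bucket_restrict_public_write_access,`, which is where the second hunk (`@@ -715,13 +709,11 @@`) deleted it from. The list is not otherwise changed, so the fix is a single line move.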
@@ -732,22 +724,21 @@ benchmark "nist_800_53_rev_5_ac_3_8" { description = "Enforce the revocation of access authorizations resulting from changes to the security attributes of subjects and objects based on [Assignment: organization-defined rules governing the timing of revocations of access authorizations]." children = [ control.ec2_instance_uses_imdsv2, - control.iam_group_user_role_no_inline_policies, - control.iam_user_access_key_age_90, control.iam_account_password_policy_min_length_14, - control.secretsmanager_secret_unused_90_day, + control.iam_group_user_role_no_inline_policies, control.iam_policy_no_star_star, + control.iam_root_user_hardware_mfa_enabled, + control.iam_root_user_mfa_enabled, control.iam_root_user_no_access_keys, + control.iam_user_access_key_age_90, + control.iam_user_console_access_mfa_enabled, control.iam_user_in_group, control.iam_user_mfa_enabled, control.iam_user_no_inline_attached_policies, control.iam_user_unused_credentials_90, - control.iam_user_console_access_mfa_enabled, - control.iam_root_user_hardware_mfa_enabled, - control.iam_root_user_mfa_enabled, control.secretsmanager_secret_automatic_rotation_enabled, control.secretsmanager_secret_rotated_as_scheduled, - + control.secretsmanager_secret_unused_90_day, ] tags = local.nist_800_53_rev_5_common_tags @@ -758,9 +749,9 @@ benchmark "nist_800_53_rev_5_ac_3_10" { description = "Employ an audited override of automated access mechanisms under [Assignment: organization-defined conditions] by [Assignment: organization-defined roles]." children = [ control.cloudtrail_multi_region_trail_enabled, - control.cloudtrail_trail_integrated_with_logs, - control.cloudtrail_trail_enabled, control.cloudtrail_s3_data_events_enabled, + control.cloudtrail_trail_enabled, + control.cloudtrail_trail_integrated_with_logs, control.rds_db_instance_logging_enabled, control.redshift_cluster_encryption_logging_enabled, control.s3_bucket_logging_enabled 
@@ -785,21 +776,21 @@ benchmark "nist_800_53_rev_5_ac_3_12_a" { description = "(a) Require applications to assert, as part of the installation process, the access needed to the following system applications and functions: [Assignment: organization-defined system applications and functions];" children = [ control.ec2_instance_uses_imdsv2, - control.iam_group_user_role_no_inline_policies, - control.iam_user_access_key_age_90, control.iam_account_password_policy_min_length_14, - control.secretsmanager_secret_unused_90_day, + control.iam_group_user_role_no_inline_policies, control.iam_policy_no_star_star, + control.iam_root_user_hardware_mfa_enabled, + control.iam_root_user_mfa_enabled, control.iam_root_user_no_access_keys, + control.iam_user_access_key_age_90, + control.iam_user_console_access_mfa_enabled, control.iam_user_in_group, control.iam_user_mfa_enabled, control.iam_user_no_inline_attached_policies, control.iam_user_unused_credentials_90, - control.iam_user_console_access_mfa_enabled, - control.iam_root_user_hardware_mfa_enabled, - control.iam_root_user_mfa_enabled, control.secretsmanager_secret_automatic_rotation_enabled, control.secretsmanager_secret_rotated_as_scheduled, + control.secretsmanager_secret_unused_90_day, ] tags = local.nist_800_53_rev_5_common_tags 
@@ -822,21 +813,21 @@ benchmark "nist_800_53_rev_5_ac_3_13" { description = "Enforce attribute-based access control policy over defined subjects and objects and control access based upon [Assignment: organization-defined attributes to assume access permissions]." children = [ control.ec2_instance_uses_imdsv2, - control.iam_group_user_role_no_inline_policies, - control.iam_user_access_key_age_90, control.iam_account_password_policy_min_length_14, - control.secretsmanager_secret_unused_90_day, + control.iam_group_user_role_no_inline_policies, control.iam_policy_no_star_star, + control.iam_root_user_hardware_mfa_enabled, + control.iam_root_user_mfa_enabled, control.iam_root_user_no_access_keys, + control.iam_user_access_key_age_90, + control.iam_user_console_access_mfa_enabled, control.iam_user_in_group, control.iam_user_mfa_enabled, control.iam_user_no_inline_attached_policies, control.iam_user_unused_credentials_90, - control.iam_user_console_access_mfa_enabled, - control.iam_root_user_hardware_mfa_enabled, - control.iam_root_user_mfa_enabled, control.secretsmanager_secret_automatic_rotation_enabled, control.secretsmanager_secret_rotated_as_scheduled, + control.secretsmanager_secret_unused_90_day, ] tags = local.nist_800_53_rev_5_common_tags 
@@ -858,21 +849,21 @@ benchmark "nist_800_53_rev_5_ac_3_15_a" { description = "(a) Enforce [Assignment: organization-defined mandatory access control policy] over the set of covered subjects and objects specified in the policy;" children = [ control.ec2_instance_uses_imdsv2, - control.iam_group_user_role_no_inline_policies, - control.iam_user_access_key_age_90, control.iam_account_password_policy_min_length_14, + control.iam_group_user_role_no_inline_policies, control.iam_policy_no_star_star, + control.iam_root_user_hardware_mfa_enabled, + control.iam_root_user_mfa_enabled, control.iam_root_user_no_access_keys, + control.iam_user_access_key_age_90, + control.iam_user_console_access_mfa_enabled, control.iam_user_in_group, control.iam_user_mfa_enabled, - control.secretsmanager_secret_unused_90_day, control.iam_user_no_inline_attached_policies, control.iam_user_unused_credentials_90, - control.iam_user_console_access_mfa_enabled, - control.iam_root_user_hardware_mfa_enabled, - control.iam_root_user_mfa_enabled, control.secretsmanager_secret_automatic_rotation_enabled, control.secretsmanager_secret_rotated_as_scheduled, + control.secretsmanager_secret_unused_90_day, ] tags = local.nist_800_53_rev_5_common_tags 
@@ -883,21 +874,21 @@ benchmark "nist_800_53_rev_5_ac_3_15_b" { description = "(b) Enforce [Assignment: organization-defined discretionary access control policy] over the set of covered subjects and objects specified in the policy." children = [ control.ec2_instance_uses_imdsv2, - control.iam_group_user_role_no_inline_policies, - control.iam_user_access_key_age_90, control.iam_account_password_policy_min_length_14, - control.secretsmanager_secret_unused_90_day, + control.iam_group_user_role_no_inline_policies, control.iam_policy_no_star_star, + control.iam_root_user_hardware_mfa_enabled, + control.iam_root_user_mfa_enabled, control.iam_root_user_no_access_keys, + control.iam_user_access_key_age_90, + control.iam_user_console_access_mfa_enabled, control.iam_user_in_group, control.iam_user_mfa_enabled, control.iam_user_no_inline_attached_policies, control.iam_user_unused_credentials_90, - control.iam_user_console_access_mfa_enabled, - control.iam_root_user_hardware_mfa_enabled, - control.iam_root_user_mfa_enabled, control.secretsmanager_secret_automatic_rotation_enabled, control.secretsmanager_secret_rotated_as_scheduled, + control.secretsmanager_secret_unused_90_day, ] tags = local.nist_800_53_rev_5_common_tags 
@@ -907,18 +898,17 @@ benchmark "nist_800_53_rev_5_ac_4" { title = "Information Flow Enforcement (AC-4)" description = "Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on [Assignment: organization-defined information flow control policies]." children = [ - control.es_domain_node_to_node_encryption_enabled, - control.elb_classic_lb_use_tls_https_listeners, + benchmark.nist_800_53_rev_5_ac_4_21, + benchmark.nist_800_53_rev_5_ac_4_22, + benchmark.nist_800_53_rev_5_ac_4_26, + benchmark.nist_800_53_rev_5_ac_4_28, control.apigateway_rest_api_stage_use_ssl_certificate, control.elb_application_lb_redirect_http_request_to_https, control.elb_classic_lb_use_ssl_certificate, + control.elb_classic_lb_use_tls_https_listeners, + control.es_domain_node_to_node_encryption_enabled, control.redshift_cluster_encryption_in_transit_enabled, - control.s3_bucket_enforces_ssl, - benchmark.nist_800_53_rev_5_ac_4_21, - benchmark.nist_800_53_rev_5_ac_4_22, - benchmark.nist_800_53_rev_5_ac_4_26, - benchmark.nist_800_53_rev_5_ac_4_28 - + control.s3_bucket_enforces_ssl ] tags = local.nist_800_53_rev_5_common_tags 
@@ -928,31 +918,31 @@ benchmark "nist_800_53_rev_5_ac_4_21" { title = "AC-4(21) Physical Or Logical Separation Of Infomation Flows" description = "Separate information flows logically or physically using [Assignment: organization-defined mechanisms and/or techniques] to accomplish [Assignment: organization-defined required separations by types of information]." children = [ - control.elb_application_lb_waf_enabled, control.apigateway_stage_use_waf_web_acl, control.autoscaling_launch_config_public_ip_disabled, - control.redshift_cluster_enhanced_vpc_routing_enabled, - control.ec2_instance_in_vpc, - control.vpc_route_table_restrict_public_access_to_igw, - control.ebs_snapshot_not_publicly_restorable, control.dms_replication_instance_not_publicly_accessible, + control.ebs_snapshot_not_publicly_restorable, + control.ec2_instance_in_vpc, control.ec2_instance_not_publicly_accessible, - control.es_domain_in_vpc, + control.elb_application_lb_waf_enabled, control.emr_cluster_master_nodes_no_public_ip, + control.es_domain_in_vpc, control.lambda_function_in_vpc, control.lambda_function_restrict_public_access, control.rds_db_instance_prohibit_public_access, control.rds_db_snapshot_prohibit_public_access, + control.redshift_cluster_enhanced_vpc_routing_enabled, control.redshift_cluster_prohibit_public_access, - control.vpc_security_group_restrict_ingress_tcp_udp_all, control.s3_bucket_restrict_public_read_access, control.s3_bucket_restrict_public_write_access, control.s3_public_access_block_account, control.s3_public_access_block_bucket, control.sagemaker_notebook_instance_direct_internet_access_disabled, - control.vpc_subnet_auto_assign_public_ip_disabled, control.vpc_default_security_group_restricts_all_traffic, + control.vpc_route_table_restrict_public_access_to_igw, control.vpc_security_group_restrict_ingress_common_ports_all, + control.vpc_security_group_restrict_ingress_tcp_udp_all, + control.vpc_subnet_auto_assign_public_ip_disabled ] tags = 
local.nist_800_53_rev_5_common_tags @@ -962,11 +952,11 @@ benchmark "nist_800_53_rev_5_ac_4_22" { title = "AC-4(22) Access Only" description = "Provide access from a single device to computing platforms, applications, or data residing in multiple different security domains, while preventing information flow between the different security domains." children = [ - control.es_domain_node_to_node_encryption_enabled, - control.elb_classic_lb_use_tls_https_listeners, - control.elb_application_lb_redirect_http_request_to_https, control.apigateway_rest_api_stage_use_ssl_certificate, + control.elb_application_lb_redirect_http_request_to_https, control.elb_classic_lb_use_ssl_certificate, + control.elb_classic_lb_use_tls_https_listeners, + control.es_domain_node_to_node_encryption_enabled, control.redshift_cluster_encryption_in_transit_enabled, control.s3_bucket_enforces_ssl ] @@ -978,17 +968,17 @@ benchmark "nist_800_53_rev_5_ac_4_26" { title = "AC-4(26) Audit Filtering Actions" description = "When transferring information between different security domains, record and audit content filtering actions and results for the information being filtered." children = [ - control.cloudtrail_multi_region_trail_enabled, - control.wafv2_web_acl_logging_enabled, - control.cloudtrail_trail_integrated_with_logs, control.apigateway_stage_logging_enabled, - control.cloudtrail_trail_enabled, + control.cloudtrail_multi_region_trail_enabled, control.cloudtrail_s3_data_events_enabled, + control.cloudtrail_trail_enabled, + control.cloudtrail_trail_integrated_with_logs, control.elb_application_classic_lb_logging_enabled, control.rds_db_instance_logging_enabled, control.redshift_cluster_encryption_logging_enabled, control.s3_bucket_logging_enabled, control.vpc_flow_logs_enabled, + control.wafv2_web_acl_logging_enabled ] tags = local.nist_800_53_rev_5_common_tags 
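Review bot: The `title` context line of `nist_800_53_rev_5_ac_4_21` misspells the control name — `"AC-4(21) Physical Or Logical Separation Of Infomation Flows"` — and since this commit is already touching every line of that block it is the natural place to correct it to `title = "AC-4(21) Physical Or Logical Separation Of Information Flows"`. Titles in this file are the text users see in the benchmark tree, so the typo is user-facing. This hunk's body begins on the previous physical line, but the title line is visible there.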
@@ -1020,8 +1010,8 @@ benchmark "nist_800_53_rev_5_ac_4_28" { } benchmark "nist_800_53_rev_5_ac_5" { - title = benchmark.nist_800_53_rev_4_ac_5.title - description = benchmark.nist_800_53_rev_4_ac_5.description + title = "Separation Of Duties (AC-5)" + description = "Separate duties of individuals to prevent malevolent activity. automate separation of duties and access authorizations." children = [ benchmark.nist_800_53_rev_5_ac_5_b ] @@ -1045,15 +1035,19 @@ benchmark "nist_800_53_rev_5_ac_6" { title = "Least Privilege (AC-6)" description = "Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks." children = [ - control.ec2_instance_uses_imdsv2, - control.iam_group_user_role_no_inline_policies, - control.ec2_instance_in_vpc, + benchmark.nist_800_53_rev_5_ac_6_10, + benchmark.nist_800_53_rev_5_ac_6_2, + benchmark.nist_800_53_rev_5_ac_6_3, + benchmark.nist_800_53_rev_5_ac_6_9, control.dms_replication_instance_not_publicly_accessible, control.ebs_snapshot_not_publicly_restorable, + control.ec2_instance_in_vpc, control.ec2_instance_not_publicly_accessible, + control.ec2_instance_uses_imdsv2, + control.emr_cluster_master_nodes_no_public_ip, control.es_domain_in_vpc, + control.iam_group_user_role_no_inline_policies, control.iam_policy_no_star_star, - control.emr_cluster_master_nodes_no_public_ip, control.iam_root_user_no_access_keys, control.iam_user_in_group, control.iam_user_no_inline_attached_policies, @@ -1069,10 +1063,6 @@ benchmark "nist_800_53_rev_5_ac_6" { control.s3_public_access_block_bucket, control.sagemaker_notebook_instance_direct_internet_access_disabled, control.vpc_subnet_auto_assign_public_ip_disabled, - benchmark.nist_800_53_rev_5_ac_6_2, - benchmark.nist_800_53_rev_5_ac_6_3, - benchmark.nist_800_53_rev_5_ac_6_9, - benchmark.nist_800_53_rev_5_ac_6_10 ] tags = local.nist_800_53_rev_5_common_tags 
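Review bot: The new literal `description` for `nist_800_53_rev_5_ac_5` starts its second sentence in lower case: `"Separate duties of individuals to prevent malevolent activity. automate separation of duties and access authorizations."`. Every other description in this file begins sentences with a capital, so this should read `description = "Separate duties of individuals to prevent malevolent activity. Automate separation of duties and access authorizations."`. Replacing the `benchmark.nist_800_53_rev_4_ac_5.description` reference with a literal also means the two revisions can now drift apart silently; if that is intended, a short comment on the block saying the rev 5 text is maintained independently would help the next editor.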
@@ -1084,7 +1074,7 @@ benchmark "nist_800_53_rev_5_ac_6_2" { children = [ control.iam_all_policy_no_service_wild_card, control.iam_policy_no_star_star, - control.iam_root_user_no_access_keys + control.iam_root_user_no_access_keys, ] tags = merge(local.nist_800_53_rev_5_common_tags, { @@ -1112,9 +1102,9 @@ benchmark "nist_800_53_rev_5_ac_6_9" { description = "Log the execution of privileged functions." children = [ control.cloudtrail_multi_region_trail_enabled, - control.cloudtrail_trail_integrated_with_logs, - control.cloudtrail_trail_enabled, control.cloudtrail_s3_data_events_enabled, + control.cloudtrail_trail_enabled, + control.cloudtrail_trail_integrated_with_logs, control.rds_db_instance_logging_enabled, control.redshift_cluster_encryption_logging_enabled, control.s3_bucket_logging_enabled 
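Review bot: The only change in the `nist_800_53_rev_5_ac_6_2` hunk is adding a trailing comma after `control.iam_root_user_no_access_keys`, yet elsewhere in the same commit trailing commas are being removed — `control.s3_bucket_enforces_ssl` in `ac_4` and `ac_24_1`, `control.vpc_subnet_auto_assign_public_ip_disabled` in `ac_4_21` and `ac_17_b`, `control.iam_user_mfa_enabled` in `ac_7_4`. HCL accepts both forms, so this is purely a consistency issue, but a sort-and-tidy commit should settle on one convention for the whole file rather than flip it block by block. Keeping the trailing comma everywhere gives the smallest future diffs when a control is appended.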
@@ -1139,7 +1129,7 @@ benchmark "nist_800_53_rev_5_ac_6_10" { benchmark "nist_800_53_rev_5_ac_7" { title = "Unsuccessful Logon Attempts (AC-7)" - description = "a. Enforce a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during a [Assignment:organization-defined time period]; and b. Automatically [Selection (one or more): lock the account or node for an [Assignment: organization-defined time period]; lock the account or node until released by an administrator; delay next logon prompt per [Assignment: organization-defined delay algorithm]; notify system administrator; take other[Assignment: organization-defined action]] when the maximum number of unsuccessful attempts is exceeded." + description = "a. Enforce a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during a [Assignment:organization-defined time period]; and b. Automatically [Selection (one or more): lock the account or node for an [Assignment: organization-defined time period]; lock the account or node until released by an administrator; delay next logon prompt per [Assignment: organization-defined delay algorithm]; notify system administrator; take other[Assignment: organization-defined action]] when the maximum number of unsuccessful attempts is exceeded." children = [ benchmark.nist_800_53_rev_5_ac_7_4 ] 
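Review bot: The `-`/`+` pair for the `nist_800_53_rev_5_ac_7` description reads identically here, so the change is presumably whitespace only, and the two spacing defects in the text survive on the new side: `[Assignment:organization-defined time period]` is missing the space after the colon, and `take other[Assignment: organization-defined action]` is missing the space before the bracket. Since the line is being rewritten anyway, this edit should also produce `[Assignment: organization-defined time period]` and `take other [Assignment: organization-defined action]`.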
@@ -1153,12 +1143,12 @@ benchmark "nist_800_53_rev_5_ac_7_4" { title = "AC-7(4) Use Of Alternate Authentication Factor" description = "a. Allow the use of [Assignment: organization-defined authentication factors] that are different from the primary authentication factors after the number of organization-defined consecutive invalid logon attempts have been exceeded; and b. Enforce a limit of [Assignment: organization-defined number] consecutive invalid logon attempts through use of the alternative factors by a user during a [Assignment: organization-defined time period]." children = [ + benchmark.nist_800_53_rev_5_ac_7_4_a, control.iam_account_password_policy_min_length_14, - control.iam_user_mfa_enabled, - control.iam_user_console_access_mfa_enabled, control.iam_root_user_hardware_mfa_enabled, control.iam_root_user_mfa_enabled, - benchmark.nist_800_53_rev_5_ac_7_4_a + control.iam_user_console_access_mfa_enabled, + control.iam_user_mfa_enabled ] tags = merge(local.nist_800_53_rev_5_common_tags, { @@ -1171,10 +1161,10 @@ benchmark "nist_800_53_rev_5_ac_7_4_a" { description = "(a) Allow the use of [Assignment: organization-defined authentication factors] that are different from the primary authentication factors after the number of organization-defined consecutive invalid logon attempts have been exceeded;" children = [ control.iam_account_password_policy_min_length_14, - control.iam_user_mfa_enabled, - control.iam_user_console_access_mfa_enabled, control.iam_root_user_hardware_mfa_enabled, control.iam_root_user_mfa_enabled, + control.iam_user_console_access_mfa_enabled, + control.iam_user_mfa_enabled, ] tags = merge(local.nist_800_53_rev_5_common_tags, { 
@@ -1194,7 +1184,7 @@ benchmark "nist_800_53_rev_5_ac_16" { benchmark "nist_800_53_rev_5_ac_16_b" { title = "AC-16(b)" - description = "b. Ensure that the attribute associations are made and retained with the information;" + description = "b. Ensure that the attribute associations are made and retained with the information." children = [ control.cloudwatch_log_group_retention_period_365 ] @@ -1208,12 +1198,12 @@ benchmark "nist_800_53_rev_5_ac_17" { title = "Remote Access (AC-17)" description = "Authorize remote access systems prior to connection. Enforce remote connection requirements to information systems." children = [ - benchmark.nist_800_53_rev_5_ac_17_b, benchmark.nist_800_53_rev_5_ac_17_1, benchmark.nist_800_53_rev_5_ac_17_2, benchmark.nist_800_53_rev_5_ac_17_4, benchmark.nist_800_53_rev_5_ac_17_9, - benchmark.nist_800_53_rev_5_ac_17_10 + benchmark.nist_800_53_rev_5_ac_17_10, + benchmark.nist_800_53_rev_5_ac_17_b, ] tags = local.nist_800_53_rev_5_common_tags 
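Review bot: The `nist_800_53_rev_5_ac_17` hunk orders the child benchmarks numerically (`ac_17_9` before `ac_17_10`, then `ac_17_b`), whereas the `nist_800_53_rev_5_ac_6` hunk in this same commit orders them lexically (`ac_6_10`, `ac_6_2`, `ac_6_3`, `ac_6_9`). Both lists are being reshuffled for tidiness, so they should follow the same rule; if the intent is alphabetical like the `control.` entries, `ac_17` would become `ac_17_1, ac_17_10, ac_17_2, ac_17_4, ac_17_9, ac_17_b`. A one-line comment at the top of the file stating the chosen ordering would prevent the next reorder from reintroducing the mismatch.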
@@ -1223,27 +1213,27 @@ benchmark "nist_800_53_rev_5_ac_17_b" { title = "AC-17(b)" description = "b. Authorize each type of remote access to the system prior to allowing such connections." children = [ - control.vpc_security_group_restrict_ingress_ssh_all, - control.ec2_instance_in_vpc, control.dms_replication_instance_not_publicly_accessible, control.ebs_snapshot_not_publicly_restorable, + control.ec2_instance_in_vpc, control.ec2_instance_not_publicly_accessible, - control.es_domain_in_vpc, control.emr_cluster_master_nodes_no_public_ip, - control.lambda_function_restrict_public_access, + control.es_domain_in_vpc, control.lambda_function_in_vpc, + control.lambda_function_restrict_public_access, control.rds_db_instance_prohibit_public_access, control.rds_db_snapshot_prohibit_public_access, control.redshift_cluster_prohibit_public_access, - control.vpc_security_group_restrict_ingress_common_ports_all, control.s3_bucket_restrict_public_read_access, control.s3_bucket_restrict_public_write_access, control.s3_public_access_block_account, control.s3_public_access_block_bucket, control.sagemaker_notebook_instance_direct_internet_access_disabled, - control.vpc_subnet_auto_assign_public_ip_disabled, control.vpc_default_security_group_restricts_all_traffic, + control.vpc_security_group_restrict_ingress_common_ports_all, + control.vpc_security_group_restrict_ingress_ssh_all, control.vpc_security_group_restrict_ingress_tcp_udp_all, + control.vpc_subnet_auto_assign_public_ip_disabled ] tags = local.nist_800_53_rev_5_common_tags 
@@ -1253,27 +1243,27 @@ benchmark "nist_800_53_rev_5_ac_17_1" { title = "AC-17(1) Monitoring And Control" description = "Employ automated mechanisms to monitor and control remote access methods." children = [ - control.vpc_security_group_restrict_ingress_ssh_all, - control.ec2_instance_in_vpc, control.dms_replication_instance_not_publicly_accessible, control.ebs_snapshot_not_publicly_restorable, + control.ec2_instance_in_vpc, control.ec2_instance_not_publicly_accessible, - control.es_domain_in_vpc, control.emr_cluster_master_nodes_no_public_ip, + control.es_domain_in_vpc, control.lambda_function_in_vpc, control.lambda_function_restrict_public_access, control.rds_db_instance_prohibit_public_access, control.rds_db_snapshot_prohibit_public_access, control.redshift_cluster_prohibit_public_access, - control.vpc_security_group_restrict_ingress_common_ports_all, - control.s3_public_access_block_account, - control.s3_public_access_block_bucket, control.s3_bucket_restrict_public_read_access, control.s3_bucket_restrict_public_write_access, + control.s3_public_access_block_account, + control.s3_public_access_block_bucket, control.sagemaker_notebook_instance_direct_internet_access_disabled, - control.vpc_subnet_auto_assign_public_ip_disabled, control.vpc_default_security_group_restricts_all_traffic, + control.vpc_security_group_restrict_ingress_common_ports_all, + control.vpc_security_group_restrict_ingress_ssh_all, control.vpc_security_group_restrict_ingress_tcp_udp_all, + control.vpc_subnet_auto_assign_public_ip_disabled, ] tags = local.nist_800_53_rev_5_common_tags 
@@ -1283,10 +1273,10 @@ benchmark "nist_800_53_rev_5_ac_17_2" { title = "AC-17(2) Protection Of Confidentiality And Integrity Using Encryption" description = "Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions." children = [ - control.elb_classic_lb_use_tls_https_listeners, - control.elb_application_lb_redirect_http_request_to_https, control.apigateway_rest_api_stage_use_ssl_certificate, + control.elb_application_lb_redirect_http_request_to_https, control.elb_classic_lb_use_ssl_certificate, + control.elb_classic_lb_use_tls_https_listeners, control.s3_bucket_enforces_ssl, ] @@ -1298,7 +1288,6 @@ benchmark "nist_800_53_rev_5_ac_17_4" { description = "a. Authorize the execution of privileged commands and access to security-relevant information via remote access only in a format that provides assessable evidence and for the following needs: [Assignment: organization-defined needs]; and b. Document the rationale for remote access in the security plan for the system." children = [ benchmark.nist_800_53_rev_5_ac_17_4_a - ] tags = local.nist_800_53_rev_5_common_tags 
@@ -1308,27 +1297,27 @@ benchmark "nist_800_53_rev_5_ac_17_4_a" { title = "AC-17(4)(a)" description = "(a) Authorize the execution of privileged commands and access to security-relevant information via remote access only in a format that provides assessable evidence and for the following needs: [Assignment: organization-defined needs];" children = [ - control.vpc_security_group_restrict_ingress_ssh_all, - control.ec2_instance_in_vpc, control.dms_replication_instance_not_publicly_accessible, control.ebs_snapshot_not_publicly_restorable, + control.ec2_instance_in_vpc, control.ec2_instance_not_publicly_accessible, - control.es_domain_in_vpc, control.emr_cluster_master_nodes_no_public_ip, - control.lambda_function_restrict_public_access, + control.es_domain_in_vpc, control.lambda_function_in_vpc, + control.lambda_function_restrict_public_access, control.rds_db_instance_prohibit_public_access, control.rds_db_snapshot_prohibit_public_access, control.redshift_cluster_prohibit_public_access, - control.vpc_security_group_restrict_ingress_common_ports_all, control.s3_bucket_restrict_public_read_access, control.s3_bucket_restrict_public_write_access, control.s3_public_access_block_account, control.s3_public_access_block_bucket, control.sagemaker_notebook_instance_direct_internet_access_disabled, - control.vpc_subnet_auto_assign_public_ip_disabled, control.vpc_default_security_group_restricts_all_traffic, + control.vpc_security_group_restrict_ingress_common_ports_all, control.vpc_security_group_restrict_ingress_tcp_udp_all, + control.vpc_subnet_auto_assign_public_ip_disabled, + control.vpc_security_group_restrict_ingress_ssh_all, ] tags = local.nist_800_53_rev_5_common_tags 
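Review bot: In `nist_800_53_rev_5_ac_17_4_a` the re-sorted list places `control.vpc_security_group_restrict_ingress_ssh_all,` after `control.vpc_subnet_auto_assign_public_ip_disabled,`, which breaks the alphabetical order the commit otherwise applies (`ssh_all` sorts before `tcp_udp_all`, and both before `vpc_subnet`). The same misplacement appears in the `ac_17_9` and `ac_17_10` hunks that follow, while `ac_17_b` and `ac_17_1` above get it right. In all three blocks the line should move to directly after `control.vpc_security_group_restrict_ingress_common_ports_all,`.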
@@ -1338,27 +1327,27 @@ benchmark "nist_800_53_rev_5_ac_17_9" { title = "AC-17(9) Disconnect Or Disable Access" description = "Provide the capability to disconnect or disable remote access to the system within [Assignment: organization-defined time period]." children = [ - control.vpc_security_group_restrict_ingress_ssh_all, - control.ec2_instance_in_vpc, control.dms_replication_instance_not_publicly_accessible, control.ebs_snapshot_not_publicly_restorable, + control.ec2_instance_in_vpc, control.ec2_instance_not_publicly_accessible, - control.es_domain_in_vpc, control.emr_cluster_master_nodes_no_public_ip, - control.lambda_function_restrict_public_access, + control.es_domain_in_vpc, control.lambda_function_in_vpc, + control.lambda_function_restrict_public_access, control.rds_db_instance_prohibit_public_access, control.rds_db_snapshot_prohibit_public_access, control.redshift_cluster_prohibit_public_access, - control.vpc_security_group_restrict_ingress_common_ports_all, control.s3_bucket_restrict_public_read_access, control.s3_bucket_restrict_public_write_access, control.s3_public_access_block_account, control.s3_public_access_block_bucket, control.sagemaker_notebook_instance_direct_internet_access_disabled, - control.vpc_subnet_auto_assign_public_ip_disabled, control.vpc_default_security_group_restricts_all_traffic, + control.vpc_security_group_restrict_ingress_common_ports_all, control.vpc_security_group_restrict_ingress_tcp_udp_all, + control.vpc_subnet_auto_assign_public_ip_disabled, + control.vpc_security_group_restrict_ingress_ssh_all, ] tags = local.nist_800_53_rev_5_common_tags 
@@ -1368,27 +1357,27 @@ benchmark "nist_800_53_rev_5_ac_17_10" { title = "AC-17(10) Authenticate Remote Commands" description = "Provide the capability to disconnect or disable remote access to the system within [Assignment: organization-defined time period]." children = [ - control.vpc_security_group_restrict_ingress_ssh_all, - control.ec2_instance_in_vpc, control.dms_replication_instance_not_publicly_accessible, control.ebs_snapshot_not_publicly_restorable, + control.ec2_instance_in_vpc, control.ec2_instance_not_publicly_accessible, - control.es_domain_in_vpc, control.emr_cluster_master_nodes_no_public_ip, - control.lambda_function_restrict_public_access, + control.es_domain_in_vpc, control.lambda_function_in_vpc, + control.lambda_function_restrict_public_access, control.rds_db_instance_prohibit_public_access, control.rds_db_snapshot_prohibit_public_access, control.redshift_cluster_prohibit_public_access, - control.vpc_security_group_restrict_ingress_common_ports_all, control.s3_bucket_restrict_public_read_access, control.s3_bucket_restrict_public_write_access, control.s3_public_access_block_account, control.s3_public_access_block_bucket, control.sagemaker_notebook_instance_direct_internet_access_disabled, - control.vpc_subnet_auto_assign_public_ip_disabled, control.vpc_default_security_group_restricts_all_traffic, + control.vpc_security_group_restrict_ingress_common_ports_all, control.vpc_security_group_restrict_ingress_tcp_udp_all, + control.vpc_subnet_auto_assign_public_ip_disabled, + control.vpc_security_group_restrict_ingress_ssh_all ] tags = local.nist_800_53_rev_5_common_tags 
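Review bot: The `description` context line of `nist_800_53_rev_5_ac_17_10` ("Authenticate Remote Commands") is a copy of the AC-17(9) text, `"Provide the capability to disconnect or disable remote access to the system within [Assignment: organization-defined time period]."`, which is unchanged by this commit but is the text the new block will ship with. AC-17(10) is the enhancement about authenticating remote commands, so its description should be replaced with that control statement rather than the disconnect/disable wording of AC-17(9). The duplicated description also means the two benchmarks are indistinguishable in rendered reports apart from their titles.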
@@ -1398,23 +1387,23 @@ benchmark "nist_800_53_rev_5_ac_24" { title = "Access Control Decisions (AC-24)" description = "[Selection: Establish procedures; Implement mechanisms] to ensure [Assignment: organization-defined access control decisions] are applied to each access request prior to access enforcement." children = [ + benchmark.nist_800_53_rev_5_ac_24_1, control.ec2_instance_uses_imdsv2, - control.iam_group_user_role_no_inline_policies, - control.iam_user_access_key_age_90, control.iam_account_password_policy_min_length_14, - control.secretsmanager_secret_unused_90_day, + control.iam_group_user_role_no_inline_policies, control.iam_policy_no_star_star, + control.iam_root_user_hardware_mfa_enabled, + control.iam_root_user_mfa_enabled, control.iam_root_user_no_access_keys, + control.iam_user_access_key_age_90, + control.iam_user_console_access_mfa_enabled, control.iam_user_in_group, control.iam_user_mfa_enabled, control.iam_user_no_inline_attached_policies, control.iam_user_unused_credentials_90, - control.iam_user_console_access_mfa_enabled, - control.iam_root_user_hardware_mfa_enabled, - control.iam_root_user_mfa_enabled, control.secretsmanager_secret_automatic_rotation_enabled, control.secretsmanager_secret_rotated_as_scheduled, - benchmark.nist_800_53_rev_5_ac_24_1 + control.secretsmanager_secret_unused_90_day, ] tags = local.nist_800_53_rev_5_common_tags 
@@ -1424,13 +1413,13 @@ benchmark "nist_800_53_rev_5_ac_24_1" { title = "AC-24(1)" description = "Transmit [Assignment: organization-defined access authorization information] using [Assignment: organization-defined controls] to [Assignment: organization-defined systems] that enforce access control decisions." children = [ - control.es_domain_node_to_node_encryption_enabled, - control.elb_classic_lb_use_tls_https_listeners, - control.elb_application_lb_redirect_http_request_to_https, control.apigateway_rest_api_stage_use_ssl_certificate, + control.elb_application_lb_redirect_http_request_to_https, control.elb_classic_lb_use_ssl_certificate, + control.elb_classic_lb_use_tls_https_listeners, + control.es_domain_node_to_node_encryption_enabled, control.redshift_cluster_encryption_in_transit_enabled, - control.s3_bucket_enforces_ssl, + control.s3_bucket_enforces_ssl ] tags = local.nist_800_53_rev_5_common_tags diff --git a/nist_800_53_rev_5/au.sp b/nist_800_53_rev_5/au.sp index 723dab0f..489becb6 100644 --- a/nist_800_53_rev_5/au.sp +++ b/nist_800_53_rev_5/au.sp 
@@ -34,17 +34,17 @@ benchmark "nist_800_53_rev_5_au_2_b" {
   title = "AU-2(b)"
   description = "b. Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;"
   children = [
-    control.cloudtrail_multi_region_trail_enabled,
-    control.rds_db_instance_logging_enabled,
-    control.wafv2_web_acl_logging_enabled,
     control.apigateway_stage_logging_enabled,
-    control.cloudtrail_trail_integrated_with_logs,
-    control.cloudtrail_trail_enabled,
+    control.cloudtrail_multi_region_trail_enabled,
     control.cloudtrail_s3_data_events_enabled,
+    control.cloudtrail_trail_enabled,
+    control.cloudtrail_trail_integrated_with_logs,
     control.elb_application_classic_lb_logging_enabled,
+    control.rds_db_instance_logging_enabled,
     control.redshift_cluster_encryption_logging_enabled,
     control.s3_bucket_logging_enabled,
-    control.vpc_flow_logs_enabled
+    control.vpc_flow_logs_enabled,
+    control.wafv2_web_acl_logging_enabled,
   ]
   tags = local.nist_800_53_rev_5_common_tags
@@ -70,17 +70,17 @@ benchmark "nist_800_53_rev_5_au_3_a" {
   title = "AU-3(a)"
   description = "Ensure that audit records contain information that establishes the following: a. What type of event occurred;"
   children = [
-    control.cloudtrail_multi_region_trail_enabled,
-    control.wafv2_web_acl_logging_enabled,
     control.apigateway_stage_logging_enabled,
-    control.cloudtrail_trail_integrated_with_logs,
-    control.cloudtrail_trail_enabled,
+    control.cloudtrail_multi_region_trail_enabled,
     control.cloudtrail_s3_data_events_enabled,
+    control.cloudtrail_trail_enabled,
+    control.cloudtrail_trail_integrated_with_logs,
     control.elb_application_classic_lb_logging_enabled,
     control.rds_db_instance_logging_enabled,
     control.redshift_cluster_encryption_logging_enabled,
     control.s3_bucket_logging_enabled,
-    control.vpc_flow_logs_enabled
+    control.vpc_flow_logs_enabled,
+    control.wafv2_web_acl_logging_enabled,
   ]
   tags = local.nist_800_53_rev_5_common_tags
@@ -90,17 +90,17 @@ benchmark "nist_800_53_rev_5_au_3_b" {
   title = "AU-3(b)"
   description = "Ensure that audit records contain information that establishes the following: b. When the event occurred;"
   children = [
-    control.cloudtrail_multi_region_trail_enabled,
-    control.wafv2_web_acl_logging_enabled,
     control.apigateway_stage_logging_enabled,
-    control.cloudtrail_trail_integrated_with_logs,
-    control.cloudtrail_trail_enabled,
+    control.cloudtrail_multi_region_trail_enabled,
     control.cloudtrail_s3_data_events_enabled,
+    control.cloudtrail_trail_enabled,
+    control.cloudtrail_trail_integrated_with_logs,
     control.elb_application_classic_lb_logging_enabled,
     control.rds_db_instance_logging_enabled,
     control.redshift_cluster_encryption_logging_enabled,
     control.s3_bucket_logging_enabled,
-    control.vpc_flow_logs_enabled
+    control.vpc_flow_logs_enabled,
+    control.wafv2_web_acl_logging_enabled,
   ]
   tags = local.nist_800_53_rev_5_common_tags
@@ -110,17 +110,17 @@ benchmark "nist_800_53_rev_5_au_3_c" {
   title = "AU-3(c)"
   description = "Ensure that audit records contain information that establishes the following: c. Where the event occurred;"
   children = [
-    control.cloudtrail_multi_region_trail_enabled,
-    control.wafv2_web_acl_logging_enabled,
     control.apigateway_stage_logging_enabled,
-    control.cloudtrail_trail_integrated_with_logs,
-    control.cloudtrail_trail_enabled,
+    control.cloudtrail_multi_region_trail_enabled,
     control.cloudtrail_s3_data_events_enabled,
+    control.cloudtrail_trail_enabled,
+    control.cloudtrail_trail_integrated_with_logs,
     control.elb_application_classic_lb_logging_enabled,
     control.rds_db_instance_logging_enabled,
     control.redshift_cluster_encryption_logging_enabled,
     control.s3_bucket_logging_enabled,
-    control.vpc_flow_logs_enabled
+    control.vpc_flow_logs_enabled,
+    control.wafv2_web_acl_logging_enabled,
   ]
   tags = local.nist_800_53_rev_5_common_tags
@@ -130,17 +130,17 @@ benchmark "nist_800_53_rev_5_au_3_d" {
   title = "AU-3(d)"
   description = "Ensure that audit records contain information that establishes the following: d. Source of the event;"
   children = [
-    control.cloudtrail_multi_region_trail_enabled,
-    control.wafv2_web_acl_logging_enabled,
     control.apigateway_stage_logging_enabled,
-    control.cloudtrail_trail_integrated_with_logs,
-    control.cloudtrail_trail_enabled,
+    control.cloudtrail_multi_region_trail_enabled,
     control.cloudtrail_s3_data_events_enabled,
+    control.cloudtrail_trail_enabled,
+    control.cloudtrail_trail_integrated_with_logs,
     control.elb_application_classic_lb_logging_enabled,
     control.rds_db_instance_logging_enabled,
     control.redshift_cluster_encryption_logging_enabled,
     control.s3_bucket_logging_enabled,
-    control.vpc_flow_logs_enabled
+    control.vpc_flow_logs_enabled,
+    control.wafv2_web_acl_logging_enabled,
   ]
   tags = local.nist_800_53_rev_5_common_tags
@@ -150,17 +150,17 @@ benchmark "nist_800_53_rev_5_au_3_e" {
   title = "AU-3(e)"
   description = "Ensure that audit records contain information that establishes the following: e. Outcome of the event;"
   children = [
-    control.cloudtrail_multi_region_trail_enabled,
-    control.wafv2_web_acl_logging_enabled,
     control.apigateway_stage_logging_enabled,
-    control.cloudtrail_trail_integrated_with_logs,
-    control.cloudtrail_trail_enabled,
+    control.cloudtrail_multi_region_trail_enabled,
     control.cloudtrail_s3_data_events_enabled,
+    control.cloudtrail_trail_enabled,
+    control.cloudtrail_trail_integrated_with_logs,
     control.elb_application_classic_lb_logging_enabled,
     control.rds_db_instance_logging_enabled,
     control.redshift_cluster_encryption_logging_enabled,
     control.s3_bucket_logging_enabled,
-    control.vpc_flow_logs_enabled
+    control.vpc_flow_logs_enabled,
+    control.wafv2_web_acl_logging_enabled,
   ]
   tags = local.nist_800_53_rev_5_common_tags
@@ -170,16 +170,16 @@ benchmark "nist_800_53_rev_5_au_3_f" {
   title = "AU-3(f)"
   description = "Ensure that audit records contain information that establishes the following: e. Outcome of the event;"
   children = [
-    control.cloudtrail_multi_region_trail_enabled,
-    control.wafv2_web_acl_logging_enabled,
     control.apigateway_stage_logging_enabled,
-    control.cloudtrail_trail_integrated_with_logs,
-    control.cloudtrail_trail_enabled,
+    control.cloudtrail_multi_region_trail_enabled,
     control.cloudtrail_s3_data_events_enabled,
+    control.cloudtrail_trail_enabled,
+    control.cloudtrail_trail_integrated_with_logs,
     control.elb_application_classic_lb_logging_enabled,
     control.rds_db_instance_logging_enabled,
     control.redshift_cluster_encryption_logging_enabled,
-    control.s3_bucket_logging_enabled
+    control.s3_bucket_logging_enabled,
+    control.wafv2_web_acl_logging_enabled,
   ]
   tags = local.nist_800_53_rev_5_common_tags
@@ -236,9 +236,9 @@ benchmark "nist_800_53_rev_5_au_6_1" {
   description = "Integrate audit record review, analysis, and reporting processes using [Assignment: organization-defined automated mechanisms]."
   children = [
     control.cloudtrail_trail_integrated_with_logs,
+    control.cloudwatch_alarm_action_enabled,
     control.guardduty_enabled,
     control.securityhub_enabled,
-    control.cloudwatch_alarm_action_enabled,
   ]
   tags = local.nist_800_53_rev_5_common_tags
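Review bot: The `au_3_f` block keeps `description = "... e. Outcome of the event;"` under `title = "AU-3(f)"`, which repeats the AU-3(e) text; since this commit touches the block it is the place to give item f its own description (the control text for AU-3f, "Identity of any individuals, subjects, or objects/entities associated with the event", is the expected wording but should be checked against the source document). Separately, this is the only AU-3 item whose reordered list omits `control.vpc_flow_logs_enabled` while a–e all include it; if that is not deliberate, add it in sorted position after `control.s3_bucket_logging_enabled,`.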
@@ -248,18 +248,18 @@ benchmark "nist_800_53_rev_5_au_6_3" {
   title = "AU-6(3) Correlate Audit Record Repositories"
   description = "Analyze and correlate audit records across different repositories to gain organization-wide situational awareness."
   children = [
-    control.cloudwatch_log_group_retention_period_365,
-    control.cloudtrail_multi_region_trail_enabled,
-    control.wafv2_web_acl_logging_enabled,
     control.apigateway_stage_logging_enabled,
-    control.cloudtrail_trail_integrated_with_logs,
-    control.cloudtrail_trail_enabled,
+    control.cloudtrail_multi_region_trail_enabled,
     control.cloudtrail_s3_data_events_enabled,
+    control.cloudtrail_trail_enabled,
+    control.cloudtrail_trail_integrated_with_logs,
+    control.cloudwatch_log_group_retention_period_365,
     control.elb_application_classic_lb_logging_enabled,
     control.rds_db_instance_logging_enabled,
     control.redshift_cluster_encryption_logging_enabled,
     control.s3_bucket_logging_enabled,
     control.vpc_flow_logs_enabled,
+    control.wafv2_web_acl_logging_enabled,
   ]
   tags = local.nist_800_53_rev_5_common_tags
@@ -269,18 +269,18 @@ benchmark "nist_800_53_rev_5_au_6_4" {
   title = "AU-6(4) Central Review And Analysis"
   description = "Provide and implement the capability to centrally review and analyze audit records from multiple components within the system."
   children = [
-    control.cloudwatch_log_group_retention_period_365,
-    control.cloudtrail_multi_region_trail_enabled,
-    control.wafv2_web_acl_logging_enabled,
     control.apigateway_stage_logging_enabled,
-    control.cloudtrail_trail_integrated_with_logs,
-    control.cloudtrail_trail_enabled,
+    control.cloudtrail_multi_region_trail_enabled,
     control.cloudtrail_s3_data_events_enabled,
+    control.cloudtrail_trail_enabled,
+    control.cloudtrail_trail_integrated_with_logs,
+    control.cloudwatch_log_group_retention_period_365,
     control.elb_application_classic_lb_logging_enabled,
     control.rds_db_instance_logging_enabled,
     control.redshift_cluster_encryption_logging_enabled,
     control.s3_bucket_logging_enabled,
     control.vpc_flow_logs_enabled,
+    control.wafv2_web_acl_logging_enabled
   ]
   tags = local.nist_800_53_rev_5_common_tags
@@ -291,9 +291,9 @@ benchmark "nist_800_53_rev_5_au_6_5" {
   description = "Integrate analysis of audit records with analysis of [Selection (one or more): vulnerability scanning information; performance data; system monitoring information; [Assignment: organization-defined data/information collected from other sources]] to further enhance the ability to identify inappropriate or unusual activity."
   children = [
     control.cloudtrail_trail_integrated_with_logs,
+    control.cloudwatch_alarm_action_enabled,
     control.guardduty_enabled,
     control.securityhub_enabled,
-    control.cloudwatch_alarm_action_enabled
   ]
   tags = local.nist_800_53_rev_5_common_tags
@@ -303,18 +303,18 @@ benchmark "nist_800_53_rev_5_au_6_6" {
   title = "AU-6(6) Correletion With Physical Monitoring"
   description = "Correlate information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity."
   children = [
-    control.cloudwatch_log_group_retention_period_365,
-    control.cloudtrail_multi_region_trail_enabled,
-    control.wafv2_web_acl_logging_enabled,
     control.apigateway_stage_logging_enabled,
-    control.cloudtrail_trail_integrated_with_logs,
-    control.cloudtrail_trail_enabled,
+    control.cloudtrail_multi_region_trail_enabled,
     control.cloudtrail_s3_data_events_enabled,
+    control.cloudtrail_trail_enabled,
+    control.cloudtrail_trail_integrated_with_logs,
+    control.cloudwatch_log_group_retention_period_365,
     control.elb_application_classic_lb_logging_enabled,
     control.rds_db_instance_logging_enabled,
     control.redshift_cluster_encryption_logging_enabled,
     control.s3_bucket_logging_enabled,
-    control.vpc_flow_logs_enabled
+    control.vpc_flow_logs_enabled,
+    control.wafv2_web_acl_logging_enabled,
   ]
   tags = local.nist_800_53_rev_5_common_tags
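Review bot: The titles carried as context in this and the following hunks contain user-visible typos that the reordering pass could fix at the same time: `title = "AU-6(6) Correletion With Physical Monitoring"` here, `title = "AU-6(9) Correletion With From Nontechnical Sources"` in the `au_6_9` hunk (stray "From" as well), and `title = "AU-12(1) System-Wide And Time-Correlated Audit Trial"` in the `au_12_1` hunk. Suggested replacements: `title = "AU-6(6) Correlation With Physical Monitoring"`, `title = "AU-6(9) Correlation With Information From Nontechnical Sources"`, `title = "AU-12(1) System-Wide And Time-Correlated Audit Trail"`. These strings surface in benchmark output, so the misspellings also hamper searching results by control name.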
@@ -324,24 +324,23 @@ benchmark "nist_800_53_rev_5_au_6_9" {
   title = "AU-6(9) Correletion With From Nontechnical Sources"
   description = "Correlate information from nontechnical sources with audit record information to enhance organization-wide situational awareness."
   children = [
-    control.cloudwatch_log_group_retention_period_365,
-    control.cloudtrail_multi_region_trail_enabled,
-    control.wafv2_web_acl_logging_enabled,
     control.apigateway_stage_logging_enabled,
-    control.cloudtrail_trail_integrated_with_logs,
-    control.cloudtrail_trail_enabled,
+    control.cloudtrail_multi_region_trail_enabled,
     control.cloudtrail_s3_data_events_enabled,
+    control.cloudtrail_trail_enabled,
+    control.cloudtrail_trail_integrated_with_logs,
+    control.cloudwatch_log_group_retention_period_365,
     control.elb_application_classic_lb_logging_enabled,
     control.rds_db_instance_logging_enabled,
     control.redshift_cluster_encryption_logging_enabled,
     control.s3_bucket_logging_enabled,
     control.vpc_flow_logs_enabled,
+    control.wafv2_web_acl_logging_enabled,
   ]
   tags = local.nist_800_53_rev_5_common_tags
 }
-
 benchmark "nist_800_53_rev_5_au_7" {
   title = "Audit Record Reduction And Report Generation (AU-7)"
   description = "Support for real-time audit review, analysis, and reporting requirements without altering original audit records."
@@ -376,17 +375,17 @@ benchmark "nist_800_53_rev_5_au_8_b" {
   title = "AU-8(b)"
   description = "b. Record time stamps for audit records that meet [Assignment: organization-defined granularity of time measurement] and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp."
   children = [
-    control.cloudtrail_multi_region_trail_enabled,
-    control.wafv2_web_acl_logging_enabled,
-    control.cloudtrail_trail_integrated_with_logs,
     control.apigateway_stage_logging_enabled,
-    control.cloudtrail_trail_enabled,
+    control.cloudtrail_multi_region_trail_enabled,
     control.cloudtrail_s3_data_events_enabled,
+    control.cloudtrail_trail_enabled,
+    control.cloudtrail_trail_integrated_with_logs,
     control.elb_application_classic_lb_logging_enabled,
     control.rds_db_instance_logging_enabled,
     control.redshift_cluster_encryption_logging_enabled,
     control.s3_bucket_logging_enabled,
     control.vpc_flow_logs_enabled,
+    control.wafv2_web_acl_logging_enabled,
   ]
   tags = local.nist_800_53_rev_5_common_tags
@@ -432,30 +431,30 @@ benchmark "nist_800_53_rev_5_au_9_3" {
   title = "AU-9(3) Cryptographic Protection"
   description = "Implement cryptographic mechanisms to protect the integrity of audit information and audit tools."
   children = [
-    control.dynamodb_table_encrypted_with_kms_cmk,
-    control.ec2_ebs_default_encryption_enabled,
-    control.es_domain_node_to_node_encryption_enabled,
-    control.elb_classic_lb_use_tls_https_listeners,
-    control.secretsmanager_secret_encrypted_with_kms_cmk,
-    control.rds_db_snapshot_encrypted_at_rest,
-    control.s3_bucket_default_encryption_enabled_kms,
-    control.sagemaker_notebook_instance_encryption_at_rest_enabled,
-    control.sns_topic_encrypted_at_rest,
-    control.elb_application_lb_redirect_http_request_to_https,
-    control.apigateway_stage_cache_encryption_at_rest_enabled,
     control.apigateway_rest_api_stage_use_ssl_certificate,
+    control.apigateway_stage_cache_encryption_at_rest_enabled,
     control.cloudtrail_trail_logs_encrypted_with_kms_cmk,
-    control.log_group_encryption_at_rest_enabled,
+    control.dynamodb_table_encrypted_with_kms_cmk,
+    control.ebs_volume_encryption_at_rest_enabled,
+    control.ec2_ebs_default_encryption_enabled,
     control.efs_file_system_encrypt_data_at_rest,
-    control.es_domain_encryption_at_rest_enabled,
+    control.elb_application_lb_redirect_http_request_to_https,
     control.elb_classic_lb_use_ssl_certificate,
-    control.ebs_volume_encryption_at_rest_enabled,
+    control.elb_classic_lb_use_tls_https_listeners,
+    control.es_domain_encryption_at_rest_enabled,
+    control.es_domain_node_to_node_encryption_enabled,
+    control.log_group_encryption_at_rest_enabled,
     control.rds_db_instance_encryption_at_rest_enabled,
+    control.rds_db_snapshot_encrypted_at_rest,
+    control.redshift_cluster_encryption_in_transit_enabled,
     control.redshift_cluster_encryption_logging_enabled,
     control.redshift_cluster_kms_enabled,
-    control.redshift_cluster_encryption_in_transit_enabled,
+    control.s3_bucket_default_encryption_enabled_kms,
     control.s3_bucket_enforces_ssl,
-    control.sagemaker_endpoint_configuration_encryption_at_rest_enabled
+    control.sagemaker_endpoint_configuration_encryption_at_rest_enabled,
+    control.sagemaker_notebook_instance_encryption_at_rest_enabled,
+    control.secretsmanager_secret_encrypted_with_kms_cmk,
+    control.sns_topic_encrypted_at_rest,
   ]
   tags = local.nist_800_53_rev_5_common_tags
@@ -475,18 +474,18 @@ benchmark "nist_800_53_rev_5_au_10" {
   title = "Non-Repudiation (AU-10)"
   description = "Provide irrefutable evidence that an individual (or process acting on behalf of an individual) has performed [Assignment: organization-defined actions to be covered by non-repudiation]."
   children = [
-    control.cloudwatch_log_group_retention_period_365,
-    control.es_domain_logs_to_cloudwatch,
-    control.cloudtrail_multi_region_trail_enabled,
-    control.rds_db_instance_logging_enabled,
-    control.wafv2_web_acl_logging_enabled,
     control.apigateway_stage_logging_enabled,
-    control.cloudtrail_trail_integrated_with_logs,
-    control.cloudtrail_trail_enabled,
+    control.cloudtrail_multi_region_trail_enabled,
     control.cloudtrail_s3_data_events_enabled,
+    control.cloudtrail_trail_enabled,
+    control.cloudtrail_trail_integrated_with_logs,
+    control.cloudwatch_log_group_retention_period_365,
     control.elb_application_classic_lb_logging_enabled,
+    control.es_domain_logs_to_cloudwatch,
+    control.rds_db_instance_logging_enabled,
     control.redshift_cluster_encryption_logging_enabled,
     control.s3_bucket_logging_enabled,
+    control.wafv2_web_acl_logging_enabled,
   ]
   tags = local.nist_800_53_rev_5_common_tags
@@ -496,8 +495,8 @@ benchmark "nist_800_53_rev_5_au_11" {
   title = "Audit Record Retention (AU-11)"
   description = "Retain audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements."
   children = [
+    benchmark.nist_800_53_rev_5_au_11_1,
     control.cloudwatch_log_group_retention_period_365,
-    benchmark.nist_800_53_rev_5_au_11_1
   ]
   tags = merge(local.nist_800_53_rev_5_common_tags, {
@@ -522,12 +521,12 @@ benchmark "nist_800_53_rev_5_au_12" {
   title = "Audit Record Generation (AU-12)"
   description = "Audit events defined in AU-2. Allow trusted personnel to select which events to audit. Generate audit records for events."
   children = [
-    benchmark.nist_800_53_rev_5_au_12_a,
-    benchmark.nist_800_53_rev_5_au_12_c,
     benchmark.nist_800_53_rev_5_au_12_1,
     benchmark.nist_800_53_rev_5_au_12_2,
     benchmark.nist_800_53_rev_5_au_12_3,
-    benchmark.nist_800_53_rev_5_au_12_4
+    benchmark.nist_800_53_rev_5_au_12_4,
+    benchmark.nist_800_53_rev_5_au_12_a,
+    benchmark.nist_800_53_rev_5_au_12_c,
   ]
   tags = local.nist_800_53_rev_5_common_tags
@@ -537,17 +536,17 @@ benchmark "nist_800_53_rev_5_au_12_a" {
   title = "AU-12(a)"
   description = "a. Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2a on [Assignment: organization-defined system components];"
   children = [
-    control.cloudtrail_multi_region_trail_enabled,
-    control.wafv2_web_acl_logging_enabled,
     control.apigateway_stage_logging_enabled,
-    control.cloudtrail_trail_integrated_with_logs,
-    control.cloudtrail_trail_enabled,
+    control.cloudtrail_multi_region_trail_enabled,
     control.cloudtrail_s3_data_events_enabled,
+    control.cloudtrail_trail_enabled,
+    control.cloudtrail_trail_integrated_with_logs,
     control.elb_application_classic_lb_logging_enabled,
     control.rds_db_instance_logging_enabled,
     control.redshift_cluster_encryption_logging_enabled,
     control.s3_bucket_logging_enabled,
-    control.vpc_flow_logs_enabled
+    control.vpc_flow_logs_enabled,
+    control.wafv2_web_acl_logging_enabled,
   ]
   tags = local.nist_800_53_rev_5_common_tags
@@ -557,17 +556,17 @@ benchmark "nist_800_53_rev_5_au_12_c" {
   title = "AU-12(c)"
   description = "c. Generate audit records for the event types defined in AU-2c that include the audit record content defined in AU-3."
   children = [
-    control.cloudtrail_multi_region_trail_enabled,
-    control.wafv2_web_acl_logging_enabled,
     control.apigateway_stage_logging_enabled,
-    control.cloudtrail_trail_integrated_with_logs,
-    control.cloudtrail_trail_enabled,
+    control.cloudtrail_multi_region_trail_enabled,
     control.cloudtrail_s3_data_events_enabled,
+    control.cloudtrail_trail_enabled,
+    control.cloudtrail_trail_integrated_with_logs,
     control.elb_application_classic_lb_logging_enabled,
     control.rds_db_instance_logging_enabled,
     control.redshift_cluster_encryption_logging_enabled,
     control.s3_bucket_logging_enabled,
-    control.vpc_flow_logs_enabled
+    control.vpc_flow_logs_enabled,
+    control.wafv2_web_acl_logging_enabled,
   ]
   tags = local.nist_800_53_rev_5_common_tags
@@ -577,18 +576,18 @@ benchmark "nist_800_53_rev_5_au_12_1" {
   title = "AU-12(1) System-Wide And Time-Correlated Audit Trial"
   description = "Compile audit records from [Assignment: organization-defined system components] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail]."
   children = [
-    control.cloudwatch_log_group_retention_period_365,
-    control.cloudtrail_multi_region_trail_enabled,
-    control.wafv2_web_acl_logging_enabled,
     control.apigateway_stage_logging_enabled,
-    control.cloudtrail_trail_integrated_with_logs,
-    control.cloudtrail_trail_enabled,
+    control.cloudtrail_multi_region_trail_enabled,
     control.cloudtrail_s3_data_events_enabled,
+    control.cloudtrail_trail_enabled,
+    control.cloudtrail_trail_integrated_with_logs,
+    control.cloudwatch_log_group_retention_period_365,
     control.elb_application_classic_lb_logging_enabled,
     control.rds_db_instance_logging_enabled,
     control.redshift_cluster_encryption_logging_enabled,
     control.s3_bucket_logging_enabled,
     control.vpc_flow_logs_enabled,
+    control.wafv2_web_acl_logging_enabled,
   ]
   tags = local.nist_800_53_rev_5_common_tags
@@ -598,18 +597,18 @@ benchmark "nist_800_53_rev_5_au_12_2" {
   title = "AU-12(2) Standardized Formats"
   description = "Produce a system-wide (logical or physical) audit trail composed of audit records in a standardized format."
   children = [
-    control.cloudwatch_log_group_retention_period_365,
-    control.cloudtrail_multi_region_trail_enabled,
-    control.wafv2_web_acl_logging_enabled,
     control.apigateway_stage_logging_enabled,
-    control.cloudtrail_trail_integrated_with_logs,
-    control.cloudtrail_trail_enabled,
+    control.cloudtrail_multi_region_trail_enabled,
     control.cloudtrail_s3_data_events_enabled,
+    control.cloudtrail_trail_enabled,
+    control.cloudtrail_trail_integrated_with_logs,
+    control.cloudwatch_log_group_retention_period_365,
     control.elb_application_classic_lb_logging_enabled,
     control.rds_db_instance_logging_enabled,
     control.redshift_cluster_encryption_logging_enabled,
     control.s3_bucket_logging_enabled,
     control.vpc_flow_logs_enabled,
+    control.wafv2_web_acl_logging_enabled,
   ]
   tags = local.nist_800_53_rev_5_common_tags
@@ -619,26 +618,26 @@ benchmark "nist_800_53_rev_5_au_12_3" {
   title = "AU-12(3) Changes By Authorized Individuals"
   description = "Provide and implement the capability for [Assignment: organization-defined individuals or roles] to change the logging to be performed on [Assignment: organization-defined system components] based on [Assignment: organization-defined selectable event criteria] within [Assignment: organization-defined time thresholds]."
   children = [
-    control.cloudwatch_log_group_retention_period_365,
-    control.lambda_function_concurrent_execution_limit_configured,
-    control.lambda_function_dead_letter_queue_configured,
-    control.cloudtrail_multi_region_trail_enabled,
-    control.rds_db_instance_and_cluster_enhanced_monitoring_enabled,
-    control.rds_db_instance_logging_enabled,
-    control.securityhub_enabled,
-    control.wafv2_web_acl_logging_enabled,
     control.apigateway_stage_logging_enabled,
     control.autoscaling_group_with_lb_use_health_check,
-    control.elastic_beanstalk_enhanced_health_reporting_enabled,
-    control.cloudtrail_trail_integrated_with_logs,
-    control.cloudtrail_trail_enabled,
+    control.cloudtrail_multi_region_trail_enabled,
     control.cloudtrail_s3_data_events_enabled,
+    control.cloudtrail_trail_enabled,
+    control.cloudtrail_trail_integrated_with_logs,
     control.cloudwatch_alarm_action_enabled,
+    control.cloudwatch_log_group_retention_period_365,
+    control.elastic_beanstalk_enhanced_health_reporting_enabled,
     control.elb_application_classic_lb_logging_enabled,
     control.guardduty_enabled,
+    control.lambda_function_concurrent_execution_limit_configured,
+    control.lambda_function_dead_letter_queue_configured,
+    control.rds_db_instance_and_cluster_enhanced_monitoring_enabled,
+    control.rds_db_instance_logging_enabled,
     control.redshift_cluster_encryption_logging_enabled,
     control.s3_bucket_logging_enabled,
-    control.vpc_flow_logs_enabled
+    control.securityhub_enabled,
+    control.vpc_flow_logs_enabled,
+    control.wafv2_web_acl_logging_enabled,
   ]
   tags = local.nist_800_53_rev_5_common_tags
@@ -648,17 +647,17 @@ benchmark "nist_800_53_rev_5_au_12_4" {
   title = "AU-12(4) Query Parameter Audits Of Personally Identifiable Information"
   description = "Provide and implement the capability for auditing the parameters of user query events for data sets containing personally identifiable information."
   children = [
-    control.cloudtrail_multi_region_trail_enabled,
-    control.rds_db_instance_logging_enabled,
-    control.wafv2_web_acl_logging_enabled,
     control.apigateway_stage_logging_enabled,
-    control.cloudtrail_trail_integrated_with_logs,
-    control.cloudtrail_trail_enabled,
+    control.cloudtrail_multi_region_trail_enabled,
     control.cloudtrail_s3_data_events_enabled,
+    control.cloudtrail_trail_enabled,
+    control.cloudtrail_trail_integrated_with_logs,
     control.elb_application_classic_lb_logging_enabled,
+    control.rds_db_instance_logging_enabled,
     control.redshift_cluster_encryption_logging_enabled,
     control.s3_bucket_logging_enabled,
     control.vpc_flow_logs_enabled,
+    control.wafv2_web_acl_logging_enabled,
   ]
   tags = local.nist_800_53_rev_5_common_tags
@@ -668,9 +667,9 @@ benchmark "nist_800_53_rev_5_au_14" {
   title = "Session Audit (AU-14)"
   description = "Capture, record and log user sessions. Remotely view all content related to a user session that starts at system start-up."
   children = [
-    benchmark.nist_800_53_rev_5_au_14_a,
-    benchmark.nist_800_53_rev_5_au_14_b,
     benchmark.nist_800_53_rev_5_au_14_3,
+    benchmark.nist_800_53_rev_5_au_14_a,
+    benchmark.nist_800_53_rev_5_au_14_b
   ]
   tags = local.nist_800_53_rev_5_common_tags
@@ -680,26 +679,26 @@ benchmark "nist_800_53_rev_5_au_14_a" {
   title = "AU-14(a)"
   description = "a. Provide and implement the capability for [Assignment: organization-defined users or roles] to [Selection (one or more): record; view; hear; log] the content of a user session under [Assignment: organization-defined circumstances];"
   children = [
-    control.cloudwatch_log_group_retention_period_365,
-    control.lambda_function_concurrent_execution_limit_configured,
-    control.lambda_function_dead_letter_queue_configured,
-    control.cloudtrail_multi_region_trail_enabled,
-    control.rds_db_instance_and_cluster_enhanced_monitoring_enabled,
-    control.rds_db_instance_logging_enabled,
-    control.securityhub_enabled,
-    control.wafv2_web_acl_logging_enabled,
     control.apigateway_stage_logging_enabled,
     control.autoscaling_group_with_lb_use_health_check,
-    control.elastic_beanstalk_enhanced_health_reporting_enabled,
-    control.cloudtrail_trail_integrated_with_logs,
-    control.cloudtrail_trail_enabled,
+    control.cloudtrail_multi_region_trail_enabled,
     control.cloudtrail_s3_data_events_enabled,
+    control.cloudtrail_trail_enabled,
+    control.cloudtrail_trail_integrated_with_logs,
     control.cloudwatch_alarm_action_enabled,
+    control.cloudwatch_log_group_retention_period_365,
+    control.elastic_beanstalk_enhanced_health_reporting_enabled,
     control.elb_application_classic_lb_logging_enabled,
     control.guardduty_enabled,
+    control.lambda_function_concurrent_execution_limit_configured,
+    control.lambda_function_dead_letter_queue_configured,
+    control.rds_db_instance_and_cluster_enhanced_monitoring_enabled,
+    control.rds_db_instance_logging_enabled,
     control.redshift_cluster_encryption_logging_enabled,
     control.s3_bucket_logging_enabled,
-    control.vpc_flow_logs_enabled
+    control.securityhub_enabled,
+    control.vpc_flow_logs_enabled,
+    control.wafv2_web_acl_logging_enabled,
   ]
   tags = local.nist_800_53_rev_5_common_tags
@@ -709,26 +708,26 @@ benchmark "nist_800_53_rev_5_au_14_b" {
   title = "AU-14(b)"
   description = "b. Develop, integrate, and use session auditing activities in consultation with legal counsel and in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines."
   children = [
-    control.cloudwatch_log_group_retention_period_365,
-    control.lambda_function_concurrent_execution_limit_configured,
-    control.lambda_function_dead_letter_queue_configured,
-    control.cloudtrail_multi_region_trail_enabled,
-    control.rds_db_instance_and_cluster_enhanced_monitoring_enabled,
-    control.rds_db_instance_logging_enabled,
-    control.securityhub_enabled,
-    control.wafv2_web_acl_logging_enabled,
     control.apigateway_stage_logging_enabled,
     control.autoscaling_group_with_lb_use_health_check,
-    control.elastic_beanstalk_enhanced_health_reporting_enabled,
-    control.cloudtrail_trail_integrated_with_logs,
-    control.cloudtrail_trail_enabled,
+    control.cloudtrail_multi_region_trail_enabled,
     control.cloudtrail_s3_data_events_enabled,
+    control.cloudtrail_trail_enabled,
+    control.cloudtrail_trail_integrated_with_logs,
     control.cloudwatch_alarm_action_enabled,
+    control.cloudwatch_log_group_retention_period_365,
+    control.elastic_beanstalk_enhanced_health_reporting_enabled,
     control.elb_application_classic_lb_logging_enabled,
     control.guardduty_enabled,
+    control.lambda_function_concurrent_execution_limit_configured,
+    control.lambda_function_dead_letter_queue_configured,
+    control.rds_db_instance_and_cluster_enhanced_monitoring_enabled,
+    control.rds_db_instance_logging_enabled,
     control.redshift_cluster_encryption_logging_enabled,
     control.s3_bucket_logging_enabled,
-    control.vpc_flow_logs_enabled
+    control.securityhub_enabled,
+    control.vpc_flow_logs_enabled,
+    control.wafv2_web_acl_logging_enabled,
   ]
   tags = local.nist_800_53_rev_5_common_tags
@@ -738,17 +737,17 @@ benchmark "nist_800_53_rev_5_au_14_3" {
   title = "AU-14(3) Remote Viewing And Listening"
   description = "Provide and implement the capability for authorized users to remotely view and hear content related to an established user session in real time."
   children = [
-    control.cloudtrail_multi_region_trail_enabled,
-    control.rds_db_instance_logging_enabled,
-    control.wafv2_web_acl_logging_enabled,
     control.apigateway_stage_logging_enabled,
-    control.cloudtrail_trail_integrated_with_logs,
-    control.cloudtrail_trail_enabled,
+    control.cloudtrail_multi_region_trail_enabled,
     control.cloudtrail_s3_data_events_enabled,
+    control.cloudtrail_trail_enabled,
+    control.cloudtrail_trail_integrated_with_logs,
     control.elb_application_classic_lb_logging_enabled,
+    control.rds_db_instance_logging_enabled,
     control.redshift_cluster_encryption_logging_enabled,
     control.s3_bucket_logging_enabled,
     control.vpc_flow_logs_enabled,
+    control.wafv2_web_acl_logging_enabled,
   ]
   tags = local.nist_800_53_rev_5_common_tags
diff --git a/nist_800_53_rev_5/ca.sp b/nist_800_53_rev_5/ca.sp
index 0a72dfb7..b887ab37 100644
--- a/nist_800_53_rev_5/ca.sp
+++ b/nist_800_53_rev_5/ca.sp
@@ -25,11 +25,11 @@ benchmark "nist_800_53_rev_5_ca_2_2" {
   title = "CA-2(2) Specialized Assessments"
   description = "Include as part of control assessments, [Assignment: organization-defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; security instrumentation; automated security test cases; vulnerability scanning; malicious user testing; insider threat assessment; performance and load testing; data leakage or data loss assessment; [Assignment: organization-defined other forms of assessment]]."
   children = [
-    control.lambda_function_dead_letter_queue_configured,
-    control.rds_db_instance_and_cluster_enhanced_monitoring_enabled,
     control.autoscaling_group_with_lb_use_health_check,
-    control.elastic_beanstalk_enhanced_health_reporting_enabled,
     control.cloudwatch_alarm_action_enabled,
+    control.elastic_beanstalk_enhanced_health_reporting_enabled,
+    control.lambda_function_dead_letter_queue_configured,
+    control.rds_db_instance_and_cluster_enhanced_monitoring_enabled
   ]
   tags = local.nist_800_53_rev_5_common_tags
@@ -50,16 +50,16 @@ benchmark "nist_800_53_rev_5_ca_7" {
 title = "Continuous Monitoring (CA-7)"
 description = "Continuously monitor configuration management processes. Determine security impact, environment and operational risks."
 children = [
- control.lambda_function_concurrent_execution_limit_configured,
- control.lambda_function_dead_letter_queue_configured,
- control.rds_db_instance_and_cluster_enhanced_monitoring_enabled,
- control.securityhub_enabled,
+ benchmark.nist_800_53_rev_5_ca_7_4,
+ benchmark.nist_800_53_rev_5_ca_7_b,
 control.autoscaling_group_with_lb_use_health_check,
- control.elastic_beanstalk_enhanced_health_reporting_enabled,
 control.cloudwatch_alarm_action_enabled,
+ control.elastic_beanstalk_enhanced_health_reporting_enabled,
 control.guardduty_enabled,
- benchmark.nist_800_53_rev_5_ca_7_4,
- benchmark.nist_800_53_rev_5_ca_7_b
+ control.lambda_function_concurrent_execution_limit_configured,
+ control.lambda_function_dead_letter_queue_configured,
+ control.rds_db_instance_and_cluster_enhanced_monitoring_enabled,
+ control.securityhub_enabled
 ]
 tags = local.nist_800_53_rev_5_common_tags
@@ -69,26 +69,26 @@ benchmark "nist_800_53_rev_5_ca_7_b" {
 title = "CA-7(b)"
 description = "Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes: b. Establishing [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessment of control effectiveness;"
 children = [
- control.cloudwatch_log_group_retention_period_365,
- control.lambda_function_concurrent_execution_limit_configured,
- control.lambda_function_dead_letter_queue_configured,
- control.cloudtrail_multi_region_trail_enabled,
- control.rds_db_instance_and_cluster_enhanced_monitoring_enabled,
- control.rds_db_instance_logging_enabled,
- control.securityhub_enabled,
- control.wafv2_web_acl_logging_enabled,
 control.apigateway_stage_logging_enabled,
 control.autoscaling_group_with_lb_use_health_check,
- control.elastic_beanstalk_enhanced_health_reporting_enabled,
- control.cloudtrail_trail_integrated_with_logs,
- control.cloudtrail_trail_enabled,
+ control.cloudtrail_multi_region_trail_enabled,
 control.cloudtrail_s3_data_events_enabled,
+ control.cloudtrail_trail_enabled,
+ control.cloudtrail_trail_integrated_with_logs,
 control.cloudwatch_alarm_action_enabled,
+ control.cloudwatch_log_group_retention_period_365,
+ control.elastic_beanstalk_enhanced_health_reporting_enabled,
 control.elb_application_classic_lb_logging_enabled,
 control.guardduty_enabled,
+ control.lambda_function_concurrent_execution_limit_configured,
+ control.lambda_function_dead_letter_queue_configured,
+ control.rds_db_instance_and_cluster_enhanced_monitoring_enabled,
+ control.rds_db_instance_logging_enabled,
 control.redshift_cluster_encryption_logging_enabled,
 control.s3_bucket_logging_enabled,
- control.vpc_flow_logs_enabled
+ control.securityhub_enabled,
+ control.vpc_flow_logs_enabled,
+ control.wafv2_web_acl_logging_enabled
 ]
 tags = local.nist_800_53_rev_5_common_tags
@@ -129,13 +129,13 @@ benchmark "nist_800_53_rev_5_ca_9_b" {
 title = "CA-9(b)"
 description = "b. Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated;"
 children = [
- control.es_domain_node_to_node_encryption_enabled,
- control.elb_classic_lb_use_tls_https_listeners,
- control.elb_application_lb_redirect_http_request_to_https,
 control.apigateway_rest_api_stage_use_ssl_certificate,
+ control.elb_application_lb_redirect_http_request_to_https,
 control.elb_classic_lb_use_ssl_certificate,
+ control.elb_classic_lb_use_tls_https_listeners,
+ control.es_domain_node_to_node_encryption_enabled,
 control.redshift_cluster_encryption_in_transit_enabled,
- control.s3_bucket_enforces_ssl
+ control.s3_bucket_enforces_ssl,
 ]
 tags = local.nist_800_53_rev_5_common_tags
diff --git a/nist_800_53_rev_5/cm.sp b/nist_800_53_rev_5/cm.sp
index 23470d42..e4377295 100644
--- a/nist_800_53_rev_5/cm.sp
+++ b/nist_800_53_rev_5/cm.sp
@@ -19,10 +19,9 @@ benchmark "nist_800_53_rev_5_cm_2" {
 title = "Baseline Configuration (CM-2)"
 description = "The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system."
 children = [
+ benchmark.nist_800_53_rev_5_cm_2_2,
 benchmark.nist_800_53_rev_5_cm_2_a,
- benchmark.nist_800_53_rev_5_cm_2_b,
- benchmark.nist_800_53_rev_5_cm_2_2
-
+ benchmark.nist_800_53_rev_5_cm_2_b
 ]
 tags = local.nist_800_53_rev_5_common_tags
@@ -32,11 +31,11 @@ benchmark "nist_800_53_rev_5_cm_2_a" {
 title = "CM-2(a)"
 description = "a. Develop, document, and maintain under configuration control, a current baseline configuration of the system;"
 children = [
+ control.ebs_volume_unsued,
 control.ec2_instance_ssm_managed,
- control.ssm_managed_instance_compliance_association_compliant,
 control.ec2_stopped_instance_30_days,
- control.ebs_volume_unsued,
 control.elb_application_lb_deletion_protection_enabled,
+ control.ssm_managed_instance_compliance_association_compliant,
 control.vpc_security_group_restrict_ingress_common_ports_all,
 ]
@@ -47,16 +46,15 @@ benchmark "nist_800_53_rev_5_cm_2_b" {
 title = "CM-2(b)"
 description = "b. Review and update the baseline configuration of the system: 1. [Assignment: organization-defined frequency]; 2. When required due to [Assignment: organization-defined circumstances]; and 3. When system components are installed or upgraded."
 children = [
+ benchmark.nist_800_53_rev_5_cm_2_b_1,
+ benchmark.nist_800_53_rev_5_cm_2_b_2,
+ benchmark.nist_800_53_rev_5_cm_2_b_3,
+ control.account_part_of_organizations,
+ control.ebs_volume_unsued,
 control.ec2_instance_ssm_managed,
- control.ssm_managed_instance_compliance_association_compliant,
 control.ec2_stopped_instance_30_days,
- control.ebs_volume_unsued,
- control.account_part_of_organizations,
 control.redshift_cluster_maintenance_settings_check,
- benchmark.nist_800_53_rev_5_cm_2_b_1,
- benchmark.nist_800_53_rev_5_cm_2_b_2,
- benchmark.nist_800_53_rev_5_cm_2_b_3
-
+ control.ssm_managed_instance_compliance_association_compliant,
 ]
 tags = local.nist_800_53_rev_5_common_tags
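Review bot: `control.ebs_volume_unsued` on the new side of this hunk reads like a misspelling of `ebs_volume_unused`, and the same reference is moved again in cm_2_b, cm_2_b_1, cm_2_b_2, cm_2_2, cm_3_3 and cm_8_6. If the control is declared with that spelling elsewhere in the mod the references resolve today, but the name then disagrees with the `_unused_` naming of its siblings (`iam_user_unused_credentials_90`, `secretsmanager_secret_unused_90_day`); if it is not declared that way, the mod will not load. Since this commit already touches every line that references it, a follow-up that renames the declaration and these references together would be cheap, and I would not fold it into a pure re-sort commit.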
@@ -66,12 +64,12 @@ benchmark "nist_800_53_rev_5_cm_2_b_1" {
 title = "CM-2(b)(1)"
 description = "b. Review and update the baseline configuration of the system: 1. [Assignment: organization-defined frequency];"
 children = [
- control.ec2_instance_ssm_managed,
 control.account_part_of_organizations,
- control.ssm_managed_instance_compliance_association_compliant,
- control.ec2_stopped_instance_30_days,
 control.ebs_volume_unsued,
+ control.ec2_instance_ssm_managed,
+ control.ec2_stopped_instance_30_days,
 control.redshift_cluster_maintenance_settings_check,
+ control.ssm_managed_instance_compliance_association_compliant,
 ]
 tags = local.nist_800_53_rev_5_common_tags
@@ -81,12 +79,12 @@ benchmark "nist_800_53_rev_5_cm_2_b_2" {
 title = "CM-2(b)(2)"
 description = "b. Review and update the baseline configuration of the system: 2. When required due to [Assignment: organization-defined circumstances];"
 children = [
- control.ec2_instance_ssm_managed,
 control.account_part_of_organizations,
- control.ssm_managed_instance_compliance_association_compliant,
- control.ec2_stopped_instance_30_days,
 control.ebs_volume_unsued,
+ control.ec2_instance_ssm_managed,
+ control.ec2_stopped_instance_30_days,
 control.redshift_cluster_maintenance_settings_check,
+ control.ssm_managed_instance_compliance_association_compliant,
 ]
 tags = local.nist_800_53_rev_5_common_tags
@@ -111,11 +109,11 @@ benchmark "nist_800_53_rev_5_cm_2_2" {
 title = "CM-2(2) Automation Support For AccuracyY And Currency"
 description = "Maintain the currency, completeness, accuracy, and availability of the baseline configuration of the system using [Assignment: organization-defined automated mechanisms]."
 children = [
+ control.ebs_volume_unsued,
 control.ec2_instance_ssm_managed,
- control.ssm_managed_instance_compliance_association_compliant,
 control.ec2_stopped_instance_30_days,
- control.ebs_volume_unsued,
 control.elb_application_lb_deletion_protection_enabled,
+ control.ssm_managed_instance_compliance_association_compliant,
 control.vpc_security_group_restrict_ingress_common_ports_all
 ]
@@ -126,8 +124,8 @@ benchmark "nist_800_53_rev_5_cm_3" {
 title = "Configuration Change Control (CM-3)"
 description = "The organization authorizes, documents, and controls changes to the information system."
 children = [
- benchmark.nist_800_53_rev_5_cm_3_a,
- benchmark.nist_800_53_rev_5_cm_3_3
+ benchmark.nist_800_53_rev_5_cm_3_3,
+ benchmark.nist_800_53_rev_5_cm_3_a
 ]
 tags = local.nist_800_53_rev_5_common_tags
@@ -148,12 +146,12 @@ benchmark "nist_800_53_rev_5_cm_3_3" {
 title = "CM-3(3) Automated Change Implementation"
 description = "Implement changes to the current system baseline and deploy the updated baseline across the installed base using [Assignment: organization-defined automated mechanisms]."
 children = [
- control.ec2_instance_ssm_managed,
- control.ssm_managed_instance_compliance_association_compliant,
- control.ec2_stopped_instance_30_days,
 control.account_part_of_organizations,
 control.ebs_volume_unsued,
+ control.ec2_instance_ssm_managed,
+ control.ec2_stopped_instance_30_days,
 control.redshift_cluster_maintenance_settings_check,
+ control.ssm_managed_instance_compliance_association_compliant,
 ]
 tags = local.nist_800_53_rev_5_common_tags
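Review bot: The title context line of the cm_2_2 hunk still carries a doubled letter, `"CM-2(2) Automation Support For AccuracyY And Currency"`, and this title is what users see in the benchmark tree and reports. Since the block is being rewritten in this commit anyway, `title = "CM-2(2) Automation Support For Accuracy And Currency"` is a one-line fix that belongs in the same change. The enclosing benchmark block starts at the hunk header and its closing brace is outside the hunk.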
@@ -184,24 +182,24 @@ benchmark "nist_800_53_rev_5_cm_5_1_a" {
 title = "CM-5(1)(a)"
 description = "(a) Enforce access restrictions using [Assignment: organization-defined automated mechanisms];"
 children = [
- control.ec2_instance_uses_imdsv2,
 control.ec2_instance_iam_profile_attached,
+ control.ec2_instance_uses_imdsv2,
 control.ecs_task_definition_user_for_host_mode_check,
- control.iam_group_user_role_no_inline_policies,
- control.secretsmanager_secret_unused_90_day,
- control.iam_all_policy_no_service_wild_card,
- control.iam_user_access_key_age_90,
 control.iam_account_password_policy_min_length_14,
+ control.iam_all_policy_no_service_wild_card,
+ control.iam_group_user_role_no_inline_policies,
 control.iam_policy_no_star_star,
+ control.iam_root_user_hardware_mfa_enabled,
 control.iam_root_user_no_access_keys,
+ control.iam_user_access_key_age_90,
+ control.iam_user_console_access_mfa_enabled,
 control.iam_user_in_group,
 control.iam_user_mfa_enabled,
 control.iam_user_no_inline_attached_policies,
 control.iam_user_unused_credentials_90,
- control.iam_user_console_access_mfa_enabled,
- control.iam_root_user_hardware_mfa_enabled,
 control.secretsmanager_secret_automatic_rotation_enabled,
- control.secretsmanager_secret_rotated_as_scheduled
+ control.secretsmanager_secret_rotated_as_scheduled,
+ control.secretsmanager_secret_unused_90_day,
 ]
@@ -212,18 +210,17 @@ benchmark "nist_800_53_rev_5_cm_5_1_b" {
 title = "CM-5(1)(b)"
 description = "(b) Automatically generate audit records of the enforcement actions."
 children = [
- control.cloudtrail_multi_region_trail_enabled,
- control.wafv2_web_acl_logging_enabled,
 control.apigateway_stage_logging_enabled,
- control.cloudtrail_trail_integrated_with_logs,
- control.cloudtrail_trail_enabled,
+ control.cloudtrail_multi_region_trail_enabled,
 control.cloudtrail_s3_data_events_enabled,
+ control.cloudtrail_trail_enabled,
+ control.cloudtrail_trail_integrated_with_logs,
 control.elb_application_classic_lb_logging_enabled,
 control.rds_db_instance_logging_enabled,
 control.redshift_cluster_encryption_logging_enabled,
 control.s3_bucket_logging_enabled,
- control.vpc_flow_logs_enabled
-
+ control.vpc_flow_logs_enabled,
+ control.wafv2_web_acl_logging_enabled
 ]
 tags = local.nist_800_53_rev_5_common_tags
@@ -233,9 +230,9 @@ benchmark "nist_800_53_rev_5_cm_6" {
 title = "Configuration Settings (CM-6)"
 description = "The organization: (i) establishes mandatory configuration settings for information technology products employed within the information system; (ii) configures the security settings of information technology products to the most restrictive mode consistent with operational requirements; (iii) documents the configuration settings; and (iv) enforces the configuration settings in all components of the information system"
 children = [
+ benchmark.nist_800_53_rev_5_cm_6_a,
 control.ec2_instance_ssm_managed,
- control.ssm_managed_instance_compliance_association_compliant,
- benchmark.nist_800_53_rev_5_cm_6_a
+ control.ssm_managed_instance_compliance_association_compliant
 ]
 tags = local.nist_800_53_rev_5_common_tags
@@ -245,39 +242,39 @@ benchmark "nist_800_53_rev_5_cm_6_a" {
 title = "CM-6(a)"
 description = "a. Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using [Assignment: organization-defined common secure configurations];"
 children = [
- control.autoscaling_launch_config_public_ip_disabled,
- control.kms_cmk_rotation_enabled,
- control.ec2_instance_iam_profile_attached,
- control.ec2_ebs_default_encryption_enabled,
- control.iam_group_user_role_no_inline_policies,
- control.cloudtrail_multi_region_trail_enabled,
- control.iam_user_access_key_age_90,
 control.account_part_of_organizations,
 control.autoscaling_group_with_lb_use_health_check,
+ control.autoscaling_launch_config_public_ip_disabled,
+ control.cloudtrail_multi_region_trail_enabled,
+ control.cloudtrail_s3_data_events_enabled,
 control.cloudtrail_trail_integrated_with_logs,
 control.cloudtrail_trail_logs_encrypted_with_kms_cmk,
 control.cloudtrail_trail_validation_enabled,
- control.cloudtrail_s3_data_events_enabled,
 control.ebs_attached_volume_encryption_enabled,
+ control.ec2_ebs_default_encryption_enabled,
+ control.ec2_instance_iam_profile_attached,
 control.iam_account_password_policy_min_length_14,
+ control.iam_group_user_role_no_inline_policies,
 control.iam_policy_no_star_star,
+ control.iam_root_user_hardware_mfa_enabled,
+ control.iam_root_user_mfa_enabled,
 control.iam_root_user_no_access_keys,
+ control.iam_user_access_key_age_90,
+ control.iam_user_console_access_mfa_enabled,
 control.iam_user_in_group,
 control.iam_user_no_inline_attached_policies,
 control.iam_user_unused_credentials_90,
- control.iam_user_console_access_mfa_enabled,
- control.vpc_security_group_restrict_ingress_common_ports_all,
- control.iam_root_user_hardware_mfa_enabled,
- control.iam_root_user_mfa_enabled,
- control.s3_public_access_block_account,
- control.s3_bucket_logging_enabled,
- control.s3_bucket_restrict_public_read_access,
- control.s3_bucket_restrict_public_write_access,
+ control.kms_cmk_rotation_enabled,
 control.s3_bucket_cross_region_replication_enabled,
 control.s3_bucket_default_encryption_enabled,
 control.s3_bucket_enforces_ssl,
+ control.s3_bucket_logging_enabled,
+ control.s3_bucket_restrict_public_read_access,
+ control.s3_bucket_restrict_public_write_access,
+ control.s3_public_access_block_account,
 control.vpc_default_security_group_restricts_all_traffic,
- control.vpc_flow_logs_enabled
+ control.vpc_flow_logs_enabled,
+ control.vpc_security_group_restrict_ingress_common_ports_all,
 ]
 tags = local.nist_800_53_rev_5_common_tags
@@ -297,8 +294,8 @@ benchmark "nist_800_53_rev_5_cm_7_b" {
 title = "CM-7(b)"
 description = "b. Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: [Assignment: organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services]."
 children = [
- control.vpc_security_group_restrict_ingress_common_ports_all,
- control.vpc_route_table_restrict_public_access_to_igw
+ control.vpc_route_table_restrict_public_access_to_igw,
+ control.vpc_security_group_restrict_ingress_common_ports_all
 ]
 tags = local.nist_800_53_rev_5_common_tags
@@ -323,13 +320,13 @@ benchmark "nist_800_53_rev_5_cm_8_a" {
 title = "CM-8(a)"
 description = "a. Develop and document an inventory of system components that: 1. Accurately reflects the system; 2. Includes all components within the system; 3. Does not include duplicate accounting of components or components assigned to any other system; 4. Is at the level of granularity deemed necessary for tracking and reporting; and 5. Includes the following information to achieve system component accountability: [Assignment: organization-defined information deemed necessary to achieve effective system component accountability];"
 children = [
- control.ec2_instance_ssm_managed,
- control.ssm_managed_instance_compliance_association_compliant,
 benchmark.nist_800_53_rev_5_cm_8_a_1,
 benchmark.nist_800_53_rev_5_cm_8_a_2,
 benchmark.nist_800_53_rev_5_cm_8_a_3,
 benchmark.nist_800_53_rev_5_cm_8_a_4,
- benchmark.nist_800_53_rev_5_cm_8_a_5
+ benchmark.nist_800_53_rev_5_cm_8_a_5,
+ control.ec2_instance_ssm_managed,
+ control.ssm_managed_instance_compliance_association_compliant
 ]
 tags = local.nist_800_53_rev_5_common_tags
@@ -340,7 +337,7 @@ benchmark "nist_800_53_rev_5_cm_8_a_1" {
 description = "a. Develop and document an inventory of system components that: 1. Accurately reflects the system;"
 children = [
 control.ec2_instance_ssm_managed,
- control.ssm_managed_instance_compliance_association_compliant,
+ control.ssm_managed_instance_compliance_association_compliant
 ]
 tags = local.nist_800_53_rev_5_common_tags
@@ -351,7 +348,7 @@ benchmark "nist_800_53_rev_5_cm_8_a_2" {
 description = "a. Develop and document an inventory of system components that: 2. Includes all components within the system;"
 children = [
 control.ec2_instance_ssm_managed,
- control.ssm_managed_instance_compliance_association_compliant,
+ control.ssm_managed_instance_compliance_association_compliant
 ]
 tags = local.nist_800_53_rev_5_common_tags
@@ -362,7 +359,7 @@ benchmark "nist_800_53_rev_5_cm_8_a_3" {
 description = "a. Develop and document an inventory of system components that: 3. Does not include duplicate accounting of components or components assigned to any other system;"
 children = [
 control.ec2_instance_ssm_managed,
- control.ssm_managed_instance_compliance_association_compliant,
+ control.ssm_managed_instance_compliance_association_compliant
 ]
 tags = local.nist_800_53_rev_5_common_tags
@@ -373,7 +370,7 @@ benchmark "nist_800_53_rev_5_cm_8_a_4" {
 description = "a. Develop and document an inventory of system components that: 4. Is at the level of granularity deemed necessary for tracking and reporting;"
 children = [
 control.ec2_instance_ssm_managed,
- control.ssm_managed_instance_compliance_association_compliant,
+ control.ssm_managed_instance_compliance_association_compliant
 ]
 tags = local.nist_800_53_rev_5_common_tags
@@ -437,9 +434,9 @@ benchmark "nist_800_53_rev_5_cm_8_3_a" {
 description = "(a) Detect the presence of unauthorized hardware, software, and firmware components within the system using [Assignment: organization-defined automated mechanisms] [Assignment: organization-defined frequency];"
 children = [
 control.ec2_instance_ssm_managed,
+ control.guardduty_enabled,
 control.ssm_managed_instance_compliance_association_compliant,
- control.ssm_managed_instance_compliance_patch_compliant,
- control.guardduty_enabled
+ control.ssm_managed_instance_compliance_patch_compliant
 ]
 tags = local.nist_800_53_rev_5_common_tags
@@ -449,11 +446,11 @@ benchmark "nist_800_53_rev_5_cm_8_6" {
 title = "CM-8(6) Assessed Configurations And Approved Deviations"
 description = "Include assessed component configurations and any approved deviations to current deployed configurations in the system component inventory."
 children = [
+ control.ebs_volume_unsued,
 control.ec2_instance_ssm_managed,
- control.ssm_managed_instance_compliance_association_compliant,
 control.ec2_stopped_instance_30_days,
- control.ebs_volume_unsued,
 control.elb_application_lb_deletion_protection_enabled,
+ control.ssm_managed_instance_compliance_association_compliant,
 control.vpc_security_group_restrict_ingress_common_ports_all
 ]
@@ -474,38 +471,38 @@ benchmark "nist_800_53_rev_5_cm_9_b" {
 title = "CM-9(b)"
 description = "Develop, document, and implement a configuration management plan for the system that: b. Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items;"
 children = [
- control.kms_cmk_rotation_enabled,
 control.account_part_of_organizations,
- control.ec2_ebs_default_encryption_enabled,
- control.iam_group_user_role_no_inline_policies,
- control.vpc_security_group_restrict_ingress_ssh_all,
- control.cloudtrail_multi_region_trail_enabled,
- control.iam_user_access_key_age_90,
 control.autoscaling_group_with_lb_use_health_check,
+ control.cloudtrail_multi_region_trail_enabled,
+ control.cloudtrail_s3_data_events_enabled,
 control.cloudtrail_trail_integrated_with_logs,
 control.cloudtrail_trail_logs_encrypted_with_kms_cmk,
 control.cloudtrail_trail_validation_enabled,
- control.cloudtrail_s3_data_events_enabled,
 control.ebs_attached_volume_encryption_enabled,
+ control.ec2_ebs_default_encryption_enabled,
 control.iam_account_password_policy_min_length_14,
+ control.iam_group_user_role_no_inline_policies,
 control.iam_policy_no_star_star,
+ control.iam_root_user_hardware_mfa_enabled,
+ control.iam_root_user_mfa_enabled,
 control.iam_root_user_no_access_keys,
+ control.iam_user_access_key_age_90,
+ control.iam_user_console_access_mfa_enabled,
 control.iam_user_in_group,
 control.iam_user_no_inline_attached_policies,
 control.iam_user_unused_credentials_90,
- control.iam_user_console_access_mfa_enabled,
- control.vpc_security_group_restrict_ingress_common_ports_all,
- control.iam_root_user_hardware_mfa_enabled,
- control.iam_root_user_mfa_enabled,
- control.s3_public_access_block_account,
- control.s3_bucket_logging_enabled,
- control.s3_bucket_restrict_public_read_access,
- control.s3_bucket_restrict_public_write_access,
+ control.kms_cmk_rotation_enabled,
 control.s3_bucket_cross_region_replication_enabled,
 control.s3_bucket_default_encryption_enabled,
 control.s3_bucket_enforces_ssl,
+ control.s3_bucket_logging_enabled,
+ control.s3_bucket_restrict_public_read_access,
+ control.s3_bucket_restrict_public_write_access,
+ control.s3_public_access_block_account,
 control.vpc_default_security_group_restricts_all_traffic,
- control.vpc_flow_logs_enabled
+ control.vpc_flow_logs_enabled,
+ control.vpc_security_group_restrict_ingress_common_ports_all,
+ control.vpc_security_group_restrict_ingress_ssh_all,
 ]
 tags = local.nist_800_53_rev_5_common_tags
diff --git a/nist_800_53_rev_5/cp.sp b/nist_800_53_rev_5/cp.sp
index 987fcc5e..95cd8cc4 100644
--- a/nist_800_53_rev_5/cp.sp
+++ b/nist_800_53_rev_5/cp.sp
@@ -16,8 +16,8 @@ benchmark "nist_800_53_rev_5_cp_1" {
 title = "Policy And Procedures (CP-1)"
 description = "a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] contingency planning policy that: a). Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b). Is consistent with applicable laws, executive orders, directives regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls; b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the contingency planning policy and procedures; and c. Review and update the current contingency planning: 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]."
 children = [
- benchmark.nist_800_53_rev_5_cp_1_a,
- benchmark.nist_800_53_rev_5_cp_1_2
+ benchmark.nist_800_53_rev_5_cp_1_2,
+ benchmark.nist_800_53_rev_5_cp_1_a
 ]
 tags = local.nist_800_53_rev_5_common_tags
@@ -27,8 +27,8 @@ benchmark "nist_800_53_rev_5_cp_1_a" {
 title = "CP-1(a)"
 description = "a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] contingency planning policy that: a). Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b). Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls;"
 children = [
- benchmark.nist_800_53_rev_5_cp_1_a_1_b,
 benchmark.nist_800_53_rev_5_cp_1_a_2,
+ benchmark.nist_800_53_rev_5_cp_1_a_1_b
 ]
 tags = local.nist_800_53_rev_5_common_tags
@@ -38,10 +38,10 @@ benchmark "nist_800_53_rev_5_cp_1_a_1_b" {
 title = "CP-1(a)(1)(b)"
 description = "a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] contingency planning policy that: (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;"
 children = [
- control.elb_classic_lb_cross_zone_load_balancing_enabled,
- control.rds_db_instance_deletion_protection_enabled,
 control.dynamodb_table_auto_scaling_enabled,
 control.elb_application_lb_deletion_protection_enabled,
+ control.elb_classic_lb_cross_zone_load_balancing_enabled,
+ control.rds_db_instance_deletion_protection_enabled,
 control.rds_db_instance_multiple_az_enabled,
 control.vpc_vpn_tunnel_up,
 ]
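Review bot: The new order in the cp_1_a hunk places `benchmark.nist_800_53_rev_5_cp_1_a_2,` before `benchmark.nist_800_53_rev_5_cp_1_a_1_b`, which is the reverse of the ascending order the rest of this commit applies (cm_2_b_1/2/3 in cm_2_b, cm_8_a_1 through a_5 in cm_8_a, cp_1_2 before cp_1_a in the cp_1 hunk). The old side was already in the right order, so this hunk can simply be dropped, or the two lines swapped back to `benchmark.nist_800_53_rev_5_cp_1_a_1_b,` followed by `benchmark.nist_800_53_rev_5_cp_1_a_2`. As far as these lines show, child order only affects how the benchmark tree is presented, so this is a consistency point rather than a correctness one.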
@@ -53,10 +53,10 @@ benchmark "nist_800_53_rev_5_cp_1_a_2" {
 title = "CP-1(a)(2)"
 description = "a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 2. Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls;"
 children = [
- control.elb_classic_lb_cross_zone_load_balancing_enabled,
- control.rds_db_instance_deletion_protection_enabled,
 control.dynamodb_table_auto_scaling_enabled,
 control.elb_application_lb_deletion_protection_enabled,
+ control.elb_classic_lb_cross_zone_load_balancing_enabled,
+ control.rds_db_instance_deletion_protection_enabled,
 control.rds_db_instance_multiple_az_enabled,
 control.vpc_vpn_tunnel_up,
 ]
@@ -102,14 +102,14 @@ benchmark "nist_800_53_rev_5_cp_2_a" {
 title = "CP-2(a)"
 description = "a. Develop a contingency plan for the system that: 1. Identifies essential mission and business functions and associated contingency requirements; 2. Provides recovery objectives, restoration priorities, and metrics; 3. Addresses contingency roles, responsibilities, assigned individuals with contact information; 4. Addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure; 5. Addresses eventual, full system restoration without deterioration of the controls originally planned and implemented; 6. Addresses the sharing of contingency information; and 7. Is reviewed and approved by [Assignment: organization-defined personnel or roles];"
 children = [
- control.elb_classic_lb_cross_zone_load_balancing_enabled,
- control.rds_db_instance_deletion_protection_enabled,
+ benchmark.nist_800_53_rev_5_cp_2_a_6,
+ benchmark.nist_800_53_rev_5_cp_2_a_7,
 control.dynamodb_table_auto_scaling_enabled,
 control.elb_application_lb_deletion_protection_enabled,
+ control.elb_classic_lb_cross_zone_load_balancing_enabled,
+ control.rds_db_instance_deletion_protection_enabled,
 control.rds_db_instance_multiple_az_enabled,
- control.vpc_vpn_tunnel_up,
- benchmark.nist_800_53_rev_5_cp_2_a_6,
- benchmark.nist_800_53_rev_5_cp_2_a_7
+ control.vpc_vpn_tunnel_up
 ]
 tags = local.nist_800_53_rev_5_common_tags
@@ -119,12 +119,12 @@ benchmark "nist_800_53_rev_5_cp_2_a_6" {
 title = "CP-2(a)(6)"
 description = "a. Develop a contingency plan for the system that: 6. Addresses the sharing of contingency information;"
 children = [
- control.elb_classic_lb_cross_zone_load_balancing_enabled,
- control.rds_db_instance_deletion_protection_enabled,
 control.dynamodb_table_auto_scaling_enabled,
 control.elb_application_lb_deletion_protection_enabled,
+ control.elb_classic_lb_cross_zone_load_balancing_enabled,
+ control.rds_db_instance_deletion_protection_enabled,
 control.rds_db_instance_multiple_az_enabled,
- control.vpc_vpn_tunnel_up,
+ control.vpc_vpn_tunnel_up
 ]
 tags = local.nist_800_53_rev_5_common_tags
@@ -134,12 +134,12 @@ benchmark "nist_800_53_rev_5_cp_2_a_7" {
 title = "CP-2(a)(7)"
 description = "a. Develop a contingency plan for the system that: 7. Is reviewed and approved by [Assignment: organization-defined personnel or roles];"
 children = [
- control.elb_classic_lb_cross_zone_load_balancing_enabled,
- control.rds_db_instance_deletion_protection_enabled,
 control.dynamodb_table_auto_scaling_enabled,
 control.elb_application_lb_deletion_protection_enabled,
+ control.elb_classic_lb_cross_zone_load_balancing_enabled,
+ control.rds_db_instance_deletion_protection_enabled,
 control.rds_db_instance_multiple_az_enabled,
- control.vpc_vpn_tunnel_up,
+ control.vpc_vpn_tunnel_up
 ]
 tags = local.nist_800_53_rev_5_common_tags
@@ -149,12 +149,12 @@ benchmark "nist_800_53_rev_5_cp_2_d" {
 title = "CP-2(d)"
 description = "d. Review the contingency plan for the system [Assignment: organization-defined frequency];"
 children = [
- control.elb_classic_lb_cross_zone_load_balancing_enabled,
- control.rds_db_instance_deletion_protection_enabled,
 control.dynamodb_table_auto_scaling_enabled,
 control.elb_application_lb_deletion_protection_enabled,
+ control.elb_classic_lb_cross_zone_load_balancing_enabled,
+ control.rds_db_instance_deletion_protection_enabled,
 control.rds_db_instance_multiple_az_enabled,
- control.vpc_vpn_tunnel_up,
+ control.vpc_vpn_tunnel_up
 ]
 tags = local.nist_800_53_rev_5_common_tags
@@ -164,10 +164,10 @@ benchmark "nist_800_53_rev_5_cp_2_e" {
 title = "CP-2(e)"
 description = "e. Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;"
 children = [
- control.elb_classic_lb_cross_zone_load_balancing_enabled,
- control.rds_db_instance_deletion_protection_enabled,
 control.dynamodb_table_auto_scaling_enabled,
 control.elb_application_lb_deletion_protection_enabled,
+ control.elb_classic_lb_cross_zone_load_balancing_enabled,
+ control.rds_db_instance_deletion_protection_enabled,
 control.rds_db_instance_multiple_az_enabled,
 control.vpc_vpn_tunnel_up,
 ]
@@ -179,23 +179,23 @@ benchmark "nist_800_53_rev_5_cp_2_5" {
 title = "CP-2(5) Continue Mission And Business Functions"
 description = "Plan for the continuance of [Selection: all; essential] mission and business functions with minimal or no loss of operational continuity and sustains that continuity until full system restoration at primary processing and/or storage sites."
 children = [
+ control.dynamodb_table_auto_scaling_enabled,
 control.dynamodb_table_in_backup_plan,
+ control.dynamodb_table_point_in_time_recovery_enabled,
 control.ebs_volume_in_backup_plan,
+ control.ec2_instance_ebs_optimized,
 control.efs_file_system_in_backup_plan,
+ control.elasticache_redis_cluster_automatic_backup_retention_15_days,
+ control.elb_application_lb_deletion_protection_enabled,
 control.elb_classic_lb_cross_zone_load_balancing_enabled,
+ control.rds_db_instance_backup_enabled,
 control.rds_db_instance_deletion_protection_enabled,
 control.rds_db_instance_in_backup_plan,
- control.redshift_cluster_automatic_snapshots_min_7_days,
- control.rds_db_instance_backup_enabled,
- control.dynamodb_table_auto_scaling_enabled,
- control.dynamodb_table_point_in_time_recovery_enabled,
- control.ec2_instance_ebs_optimized,
- control.elasticache_redis_cluster_automatic_backup_retention_15_days,
- control.elb_application_lb_deletion_protection_enabled,
 control.rds_db_instance_multiple_az_enabled,
+ control.redshift_cluster_automatic_snapshots_min_7_days,
 control.s3_bucket_cross_region_replication_enabled,
 control.s3_bucket_versioning_enabled,
- control.vpc_vpn_tunnel_up,
+ control.vpc_vpn_tunnel_up
 ]
 tags = local.nist_800_53_rev_5_common_tags
@@ -205,8 +205,8 @@ benchmark "nist_800_53_rev_5_cp_2_6" {
 title = "CP-2(6) Alternate Processing And Storage Sites"
 description = "Plan for the transfer of [Selection: all; essential] mission and business functions to alternate processing and/or storage sites with minimal or no loss of operational continuity and sustain that continuity through system restoration to primary processing and/or storage sites."
 children = [
- control.elb_classic_lb_cross_zone_load_balancing_enabled,
 control.dynamodb_table_auto_scaling_enabled,
+ control.elb_classic_lb_cross_zone_load_balancing_enabled,
 control.rds_db_instance_multiple_az_enabled,
 control.vpc_vpn_tunnel_up,
 ]
@@ -218,9 +218,9 @@ benchmark "nist_800_53_rev_5_cp_6" {
 title = "Alternate Storage Sites (CP-6)"
 description = "a. Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and b. Ensure that the alternate storage site provides controls equivalent to that of the primary site."
 children = [
- benchmark.nist_800_53_rev_5_cp_6_a,
 benchmark.nist_800_53_rev_5_cp_6_1,
- benchmark.nist_800_53_rev_5_cp_6_2
+ benchmark.nist_800_53_rev_5_cp_6_2,
+ benchmark.nist_800_53_rev_5_cp_6_a
 ]
 
 tags = local.nist_800_53_rev_5_common_tags
@@ -233,12 +233,12 @@ benchmark "nist_800_53_rev_5_cp_6_a" {
 control.dynamodb_table_in_backup_plan,
 control.ebs_volume_in_backup_plan,
 control.efs_file_system_in_backup_plan,
+ control.elasticache_redis_cluster_automatic_backup_retention_15_days,
+ control.rds_db_instance_backup_enabled,
 control.rds_db_instance_in_backup_plan,
 control.redshift_cluster_automatic_snapshots_min_7_days,
- control.rds_db_instance_backup_enabled,
- control.elasticache_redis_cluster_automatic_backup_retention_15_days,
 control.s3_bucket_cross_region_replication_enabled,
- control.s3_bucket_versioning_enabled,
+ control.s3_bucket_versioning_enabled
 ]
 
 tags = local.nist_800_53_rev_5_common_tags
@@ -251,12 +251,12 @@ benchmark "nist_800_53_rev_5_cp_6_1" {
 control.dynamodb_table_in_backup_plan,
 control.ebs_volume_in_backup_plan,
 control.efs_file_system_in_backup_plan,
+ control.elasticache_redis_cluster_automatic_backup_retention_15_days,
+ control.rds_db_instance_backup_enabled,
 control.rds_db_instance_in_backup_plan,
 control.redshift_cluster_automatic_snapshots_min_7_days,
- control.rds_db_instance_backup_enabled,
- control.elasticache_redis_cluster_automatic_backup_retention_15_days,
 control.s3_bucket_cross_region_replication_enabled,
- control.s3_bucket_versioning_enabled,
+ control.s3_bucket_versioning_enabled
 ]
 
 tags = local.nist_800_53_rev_5_common_tags
@@ -266,20 +266,20 @@ benchmark "nist_800_53_rev_5_cp_6_2" {
 title = "CP-6(2) Recovery Time And Recovery Point Objectives"
 description = "Configure the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives."
 children = [
+ control.dynamodb_table_auto_scaling_enabled,
 control.dynamodb_table_in_backup_plan,
+ control.dynamodb_table_point_in_time_recovery_enabled,
 control.ebs_volume_in_backup_plan,
 control.efs_file_system_in_backup_plan,
+ control.elasticache_redis_cluster_automatic_backup_retention_15_days,
 control.elb_classic_lb_cross_zone_load_balancing_enabled,
- control.rds_db_instance_in_backup_plan,
- control.redshift_cluster_automatic_snapshots_min_7_days,
 control.rds_db_instance_backup_enabled,
- control.dynamodb_table_auto_scaling_enabled,
- control.dynamodb_table_point_in_time_recovery_enabled,
- control.elasticache_redis_cluster_automatic_backup_retention_15_days,
+ control.rds_db_instance_in_backup_plan,
 control.rds_db_instance_multiple_az_enabled,
+ control.redshift_cluster_automatic_snapshots_min_7_days,
 control.s3_bucket_cross_region_replication_enabled,
 control.s3_bucket_versioning_enabled,
- control.vpc_vpn_tunnel_up,
+ control.vpc_vpn_tunnel_up
 ]
 
 tags = local.nist_800_53_rev_5_common_tags
@@ -289,12 +289,11 @@ benchmark "nist_800_53_rev_5_cp_9" {
 title = "System Backup (CP-9)"
 description = "a. Conduct backups of user-level information contained in [Assignment: organization-defined system components] [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; b. Conduct backups of system-level information contained in the system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; c. Conduct backups of system documentation, including security- and privacy-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and d. Protect the confidentiality, integrity, and availability of backup information."
 children = [
+ benchmark.nist_800_53_rev_5_cp_9_8,
 benchmark.nist_800_53_rev_5_cp_9_a,
 benchmark.nist_800_53_rev_5_cp_9_b,
 benchmark.nist_800_53_rev_5_cp_9_c,
 benchmark.nist_800_53_rev_5_cp_9_d,
- benchmark.nist_800_53_rev_5_cp_9_8
-
 ]
 
 tags = local.nist_800_53_rev_5_common_tags
@@ -305,17 +304,17 @@ benchmark "nist_800_53_rev_5_cp_9_a" {
 description = "a. Conduct backups of user-level information contained in [Assignment: organization-defined system components] [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];"
 children = [
 control.dynamodb_table_in_backup_plan,
+ control.dynamodb_table_point_in_time_recovery_enabled,
 control.ebs_volume_in_backup_plan,
+ control.ec2_instance_ebs_optimized,
 control.efs_file_system_in_backup_plan,
+ control.elasticache_redis_cluster_automatic_backup_retention_15_days,
+ control.rds_db_instance_backup_enabled,
 control.rds_db_instance_in_backup_plan,
 control.redshift_cluster_automatic_snapshots_min_7_days,
- control.rds_db_instance_backup_enabled,
- control.dynamodb_table_point_in_time_recovery_enabled,
- control.ec2_instance_ebs_optimized,
- control.elasticache_redis_cluster_automatic_backup_retention_15_days,
 control.redshift_cluster_maintenance_settings_check,
 control.s3_bucket_cross_region_replication_enabled,
- control.s3_bucket_versioning_enabled,
+ control.s3_bucket_versioning_enabled
 ]
 
 tags = local.nist_800_53_rev_5_common_tags
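Review bot: `control.ec2_instance_ebs_optimized` sits in the CP-9(a) list, which is about conducting backups of user-level information, but EBS optimisation is an instance throughput setting and says nothing about whether a volume is backed up; the reorder only moved the entry, and it appears in the CP-9(b) list in the next hunk as well. If the mapping is intentional, a comment above the entry would save the next reviewer the same question, e.g. `# ebs_optimized kept under CP-9 deliberately: <mapping rationale>`; otherwise the line should be dropped from both CP-9 lists.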
@@ -326,14 +325,14 @@ benchmark "nist_800_53_rev_5_cp_9_b" {
 description = "b. Conduct backups of system-level information contained in the system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];"
 children = [
 control.dynamodb_table_in_backup_plan,
+ control.dynamodb_table_point_in_time_recovery_enabled,
 control.ebs_volume_in_backup_plan,
+ control.ec2_instance_ebs_optimized,
 control.efs_file_system_in_backup_plan,
+ control.elasticache_redis_cluster_automatic_backup_retention_15_days,
+ control.rds_db_instance_backup_enabled,
 control.rds_db_instance_in_backup_plan,
 control.redshift_cluster_automatic_snapshots_min_7_days,
- control.rds_db_instance_backup_enabled,
- control.dynamodb_table_point_in_time_recovery_enabled,
- control.ec2_instance_ebs_optimized,
- control.elasticache_redis_cluster_automatic_backup_retention_15_days,
 control.redshift_cluster_maintenance_settings_check,
 control.s3_bucket_cross_region_replication_enabled,
 control.s3_bucket_versioning_enabled,
@@ -367,24 +366,24 @@ benchmark "nist_800_53_rev_5_cp_9_d" {
 title = "CP-9(d)"
 description = "d. Protect the confidentiality, integrity, and availability of backup information."
 children = [
- control.dynamodb_table_in_backup_plan,
- control.ec2_ebs_default_encryption_enabled,
- control.rds_db_snapshot_encrypted_at_rest,
- control.s3_bucket_default_encryption_enabled_kms,
- control.sagemaker_notebook_instance_encryption_at_rest_enabled,
- control.sns_topic_encrypted_at_rest,
 control.apigateway_stage_cache_encryption_at_rest_enabled,
- control.secretsmanager_secret_encrypted_with_kms_cmk,
 control.cloudtrail_trail_logs_encrypted_with_kms_cmk,
- control.log_group_encryption_at_rest_enabled,
+ control.dynamodb_table_in_backup_plan,
+ control.ebs_attached_volume_encryption_enabled,
+ control.ec2_ebs_default_encryption_enabled,
 control.efs_file_system_encrypt_data_at_rest,
 control.es_domain_encryption_at_rest_enabled,
- control.ebs_attached_volume_encryption_enabled,
+ control.log_group_encryption_at_rest_enabled,
 control.rds_db_instance_encryption_at_rest_enabled,
+ control.rds_db_snapshot_encrypted_at_rest,
 control.redshift_cluster_encryption_logging_enabled,
 control.redshift_cluster_kms_enabled,
+ control.s3_bucket_default_encryption_enabled_kms,
 control.s3_bucket_default_encryption_enabled,
- control.sagemaker_endpoint_configuration_encryption_at_rest_enabled
+ control.sagemaker_endpoint_configuration_encryption_at_rest_enabled,
+ control.sagemaker_notebook_instance_encryption_at_rest_enabled,
+ control.secretsmanager_secret_encrypted_with_kms_cmk,
+ control.sns_topic_encrypted_at_rest,
 ]
 
 tags = local.nist_800_53_rev_5_common_tags
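Review bot: In the reordered CP-9(d) list `control.s3_bucket_default_encryption_enabled_kms` is placed before `control.s3_bucket_default_encryption_enabled`, the opposite of the order this same commit applies to the identical pair in `nist_800_53_rev_5_cp_9_8` (next hunk), where `_enabled` precedes `_enabled_kms`. Swapping the two lines here keeps the sort consistent between the two lists. The list also ends with `control.sns_topic_encrypted_at_rest,` while most of the other normalised lists end without a trailing comma.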
@@ -395,8 +394,8 @@ benchmark "nist_800_53_rev_5_cp_9_8" {
 description = "Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of [Assignment: organization-defined backup information]."
 children = [
 control.rds_db_snapshot_encrypted_at_rest,
- control.s3_bucket_default_encryption_enabled_kms,
- control.s3_bucket_default_encryption_enabled
+ control.s3_bucket_default_encryption_enabled,
+ control.s3_bucket_default_encryption_enabled_kms
 ]
 
 tags = local.nist_800_53_rev_5_common_tags
@@ -406,23 +405,22 @@ benchmark "nist_800_53_rev_5_cp_10" {
 title = "System Recovery And Reconstitution (CP-10)"
 description = "Provide for the recovery and reconstitution of the system to a known state within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] after a disruption, compromise, or failure."
 children = [
+ benchmark.nist_800_53_rev_5_cp_10_2,
+ control.dynamodb_table_auto_scaling_enabled,
 control.dynamodb_table_in_backup_plan,
+ control.dynamodb_table_point_in_time_recovery_enabled,
 control.ebs_volume_in_backup_plan,
+ control.ec2_instance_ebs_optimized,
 control.efs_file_system_in_backup_plan,
+ control.elasticache_redis_cluster_automatic_backup_retention_15_days,
 control.elb_classic_lb_cross_zone_load_balancing_enabled,
- control.rds_db_instance_in_backup_plan,
- control.redshift_cluster_automatic_snapshots_min_7_days,
 control.rds_db_instance_backup_enabled,
- control.dynamodb_table_auto_scaling_enabled,
- control.dynamodb_table_point_in_time_recovery_enabled,
- control.ec2_instance_ebs_optimized,
- control.elasticache_redis_cluster_automatic_backup_retention_15_days,
+ control.rds_db_instance_in_backup_plan,
 control.rds_db_instance_multiple_az_enabled,
+ control.redshift_cluster_automatic_snapshots_min_7_days,
 control.s3_bucket_cross_region_replication_enabled,
 control.s3_bucket_versioning_enabled,
 control.vpc_vpn_tunnel_up,
- benchmark.nist_800_53_rev_5_cp_10_2
-
 ]
 
 tags = local.nist_800_53_rev_5_common_tags
@@ -433,13 +431,13 @@ benchmark "nist_800_53_rev_5_cp_10_2" {
 description = "Implement transaction recovery for systems that are transaction-based."
 children = [
 control.dynamodb_table_in_backup_plan,
+ control.dynamodb_table_point_in_time_recovery_enabled,
 control.ebs_volume_in_backup_plan,
 control.efs_file_system_in_backup_plan,
+ control.elasticache_redis_cluster_automatic_backup_retention_15_days,
+ control.rds_db_instance_backup_enabled,
 control.rds_db_instance_in_backup_plan,
 control.redshift_cluster_automatic_snapshots_min_7_days,
- control.rds_db_instance_backup_enabled,
- control.dynamodb_table_point_in_time_recovery_enabled,
- control.elasticache_redis_cluster_automatic_backup_retention_15_days,
 control.s3_bucket_cross_region_replication_enabled,
 control.s3_bucket_versioning_enabled,
 ]
diff --git a/nist_800_53_rev_5/ia.sp b/nist_800_53_rev_5/ia.sp
index 42dbee64..df4285c8 100644
--- a/nist_800_53_rev_5/ia.sp
+++ b/nist_800_53_rev_5/ia.sp
@@ -16,11 +16,11 @@ benchmark "nist_800_53_rev_5_ia_2" {
 title = "Identification and Authentication (Organizational users) (IA-2)"
 description = "The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users)."
 children = [
- control.iam_root_user_no_access_keys,
 benchmark.nist_800_53_rev_5_ia_2_1,
 benchmark.nist_800_53_rev_5_ia_2_2,
 benchmark.nist_800_53_rev_5_ia_2_6,
- benchmark.nist_800_53_rev_5_ia_2_8
+ benchmark.nist_800_53_rev_5_ia_2_8,
+ control.iam_root_user_no_access_keys
 ]
 
 tags = merge(local.nist_800_53_rev_5_common_tags, {
@@ -32,10 +32,10 @@ benchmark "nist_800_53_rev_5_ia_2_1" {
 title = "IA-2(1) Multi-Factor Authentication To Privileged Accounts"
 description = "Implement multi-factor authentication for access to privileged accounts."
 children = [
- control.iam_user_mfa_enabled,
- control.iam_user_console_access_mfa_enabled,
 control.iam_root_user_hardware_mfa_enabled,
- control.iam_root_user_mfa_enabled
+ control.iam_root_user_mfa_enabled,
+ control.iam_user_console_access_mfa_enabled,
+ control.iam_user_mfa_enabled
 ]
 
 tags = merge(local.nist_800_53_rev_5_common_tags, {
@@ -47,10 +47,10 @@ benchmark "nist_800_53_rev_5_ia_2_2" {
 title = "IA-2(2) Multi-Factor Authentication To Non-Privileged Accounts"
 description = "Implement multi-factor authentication for access to non-privileged accounts."
 children = [
- control.iam_user_console_access_mfa_enabled,
- control.iam_user_mfa_enabled,
 control.iam_root_user_hardware_mfa_enabled,
- control.iam_root_user_mfa_enabled
+ control.iam_root_user_mfa_enabled,
+ control.iam_user_console_access_mfa_enabled,
+ control.iam_user_mfa_enabled
 ]
 
 tags = merge(local.nist_800_53_rev_5_common_tags, {
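Review bot: The reordered IA-2(2) list still carries `control.iam_root_user_hardware_mfa_enabled` and `control.iam_root_user_mfa_enabled`, which concern the most privileged identity in the account, while IA-2(2) is the non-privileged-accounts enhancement; those two entries belong to IA-2(1) directly above, where they already appear, and look misplaced here. The two IA-2 lists are now byte-identical, so the distinction the catalog draws is lost in the report. If the duplication is deliberate, a comment on the IA-2(2) list saying so would help, e.g. `# root-user MFA controls intentionally listed under both IA-2(1) and IA-2(2)`.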
@@ -62,11 +62,11 @@ benchmark "nist_800_53_rev_5_ia_2_6" {
 title = "IA-2(6) Acces To Accounts — Separate Device"
 description = "Implement multi-factor authentication for [Selection (one or more): local; network; remote] access to [Selection (one or more): privileged accounts; non-privileged accounts] such that: (a) One of the factors is provided by a device separate from the system gaining access; and (b) The device meets [Assignment: organization-defined strength of mechanism requirements]."
 children = [
- control.iam_user_console_access_mfa_enabled,
- control.iam_user_mfa_enabled,
+ benchmark.nist_800_53_rev_5_ia_2_6_a,
 control.iam_root_user_hardware_mfa_enabled,
 control.iam_root_user_mfa_enabled,
- benchmark.nist_800_53_rev_5_ia_2_6_a
+ control.iam_user_console_access_mfa_enabled,
+ control.iam_user_mfa_enabled
 ]
 
 tags = merge(local.nist_800_53_rev_5_common_tags, {
@@ -78,10 +78,10 @@ benchmark "nist_800_53_rev_5_ia_2_6_a" {
 title = "IA-2(6)(a)"
 description = "Implement multi-factor authentication for [Selection (one or more): local; network; remote] access to [Selection (one or more): privileged accounts; non-privileged accounts] such that: (a) One of the factors is provided by a device separate from the system gaining access;"
 children = [
- control.iam_user_console_access_mfa_enabled,
- control.iam_user_mfa_enabled,
 control.iam_root_user_hardware_mfa_enabled,
 control.iam_root_user_mfa_enabled,
+ control.iam_user_console_access_mfa_enabled,
+ control.iam_user_mfa_enabled,
 ]
 
 tags = merge(local.nist_800_53_rev_5_common_tags, {
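Review bot: The title of `nist_800_53_rev_5_ia_2_6` reads `IA-2(6) Acces To Accounts — Separate Device`; `Acces` should be `Access`, as in the IA-2(8) title in the next hunk. The line is context here, but the commit already rewrites this block's children list, so the one-word fix fits in the same change: `title = "IA-2(6) Access To Accounts — Separate Device"`.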
@@ -93,10 +93,10 @@ benchmark "nist_800_53_rev_5_ia_2_8" {
 title = "IA-2(8) Access To Accounts — Replay Resistant"
 description = "Implement replay-resistant authentication mechanisms for access to [Selection (one or more): privileged accounts; non-privileged accounts]."
 children = [
- control.iam_user_console_access_mfa_enabled,
- control.iam_user_mfa_enabled,
 control.iam_root_user_hardware_mfa_enabled,
 control.iam_root_user_mfa_enabled,
+ control.iam_user_console_access_mfa_enabled,
+ control.iam_user_mfa_enabled,
 ]
 
 tags = merge(local.nist_800_53_rev_5_common_tags, {
@@ -149,10 +149,10 @@ benchmark "nist_800_53_rev_5_ia_4" {
 title = "Identifier Management (IA-4)"
 description = "Manage information system identifiers for users and devices. Automate authorizing and disabling users to prevent misuse."
 children = [
+ benchmark.nist_800_53_rev_5_ia_4_8,
 benchmark.nist_800_53_rev_5_ia_4_b,
 benchmark.nist_800_53_rev_5_ia_4_d,
- benchmark.nist_800_53_rev_5_ia_4_4,
- benchmark.nist_800_53_rev_5_ia_4_8
+ benchmark.nist_800_53_rev_5_ia_4_4
 ]
 
 tags = merge(local.nist_800_53_rev_5_common_tags, {
@@ -212,15 +212,15 @@ benchmark "nist_800_53_rev_5_ia_5" {
 title = "Authenticator Management (IA-5)"
 description = "Authenticate users and devices. Automate administrative control. Enforce restrictions. Protect against unauthorized use."
 children = [
- control.iam_account_password_policy_min_length_14,
+ benchmark.nist_800_53_rev_5_ia_5_1,
+ benchmark.nist_800_53_rev_5_ia_5_8,
+ benchmark.nist_800_53_rev_5_ia_5_18,
 benchmark.nist_800_53_rev_5_ia_5_b,
 benchmark.nist_800_53_rev_5_ia_5_c,
 benchmark.nist_800_53_rev_5_ia_5_d,
 benchmark.nist_800_53_rev_5_ia_5_f,
 benchmark.nist_800_53_rev_5_ia_5_h,
- benchmark.nist_800_53_rev_5_ia_5_1,
- benchmark.nist_800_53_rev_5_ia_5_8,
- benchmark.nist_800_53_rev_5_ia_5_18
+ control.iam_account_password_policy_min_length_14
 ]
 
 tags = merge(local.nist_800_53_rev_5_common_tags, {
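Review bot: The reordered `nist_800_53_rev_5_ia_4` children list ends up as `ia_4_8, ia_4_b, ia_4_d, ia_4_4`, which is neither the original order nor the convention the rest of this commit applies (numbered enhancements first, then lettered parts, as in `ia_5`, `cp_6`, `cp_9` and `sc_5`). It looks like `ia_4_4` was moved to the bottom by mistake while `ia_4_8` was moved to the top. Moving `benchmark.nist_800_53_rev_5_ia_4_4,` up to directly above `benchmark.nist_800_53_rev_5_ia_4_8,` and dropping the comma from the now-last `benchmark.nist_800_53_rev_5_ia_4_d` line gives the same order as the sibling lists.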
@@ -303,10 +303,10 @@ benchmark "nist_800_53_rev_5_ia_5_1_c" {
 title = "IA-5(1)(c)"
 description = "For password-based authentication: (c) Transmit passwords only over cryptographically-protected channels;"
 children = [
- control.elb_classic_lb_use_tls_https_listeners,
- control.elb_application_lb_redirect_http_request_to_https,
 control.apigateway_rest_api_stage_use_ssl_certificate,
+ control.elb_application_lb_redirect_http_request_to_https,
 control.elb_classic_lb_use_ssl_certificate,
+ control.elb_classic_lb_use_tls_https_listeners,
 control.s3_bucket_enforces_ssl
 ]
 
diff --git a/nist_800_53_rev_5/ma.sp b/nist_800_53_rev_5/ma.sp
index a2fa3d82..3dc28c4c 100644
--- a/nist_800_53_rev_5/ma.sp
+++ b/nist_800_53_rev_5/ma.sp
@@ -12,8 +12,8 @@ benchmark "nist_800_53_rev_5_ma_4" {
 title = "Nonlocal Maintenance (MA-4)"
 description = "a. Approve and monitor nonlocal maintenance and diagnostic activities; b. Allow the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the system; c. Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions; d. Maintain records for nonlocal maintenance and diagnostic activities; and e. Terminate session and network connections when nonlocal maintenance is completed."
 children = [
- benchmark.nist_800_53_rev_5_ma_4_c,
 benchmark.nist_800_53_rev_5_ma_4_1,
+ benchmark.nist_800_53_rev_5_ma_4_c
 ]
 
 tags = local.nist_800_53_rev_5_common_tags
@@ -45,17 +45,17 @@ benchmark "nist_800_53_rev_5_ma_4_1_a" {
 title = "MA-4(1)(a)"
 description = "(a) Log [Assignment: organization-defined audit events] for nonlocal maintenance and diagnostic sessions;"
 children = [
- control.cloudtrail_multi_region_trail_enabled,
- control.wafv2_web_acl_logging_enabled,
 control.apigateway_stage_logging_enabled,
- control.cloudtrail_trail_integrated_with_logs,
- control.cloudtrail_trail_enabled,
+ control.cloudtrail_multi_region_trail_enabled,
 control.cloudtrail_s3_data_events_enabled,
+ control.cloudtrail_trail_enabled,
+ control.cloudtrail_trail_integrated_with_logs,
 control.elb_application_classic_lb_logging_enabled,
 control.rds_db_instance_logging_enabled,
 control.redshift_cluster_encryption_logging_enabled,
 control.s3_bucket_logging_enabled,
 control.vpc_flow_logs_enabled,
+ control.wafv2_web_acl_logging_enabled
 ]
 
 tags = local.nist_800_53_rev_5_common_tags
diff --git a/nist_800_53_rev_5/mp.sp b/nist_800_53_rev_5/mp.sp
index 19908989..8078524d 100644
--- a/nist_800_53_rev_5/mp.sp
+++ b/nist_800_53_rev_5/mp.sp
@@ -12,14 +12,14 @@ benchmark "nist_800_53_rev_5_mp_2" {
 title = "Media Access (MP-2)"
 description = "Restrict access to [Assignment: organization-defined types of digital and/or non-digital media] to [Assignment: organization-defined personnel or roles]."
 children = [
- control.ec2_instance_uses_imdsv2,
- control.iam_group_user_role_no_inline_policies,
- control.ec2_instance_in_vpc,
 control.dms_replication_instance_not_publicly_accessible,
 control.ebs_snapshot_not_publicly_restorable,
+ control.ec2_instance_in_vpc,
 control.ec2_instance_not_publicly_accessible,
- control.es_domain_in_vpc,
+ control.ec2_instance_uses_imdsv2,
 control.emr_cluster_master_nodes_no_public_ip,
+ control.es_domain_in_vpc,
+ control.iam_group_user_role_no_inline_policies,
 control.iam_policy_no_star_star,
 control.iam_root_user_no_access_keys,
 control.iam_user_in_group,
@@ -35,7 +35,7 @@ benchmark "nist_800_53_rev_5_mp_2" {
 control.s3_public_access_block_account,
 control.s3_public_access_block_bucket,
 control.sagemaker_notebook_instance_direct_internet_access_disabled,
- control.vpc_subnet_auto_assign_public_ip_disabled,
+ control.vpc_subnet_auto_assign_public_ip_disabled
 ]
 
 tags = local.nist_800_53_rev_5_common_tags
diff --git a/nist_800_53_rev_5/pm.sp b/nist_800_53_rev_5/pm.sp
index b20ae648..de49ac2e 100644
--- a/nist_800_53_rev_5/pm.sp
+++ b/nist_800_53_rev_5/pm.sp
@@ -30,7 +30,7 @@ benchmark "nist_800_53_rev_5_pm_11_b" {
 control.cloudtrail_trail_validation_enabled,
 control.s3_bucket_default_encryption_enabled,
 control.s3_bucket_enforces_ssl,
- control.s3_bucket_versioning_enabled,
+ control.s3_bucket_versioning_enabled
 ]
 
 tags = local.nist_800_53_rev_5_common_tags
@@ -51,26 +51,26 @@ benchmark "nist_800_53_rev_5_pm_14_a_1" {
 title = "PM-14(a)(1)"
 description = "a. Implement a process for ensuring that organizational plans for conducting security and privacy testing, training, and monitoring activities associated with organizational systems: 1. Are developed and maintained;"
 children = [
- control.cloudwatch_log_group_retention_period_365,
- control.lambda_function_concurrent_execution_limit_configured,
- control.lambda_function_dead_letter_queue_configured,
- control.cloudtrail_multi_region_trail_enabled,
- control.rds_db_instance_and_cluster_enhanced_monitoring_enabled,
- control.rds_db_instance_logging_enabled,
- control.securityhub_enabled,
- control.wafv2_web_acl_logging_enabled,
 control.apigateway_stage_logging_enabled,
 control.autoscaling_group_with_lb_use_health_check,
- control.elastic_beanstalk_enhanced_health_reporting_enabled,
- control.cloudtrail_trail_integrated_with_logs,
- control.cloudtrail_trail_enabled,
+ control.cloudtrail_multi_region_trail_enabled,
 control.cloudtrail_s3_data_events_enabled,
+ control.cloudtrail_trail_enabled,
+ control.cloudtrail_trail_integrated_with_logs,
 control.cloudwatch_alarm_action_enabled,
+ control.cloudwatch_log_group_retention_period_365,
+ control.elastic_beanstalk_enhanced_health_reporting_enabled,
 control.elb_application_classic_lb_logging_enabled,
 control.guardduty_enabled,
+ control.lambda_function_concurrent_execution_limit_configured,
+ control.lambda_function_dead_letter_queue_configured,
+ control.rds_db_instance_and_cluster_enhanced_monitoring_enabled,
+ control.rds_db_instance_logging_enabled,
 control.redshift_cluster_encryption_logging_enabled,
 control.s3_bucket_logging_enabled,
- control.vpc_flow_logs_enabled
+ control.securityhub_enabled,
+ control.vpc_flow_logs_enabled,
+ control.wafv2_web_acl_logging_enabled
 ]
 
 tags = local.nist_800_53_rev_5_common_tags
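Review bot: PM-14(a)(1) now carries the same 19-control list as PM-14(b) in the next hunk and PM-31 in the hunk that ends at the ra.sp file header; three hand-maintained copies mean a control added to one will silently drift from the others, which is exactly the kind of divergence this reorder had to repair. Since `children` already nests benchmarks elsewhere in these files, one shared child benchmark (constructed name, e.g. `benchmark.nist_800_53_rev_5_monitoring_controls`) referenced from all three parents would remove the duplication without changing what is reported. Failing that, a comment on each list naming the other two copies, e.g. `# keep in sync with nist_800_53_rev_5_pm_14_b and nist_800_53_rev_5_pm_31`, would at least make the coupling visible.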
@@ -80,26 +80,26 @@ benchmark "nist_800_53_rev_5_pm_14_b" {
 title = "PM-14(b)"
 description = "b. Review testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions."
 children = [
- control.cloudwatch_log_group_retention_period_365,
- control.lambda_function_concurrent_execution_limit_configured,
- control.lambda_function_dead_letter_queue_configured,
- control.cloudtrail_multi_region_trail_enabled,
- control.rds_db_instance_and_cluster_enhanced_monitoring_enabled,
- control.rds_db_instance_logging_enabled,
- control.securityhub_enabled,
- control.wafv2_web_acl_logging_enabled,
 control.apigateway_stage_logging_enabled,
 control.autoscaling_group_with_lb_use_health_check,
- control.elastic_beanstalk_enhanced_health_reporting_enabled,
- control.cloudtrail_trail_integrated_with_logs,
- control.cloudtrail_trail_enabled,
+ control.cloudtrail_multi_region_trail_enabled,
 control.cloudtrail_s3_data_events_enabled,
+ control.cloudtrail_trail_enabled,
+ control.cloudtrail_trail_integrated_with_logs,
 control.cloudwatch_alarm_action_enabled,
+ control.cloudwatch_log_group_retention_period_365,
+ control.elastic_beanstalk_enhanced_health_reporting_enabled,
 control.elb_application_classic_lb_logging_enabled,
 control.guardduty_enabled,
+ control.lambda_function_concurrent_execution_limit_configured,
+ control.lambda_function_dead_letter_queue_configured,
+ control.rds_db_instance_and_cluster_enhanced_monitoring_enabled,
+ control.rds_db_instance_logging_enabled,
 control.redshift_cluster_encryption_logging_enabled,
 control.s3_bucket_logging_enabled,
- control.vpc_flow_logs_enabled
+ control.securityhub_enabled,
+ control.vpc_flow_logs_enabled,
+ control.wafv2_web_acl_logging_enabled
 ]
 
 tags = local.nist_800_53_rev_5_common_tags
@@ -109,7 +109,7 @@ benchmark "nist_800_53_rev_5_pm_16" {
 title = "Threat Awareness Program (PM-16)"
 description = "Implement a threat awareness program that includes a cross-organization information-sharing capability for threat intelligence."
 children = [
- control.guardduty_enabled,
+ control.guardduty_enabled
 ]
 
 tags = merge(local.nist_800_53_rev_5_common_tags, {
@@ -121,7 +121,7 @@ benchmark "nist_800_53_rev_5_pm_17" {
 title = "Protecting Controlled Unclassified Information On External Systems (PM-17)"
 description = "a. Establish policy and procedures to ensure that requirements for the protection of controlled unclassified information that is processed, stored or transmitted on external systems, are implemented in accordance with applicable laws, executive orders, directives, policies, regulations, and standards; and b. Review and update the policy and procedures [Assignment: organization-defined frequency]."
 children = [
- benchmark.nist_800_53_rev_5_pm_17_b,
+ benchmark.nist_800_53_rev_5_pm_17_b
 ]
 
 tags = local.nist_800_53_rev_5_common_tags
@@ -131,12 +131,12 @@ benchmark "nist_800_53_rev_5_pm_17_b" {
 title = "PM-17(b)"
 description = "b. Review and update the policy and procedures [Assignment: organization-defined frequency]."
 children = [
- control.es_domain_node_to_node_encryption_enabled,
- control.elb_classic_lb_use_tls_https_listeners,
- control.elb_application_lb_redirect_http_request_to_https,
 control.apigateway_rest_api_stage_use_ssl_certificate,
 control.cloudtrail_trail_validation_enabled,
+ control.elb_application_lb_redirect_http_request_to_https,
 control.elb_classic_lb_use_ssl_certificate,
+ control.elb_classic_lb_use_tls_https_listeners,
+ control.es_domain_node_to_node_encryption_enabled,
 control.redshift_cluster_encryption_in_transit_enabled,
 control.s3_bucket_enforces_ssl,
 control.s3_bucket_versioning_enabled
@@ -173,26 +173,26 @@ benchmark "nist_800_53_rev_5_pm_31" {
 title = "Continuous Monitoring Strategy (PM-31)"
 description = "Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs that include: a. Establishing the following organization-wide metrics to be monitored: [Assignment: organization-defined metrics]; b. Establishing [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessment of control effectiveness; c. Ongoing monitoring of organizationally-defined metrics in accordance with the continuous monitoring strategy; d. Correlation and analysis of information generated by control assessments and monitoring; e. Response actions to address results of the analysis of control assessment and monitoring information; and f. Reporting the security and privacy status of organizational systems to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency]."
 children = [
- control.cloudwatch_log_group_retention_period_365,
- control.lambda_function_concurrent_execution_limit_configured,
- control.lambda_function_dead_letter_queue_configured,
- control.cloudtrail_multi_region_trail_enabled,
- control.rds_db_instance_and_cluster_enhanced_monitoring_enabled,
- control.rds_db_instance_logging_enabled,
- control.securityhub_enabled,
- control.wafv2_web_acl_logging_enabled,
 control.apigateway_stage_logging_enabled,
 control.autoscaling_group_with_lb_use_health_check,
- control.elastic_beanstalk_enhanced_health_reporting_enabled,
- control.cloudtrail_trail_integrated_with_logs,
- control.cloudtrail_trail_enabled,
+ control.cloudtrail_multi_region_trail_enabled,
 control.cloudtrail_s3_data_events_enabled,
+ control.cloudtrail_trail_enabled,
+ control.cloudtrail_trail_integrated_with_logs,
 control.cloudwatch_alarm_action_enabled,
+ control.cloudwatch_log_group_retention_period_365,
+ control.elastic_beanstalk_enhanced_health_reporting_enabled,
 control.elb_application_classic_lb_logging_enabled,
 control.guardduty_enabled,
+ control.lambda_function_concurrent_execution_limit_configured,
+ control.lambda_function_dead_letter_queue_configured,
+ control.rds_db_instance_and_cluster_enhanced_monitoring_enabled,
+ control.rds_db_instance_logging_enabled,
 control.redshift_cluster_encryption_logging_enabled,
 control.s3_bucket_logging_enabled,
- control.vpc_flow_logs_enabled
+ control.securityhub_enabled,
+ control.vpc_flow_logs_enabled,
+ control.wafv2_web_acl_logging_enabled
 ]
 
 tags = local.nist_800_53_rev_5_common_tags
diff --git a/nist_800_53_rev_5/ra.sp b/nist_800_53_rev_5/ra.sp
index 0ee63ecf..ffdaef75 100644
--- a/nist_800_53_rev_5/ra.sp
+++ b/nist_800_53_rev_5/ra.sp
@@ -27,9 +27,9 @@ benchmark "nist_800_53_rev_5_ra_1_a" {
 title = "RA-1(a)"
 description = "a. Establish and maintain a cyber threat hunting capability to: 1. Search for indicators of compromise in organizational systems; and 2. Detect, track, and disrupt threats that evade existing controls;"
 children = [
- control.guardduty_enabled,
 benchmark.nist_800_53_rev_5_ra_1_a_1,
- benchmark.nist_800_53_rev_5_ra_1_a_2
+ benchmark.nist_800_53_rev_5_ra_1_a_2,
+ control.guardduty_enabled
 ]
 
 tags = merge(local.nist_800_53_rev_5_common_tags, {
@@ -65,19 +65,8 @@ benchmark "nist_800_53_rev_5_ra_3" {
 title = "Risk Assessment (RA-3)"
 description = "Assess risks and magnitude of unauthorized system access, use, disclosure, disruption, modifications, or destruction."
 children = [
- benchmark.nist_800_53_rev_5_ra_3_a_1,
- benchmark.nist_800_53_rev_5_ra_3_4
- ]
-
- tags = local.nist_800_53_rev_5_common_tags
-}
-
-benchmark "nist_800_53_rev_5_ra_3_a_1" {
- title = "RA-3(a)(1)"
- description = "a. Conduct a risk assessment, including: 1. Identifying threats to and vulnerabilities in the system;"
- children = [
- control.guardduty_enabled,
- control.ssm_managed_instance_compliance_patch_compliant
+ benchmark.nist_800_53_rev_5_ra_3_4,
+ benchmark.nist_800_53_rev_5_ra_3_a_1
 ]
 
 tags = local.nist_800_53_rev_5_common_tags
@@ -95,13 +84,23 @@ benchmark "nist_800_53_rev_5_ra_3_4" {
 })
 }
 
+benchmark "nist_800_53_rev_5_ra_3_a_1" {
+ title = "RA-3(a)(1)"
+ description = "a. Conduct a risk assessment, including: 1. Identifying threats to and vulnerabilities in the system;"
+ children = [
+ control.guardduty_enabled,
+ control.ssm_managed_instance_compliance_patch_compliant
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
 benchmark "nist_800_53_rev_5_ra_5" {
 title = "Vulnerability Monitoring And Scanning (RA-5)"
 description = "Employ the following advanced automation and analytics capabilities to predict and identify risks to [Assignment: organization-defined systems or system components]: [Assignment: organization-defined advanced automation and analytics capabilities]."
 children = [
+ benchmark.nist_800_53_rev_5_ra_5_4,
 benchmark.nist_800_53_rev_5_ra_5_a,
- benchmark.nist_800_53_rev_5_ra_5_4
-
 ]
 
 tags = merge(local.nist_800_53_rev_5_common_tags, {
diff --git a/nist_800_53_rev_5/sa.sp b/nist_800_53_rev_5/sa.sp
index d5b79c29..95fe6760 100644
--- a/nist_800_53_rev_5/sa.sp
+++ b/nist_800_53_rev_5/sa.sp
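Review bot: The `description` of `nist_800_53_rev_5_ra_5` (a context line in this hunk) is the text of RA-3(4) Predictive Cyber Analytics — "Employ the following advanced automation and analytics capabilities to predict and identify risks…" — not of RA-5 Vulnerability Monitoring and Scanning, whose catalog text is about monitoring and scanning the system for vulnerabilities and remediating them. The same wording already belongs to `benchmark.nist_800_53_rev_5_ra_3_4` directly above, so this looks like a copy-paste slip that will mislead anyone reading the report. Replacing the string with the RA-5 control text is a one-line change; the re-added `ra_3_a_1` block is otherwise a straight move.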
@@ -60,7 +60,6 @@ benchmark "nist_800_53_rev_5_sa_9_6" {
 })
 }
-
 benchmark "nist_800_53_rev_5_sa_10" {
 title = "Developer Configuration Management (SA-10)"
 description = "The organization requires the developer of the information system, system component, or information system service to: a. Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation]; b. Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management]; c. Implement only organization-approved changes to the system, component, or service; d. Document approved changes to the system, component, or service and the potential security impacts of such changes; and e. Track security flaws and flaw resolution within the system, component, or service and report findings to [Assignment: organization-defined personnel]."
diff --git a/nist_800_53_rev_5/sc.sp b/nist_800_53_rev_5/sc.sp
index 8bfccccd..e9acac18 100644
--- a/nist_800_53_rev_5/sc.sp
+++ b/nist_800_53_rev_5/sc.sp
@@ -24,40 +24,16 @@ benchmark "nist_800_53_rev_5_sc_5" {
 title = "Denial Of Service Protection (SC-5)"
 description = "The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined types of denial of service attacks or reference to source for such information] by employing [Assignment: organization-defined security safeguards]."
 children = [
- benchmark.nist_800_53_rev_5_sc_5_a,
- benchmark.nist_800_53_rev_5_sc_5_b,
 benchmark.nist_800_53_rev_5_sc_5_1,
 benchmark.nist_800_53_rev_5_sc_5_2,
- benchmark.nist_800_53_rev_5_sc_5_3
+ benchmark.nist_800_53_rev_5_sc_5_3,
+ benchmark.nist_800_53_rev_5_sc_5_a,
+ benchmark.nist_800_53_rev_5_sc_5_b,
 ]
 tags = local.nist_800_53_rev_5_common_tags
 }
-benchmark "nist_800_53_rev_5_sc_5_a" {
- title = "SC-5(a)"
- description = "a. [Selection: Protect against; Limit] the effects of the following types of denial-of-service events: [Assignment: organization-defined types of denial-of-service events];"
- children = [
- control.guardduty_enabled
- ]
-
- tags = merge(local.nist_800_53_rev_5_common_tags, {
- service = "AWS/GuardDuty"
- })
-}
-
-benchmark "nist_800_53_rev_5_sc_5_b" {
- title = "SC-5(b)"
- description = "b. Employ the following controls to achieve the denial-of-service objective: [Assignment: organization-defined controls by type of denial-of-service event]."
- children = [
- control.guardduty_enabled
- ]
-
- tags = merge(local.nist_800_53_rev_5_common_tags, {
- service = "AWS/GuardDuty"
- })
-}
-
 benchmark "nist_800_53_rev_5_sc_5_1" {
 title = "SC-5(1) Restrict Ability TO Attack Other Systems"
 description = "Restrict the ability of individuals to launch the following denial-of-service attacks against other systems: [Assignment: organization-defined denial-of-service attacks]."
@@ -74,24 +50,24 @@ benchmark "nist_800_53_rev_5_sc_5_2" {
 title = "SC-5(2) Capacity, Bandwidth, And Redundancy"
 description = "Manage capacity, bandwidth, or other redundancy to limit the effects of information flooding denial-of-service attacks."
 children = [
+ control.dynamodb_table_auto_scaling_enabled,
 control.dynamodb_table_in_backup_plan,
+ control.dynamodb_table_point_in_time_recovery_enabled,
 control.ebs_volume_in_backup_plan,
+ control.ec2_instance_ebs_optimized,
 control.efs_file_system_in_backup_plan,
+ control.elasticache_redis_cluster_automatic_backup_retention_15_days,
+ control.elb_application_lb_deletion_protection_enabled,
 control.elb_classic_lb_cross_zone_load_balancing_enabled,
+ control.rds_db_instance_backup_enabled,
 control.rds_db_instance_deletion_protection_enabled,
+ control.rds_db_instance_multiple_az_enabled,
 control.rds_db_instance_protected_by_backup_plan,
 control.redshift_cluster_automatic_snapshots_min_7_days,
- control.rds_db_instance_backup_enabled,
- control.dynamodb_table_auto_scaling_enabled,
- control.dynamodb_table_point_in_time_recovery_enabled,
- control.ec2_instance_ebs_optimized,
- control.elasticache_redis_cluster_automatic_backup_retention_15_days,
- control.elb_application_lb_deletion_protection_enabled,
- control.rds_db_instance_multiple_az_enabled,
 control.redshift_cluster_maintenance_settings_check,
 control.s3_bucket_cross_region_replication_enabled,
 control.s3_bucket_versioning_enabled,
- control.vpc_vpn_tunnel_up
+ control.vpc_vpn_tunnel_up,
 ]
 tags = local.nist_800_53_rev_5_common_tags
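Review bot: `+ control.vpc_vpn_tunnel_up,` introduces a trailing comma on the last element while the same commit strips trailing commas in other lists of this file (for example `control.vpc_subnet_auto_assign_public_ip_disabled` in SC-7(3)); settle on one convention so alphabetical reorders stop flipping it. On the mapping itself, the backup-plan and point-in-time-recovery checks (`dynamodb_table_in_backup_plan`, `ebs_volume_in_backup_plan`, `efs_file_system_in_backup_plan`, `rds_db_instance_protected_by_backup_plan`, `dynamodb_table_point_in_time_recovery_enabled`) are recovery controls and say nothing about capacity, bandwidth or redundancy against flooding; only the auto-scaling, multi-AZ, cross-zone and EBS-optimized checks speak to SC-5(2). Consider confining this list to those and keeping the backup checks under the backup control family, assuming they are already mapped there.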
@@ -110,6 +86,30 @@ benchmark "nist_800_53_rev_5_sc_5_3" {
 })
 }
+benchmark "nist_800_53_rev_5_sc_5_a" {
+ title = "SC-5(a)"
+ description = "a. [Selection: Protect against; Limit] the effects of the following types of denial-of-service events: [Assignment: organization-defined types of denial-of-service events];"
+ children = [
+ control.guardduty_enabled
+ ]
+
+ tags = merge(local.nist_800_53_rev_5_common_tags, {
+ service = "AWS/GuardDuty"
+ })
+}
+
+benchmark "nist_800_53_rev_5_sc_5_b" {
+ title = "SC-5(b)"
+ description = "b. Employ the following controls to achieve the denial-of-service objective: [Assignment: organization-defined controls by type of denial-of-service event]."
+ children = [
+ control.guardduty_enabled
+ ]
+
+ tags = merge(local.nist_800_53_rev_5_common_tags, {
+ service = "AWS/GuardDuty"
+ })
+}
+
 benchmark "nist_800_53_rev_5_sc_5_3_a" {
 title = "SC-5(3)(a)"
 description = "(a) Employ the following monitoring tools to detect indicators of denial-of-service attacks against, or launched from, the system: [Assignment: organization-defined monitoring tools];"
@@ -138,11 +138,11 @@ benchmark "nist_800_53_rev_5_sc_6" {
 title = "Resource Availability (SC-6)"
 description = "Protect the availability of resources by allocating [Assignment: organization-defined resources] by [Selection (one or more): priority; quota; [Assignment: organization-defined controls]]."
 children = [
- control.elb_classic_lb_cross_zone_load_balancing_enabled,
- control.lambda_function_concurrent_execution_limit_configured,
 control.autoscaling_group_with_lb_use_health_check,
- control.elastic_beanstalk_enhanced_health_reporting_enabled,
 control.dynamodb_table_auto_scaling_enabled,
+ control.elastic_beanstalk_enhanced_health_reporting_enabled,
+ control.elb_classic_lb_cross_zone_load_balancing_enabled,
+ control.lambda_function_concurrent_execution_limit_configured,
 control.rds_db_instance_multiple_az_enabled,
 control.vpc_vpn_tunnel_up
 ]
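Review bot: The relocated `sc_5_a` and `sc_5_b` blocks are inserted between `sc_5_3` and `sc_5_3_a`, which separates SC-5(3) from its (a)/(b) sub-benchmarks; by the sort-by-name rule this commit applies to the child lists they belong after the last `sc_5_3_*` block. Both new blocks assess SC-5(a) ("Protect against / Limit … denial-of-service events") and SC-5(b) with `control.guardduty_enabled` alone, which only detects DoS indicators; if the mod has no preventive DoS control to map yet, say so in the block so a pass is not read as DoS protection, e.g. a comment above `children`: `# Detection-only mapping: GuardDuty flags DoS indicators; no preventive DoS control is mapped yet.` The same comment fits both blocks.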
@@ -154,9 +154,6 @@ benchmark "nist_800_53_rev_5_sc_7" {
 title = "Boundary Protection (SC-7)"
 description = "The information system: a. Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; b. Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and c. Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture."
 children = [
- benchmark.nist_800_53_rev_5_sc_7_a,
- benchmark.nist_800_53_rev_5_sc_7_b,
- benchmark.nist_800_53_rev_5_sc_7_c,
 benchmark.nist_800_53_rev_5_sc_7_2,
 benchmark.nist_800_53_rev_5_sc_7_3,
 benchmark.nist_800_53_rev_5_sc_7_4,
@@ -172,122 +169,36 @@ benchmark "nist_800_53_rev_5_sc_7" {
 benchmark.nist_800_53_rev_5_sc_7_25,
 benchmark.nist_800_53_rev_5_sc_7_26,
 benchmark.nist_800_53_rev_5_sc_7_27,
- benchmark.nist_800_53_rev_5_sc_7_28
+ benchmark.nist_800_53_rev_5_sc_7_28,
+ benchmark.nist_800_53_rev_5_sc_7_a,
+ benchmark.nist_800_53_rev_5_sc_7_b,
+ benchmark.nist_800_53_rev_5_sc_7_c
 ]
 tags = local.nist_800_53_rev_5_common_tags
 }
-benchmark "nist_800_53_rev_5_sc_7_a" {
- title = "SC-7(a)"
- description = "a. Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system;"
+benchmark "nist_800_53_rev_5_sc_7_2" {
+ title = "SC-7(2) Public Access"
+ description = "Provide the capability to dynamically isolate [Assignment: organization-defined system components] from other system components."
 children = [
- control.vpc_security_group_restrict_ingress_ssh_all,
- control.ec2_instance_in_vpc,
 control.dms_replication_instance_not_publicly_accessible,
 control.ebs_snapshot_not_publicly_restorable,
- control.ec2_instance_not_publicly_accessible,
- control.es_domain_in_vpc,
- control.emr_cluster_master_nodes_no_public_ip,
- control.lambda_function_restrict_public_access,
- control.lambda_function_in_vpc,
- control.rds_db_instance_prohibit_public_access,
- control.rds_db_snapshot_prohibit_public_access,
- control.redshift_cluster_prohibit_public_access,
- control.vpc_security_group_restrict_ingress_common_ports_all,
- control.s3_public_access_block_account,
- control.s3_public_access_block_bucket,
- control.s3_bucket_restrict_public_read_access,
- control.s3_bucket_restrict_public_write_access,
- control.sagemaker_notebook_instance_direct_internet_access_disabled,
- control.vpc_subnet_auto_assign_public_ip_disabled,
- control.vpc_default_security_group_restricts_all_traffic,
- control.vpc_security_group_restrict_ingress_tcp_udp_all,
- ]
-
- tags = local.nist_800_53_rev_5_common_tags
-}
-
-benchmark "nist_800_53_rev_5_sc_7_b" {
- title = "SC-7(b)"
- description = "b. Implement subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks;"
- children = [
 control.ec2_instance_in_vpc,
- control.dms_replication_instance_not_publicly_accessible,
- control.ebs_snapshot_not_publicly_restorable,
 control.ec2_instance_not_publicly_accessible,
- control.redshift_cluster_enhanced_vpc_routing_enabled,
- control.es_domain_in_vpc,
 control.emr_cluster_master_nodes_no_public_ip,
- control.lambda_function_restrict_public_access,
- control.lambda_function_in_vpc,
- control.rds_db_instance_prohibit_public_access,
- control.rds_db_snapshot_prohibit_public_access,
- control.redshift_cluster_prohibit_public_access,
- control.s3_public_access_block_account,
- control.s3_public_access_block_bucket,
- control.s3_bucket_restrict_public_read_access,
- control.s3_bucket_restrict_public_write_access,
- control.sagemaker_notebook_instance_direct_internet_access_disabled,
- control.vpc_subnet_auto_assign_public_ip_disabled,
-
- ]
-
- tags = local.nist_800_53_rev_5_common_tags
-}
-
-benchmark "nist_800_53_rev_5_sc_7_c" {
- title = "SC-7(c)"
- description = "c. Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture."
- children = [
- control.vpc_security_group_restrict_ingress_ssh_all,
- control.ec2_instance_in_vpc,
- control.dms_replication_instance_not_publicly_accessible,
- control.ebs_snapshot_not_publicly_restorable,
- control.ec2_instance_not_publicly_accessible,
 control.es_domain_in_vpc,
- control.emr_cluster_master_nodes_no_public_ip,
- control.lambda_function_restrict_public_access,
 control.lambda_function_in_vpc,
+ control.lambda_function_restrict_public_access,
 control.rds_db_instance_prohibit_public_access,
 control.rds_db_snapshot_prohibit_public_access,
 control.redshift_cluster_prohibit_public_access,
- control.vpc_security_group_restrict_ingress_common_ports_all,
- control.s3_public_access_block_account,
- control.s3_public_access_block_bucket,
 control.s3_bucket_restrict_public_read_access,
 control.s3_bucket_restrict_public_write_access,
- control.sagemaker_notebook_instance_direct_internet_access_disabled,
- control.vpc_subnet_auto_assign_public_ip_disabled,
- control.vpc_default_security_group_restricts_all_traffic,
- control.vpc_security_group_restrict_ingress_tcp_udp_all,
-
- ]
-
- tags = local.nist_800_53_rev_5_common_tags
-}
-
-benchmark "nist_800_53_rev_5_sc_7_2" {
- title = "SC-7(2) Public Access"
- description = "Provide the capability to dynamically isolate [Assignment: organization-defined system components] from other system components."
- children = [
- control.ec2_instance_in_vpc,
- control.dms_replication_instance_not_publicly_accessible,
- control.ebs_snapshot_not_publicly_restorable,
- control.ec2_instance_not_publicly_accessible,
- control.es_domain_in_vpc,
- control.emr_cluster_master_nodes_no_public_ip,
- control.lambda_function_restrict_public_access,
- control.lambda_function_in_vpc,
- control.rds_db_instance_prohibit_public_access,
- control.rds_db_snapshot_prohibit_public_access,
- control.redshift_cluster_prohibit_public_access,
 control.s3_public_access_block_account,
 control.s3_public_access_block_bucket,
- control.s3_bucket_restrict_public_read_access,
- control.s3_bucket_restrict_public_write_access,
 control.sagemaker_notebook_instance_direct_internet_access_disabled,
- control.vpc_subnet_auto_assign_public_ip_disabled,
+ control.vpc_subnet_auto_assign_public_ip_disabled
 ]
 tags = local.nist_800_53_rev_5_common_tags
@@ -298,14 +209,14 @@ benchmark "nist_800_53_rev_5_sc_7_3" {
 description = "Limit the number of external network connections to the system."
 children = [
 control.autoscaling_launch_config_public_ip_disabled,
- control.ec2_instance_in_vpc,
 control.dms_replication_instance_not_publicly_accessible,
 control.ebs_snapshot_not_publicly_restorable,
+ control.ec2_instance_in_vpc,
 control.ec2_instance_not_publicly_accessible,
- control.es_domain_in_vpc,
 control.emr_cluster_master_nodes_no_public_ip,
- control.lambda_function_restrict_public_access,
+ control.es_domain_in_vpc,
 control.lambda_function_in_vpc,
+ control.lambda_function_restrict_public_access,
 control.rds_db_instance_prohibit_public_access,
 control.rds_db_snapshot_prohibit_public_access,
 control.redshift_cluster_prohibit_public_access,
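Review bot: The re-emitted `sc_7_2` block pairs `title = "SC-7(2) Public Access"` with a description that is the SC-7(20) text ("Provide the capability to dynamically isolate … from other system components"), so title and description disagree; in SP 800-53 Rev. 5, SC-7(2) is withdrawn (incorporated into SC-7) and that sentence belongs to SC-7(20) Dynamic Isolation and Segregation. Either drop `sc_7_2` from the SC-7 tree or retitle it to the enhancement it actually describes rather than carrying the mismatch forward. Also, the removed SC-7(b) list contained `control.redshift_cluster_enhanced_vpc_routing_enabled`, and the relocated `sc_7_b` definition is not fully visible here, so please confirm that control survives the move. The SC-7 block and the relocated definitions extend beyond this hunk.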
@@ -314,7 +225,7 @@ benchmark "nist_800_53_rev_5_sc_7_3" {
 control.s3_public_access_block_account,
 control.s3_public_access_block_bucket,
 control.sagemaker_notebook_instance_direct_internet_access_disabled,
- control.vpc_subnet_auto_assign_public_ip_disabled,
+ control.vpc_subnet_auto_assign_public_ip_disabled
 ]
 tags = local.nist_800_53_rev_5_common_tags
@@ -335,11 +246,11 @@ benchmark "nist_800_53_rev_5_sc_7_4_b" {
 title = "SC-7(4)(b)"
 description = "(b) Establish a traffic flow policy for each managed interface;"
 children = [
- control.es_domain_node_to_node_encryption_enabled,
- control.elb_classic_lb_use_tls_https_listeners,
- control.elb_application_lb_redirect_http_request_to_https,
 control.apigateway_rest_api_stage_use_ssl_certificate,
+ control.elb_application_lb_redirect_http_request_to_https,
 control.elb_classic_lb_use_ssl_certificate,
+ control.elb_classic_lb_use_tls_https_listeners,
+ control.es_domain_node_to_node_encryption_enabled,
 control.redshift_cluster_encryption_in_transit_enabled,
 control.s3_bucket_enforces_ssl
 ]
@@ -351,11 +262,11 @@ benchmark "nist_800_53_rev_5_sc_7_4_g" {
 title = "SC-7(4)(g)"
 description = "(g) Publish information to enable remote networks to detect unauthorized control plane traffic from internal networks;"
 children = [
- control.es_domain_node_to_node_encryption_enabled,
- control.elb_classic_lb_use_tls_https_listeners,
- control.elb_application_lb_redirect_http_request_to_https,
 control.apigateway_rest_api_stage_use_ssl_certificate,
+ control.elb_application_lb_redirect_http_request_to_https,
 control.elb_classic_lb_use_ssl_certificate,
+ control.elb_classic_lb_use_tls_https_listeners,
+ control.es_domain_node_to_node_encryption_enabled,
 control.redshift_cluster_encryption_in_transit_enabled,
 control.s3_bucket_enforces_ssl
 ]
@@ -367,13 +278,13 @@ benchmark "nist_800_53_rev_5_sc_7_5" {
 title = "SC-7(5) Deny By Default — Allow By Exception"
 description = "Deny network communications traffic by default and allow network communications traffic by exception [Selection (one or more): at managed interfaces; for [Assignment: organization-defined systems]]."
 children = [
- control.vpc_security_group_restrict_ingress_common_ports_all,
- control.vpc_default_security_group_restricts_all_traffic,
- control.vpc_security_group_restrict_ingress_tcp_udp_all,
 control.apigateway_rest_api_stage_use_ssl_certificate,
 control.elb_classic_lb_use_ssl_certificate,
 control.redshift_cluster_encryption_in_transit_enabled,
- control.s3_bucket_enforces_ssl
+ control.s3_bucket_enforces_ssl,
+ control.vpc_default_security_group_restricts_all_traffic,
+ control.vpc_security_group_restrict_ingress_common_ports_all,
+ control.vpc_security_group_restrict_ingress_tcp_udp_all
 ]
 tags = local.nist_800_53_rev_5_common_tags
@@ -383,7 +294,6 @@ benchmark "nist_800_53_rev_5_sc_7_7" {
 title = "SC-7(7) Split Tunneling For Remote Devices"
 description = "Prevent split tunneling for remote devices connecting to organizational systems unless the split tunnel is securely provisioned using [Assignment: organization-defined safeguards]."
 children = [
- control.vpc_security_group_restrict_ingress_ssh_all,
 control.dms_replication_instance_not_publicly_accessible,
 control.ebs_snapshot_not_publicly_restorable,
 control.ec2_instance_not_publicly_accessible,
@@ -392,15 +302,16 @@ benchmark "nist_800_53_rev_5_sc_7_7" {
 control.rds_db_instance_prohibit_public_access,
 control.rds_db_snapshot_prohibit_public_access,
 control.redshift_cluster_prohibit_public_access,
- control.vpc_security_group_restrict_ingress_common_ports_all,
 control.s3_bucket_restrict_public_read_access,
 control.s3_bucket_restrict_public_write_access,
 control.s3_public_access_block_account,
 control.s3_public_access_block_bucket,
 control.sagemaker_notebook_instance_direct_internet_access_disabled,
- control.vpc_subnet_auto_assign_public_ip_disabled,
 control.vpc_default_security_group_restricts_all_traffic,
+ control.vpc_security_group_restrict_ingress_common_ports_all,
+ control.vpc_security_group_restrict_ingress_ssh_all,
 control.vpc_security_group_restrict_ingress_tcp_udp_all,
+ control.vpc_subnet_auto_assign_public_ip_disabled,
 ]
 tags = local.nist_800_53_rev_5_common_tags
@@ -421,14 +332,14 @@ benchmark "nist_800_53_rev_5_sc_7_9_a" {
 title = "SC-7(9)(a)"
 description = "(a) Detect and deny outgoing communications traffic posing a threat to external systems;"
 children = [
- control.ec2_instance_in_vpc,
 control.dms_replication_instance_not_publicly_accessible,
 control.ebs_snapshot_not_publicly_restorable,
+ control.ec2_instance_in_vpc,
 control.ec2_instance_not_publicly_accessible,
- control.es_domain_in_vpc,
 control.emr_cluster_master_nodes_no_public_ip,
- control.lambda_function_restrict_public_access,
+ control.es_domain_in_vpc,
 control.lambda_function_in_vpc,
+ control.lambda_function_restrict_public_access,
 control.rds_db_instance_prohibit_public_access,
 control.rds_db_snapshot_prohibit_public_access,
 control.redshift_cluster_prohibit_public_access,
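Review bot: SC-7(9)(a) asks for detection and denial of outgoing traffic, yet every control under `sc_7_9_a` (the `*_not_publicly_accessible` / `*_prohibit_public_access` checks, `ec2_instance_in_vpc`, `es_domain_in_vpc`, `lambda_function_in_vpc`) evaluates inbound exposure or VPC placement; none inspects egress rules, so the benchmark measures placement rather than egress control. If the mod has no egress-focused control to map, a comment above `children` would keep readers from taking a pass as coverage: `# No egress-filtering control is mapped; these checks only limit public exposure.` The `sc_7_9_a` block continues beyond this hunk.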
@@ -447,16 +358,16 @@ benchmark "nist_800_53_rev_5_sc_7_9_b" {
 title = "SC-7(9)(b)"
 description = "(b) Audit the identity of internal users associated with denied communications."
 children = [
- control.cloudtrail_multi_region_trail_enabled,
- control.wafv2_web_acl_logging_enabled,
 control.apigateway_stage_logging_enabled,
- control.cloudtrail_trail_integrated_with_logs,
- control.cloudtrail_trail_enabled,
+ control.cloudtrail_multi_region_trail_enabled,
 control.cloudtrail_s3_data_events_enabled,
+ control.cloudtrail_trail_enabled,
+ control.cloudtrail_trail_integrated_with_logs,
 control.elb_application_classic_lb_logging_enabled,
 control.rds_db_instance_logging_enabled,
 control.redshift_cluster_encryption_logging_enabled,
- control.s3_bucket_logging_enabled
+ control.s3_bucket_logging_enabled,
+ control.wafv2_web_acl_logging_enabled
 ]
 tags = local.nist_800_53_rev_5_common_tags
@@ -466,27 +377,27 @@ benchmark "nist_800_53_rev_5_sc_7_11" {
 title = "SC-7(11) Restrict Incoming communications Traffic"
 description = "Only allow incoming communications from [Assignment: organization-defined authorized sources] to be routed to [Assignment: organization-defined authorized destinations]."
 children = [
- control.vpc_security_group_restrict_ingress_ssh_all,
- control.ec2_instance_in_vpc,
 control.dms_replication_instance_not_publicly_accessible,
 control.ebs_snapshot_not_publicly_restorable,
+ control.ec2_instance_in_vpc,
 control.ec2_instance_not_publicly_accessible,
- control.es_domain_in_vpc,
 control.emr_cluster_master_nodes_no_public_ip,
- control.lambda_function_restrict_public_access,
+ control.es_domain_in_vpc,
 control.lambda_function_in_vpc,
+ control.lambda_function_restrict_public_access,
 control.rds_db_instance_prohibit_public_access,
 control.rds_db_snapshot_prohibit_public_access,
 control.redshift_cluster_prohibit_public_access,
- control.vpc_security_group_restrict_ingress_common_ports_all,
 control.s3_bucket_restrict_public_read_access,
 control.s3_bucket_restrict_public_write_access,
 control.s3_public_access_block_account,
 control.s3_public_access_block_bucket,
 control.sagemaker_notebook_instance_direct_internet_access_disabled,
- control.vpc_subnet_auto_assign_public_ip_disabled,
 control.vpc_default_security_group_restricts_all_traffic,
+ control.vpc_security_group_restrict_ingress_common_ports_all,
+ control.vpc_security_group_restrict_ingress_ssh_all,
 control.vpc_security_group_restrict_ingress_tcp_udp_all,
+ control.vpc_subnet_auto_assign_public_ip_disabled
 ]
 tags = local.nist_800_53_rev_5_common_tags
@@ -496,27 +407,27 @@ benchmark "nist_800_53_rev_5_sc_7_12" {
 title = "SC-7(12) Host-Based Protection"
 description = "Implement [Assignment: organization-defined host-based boundary protection mechanisms] at [Assignment: organization-defined system components]."
 children = [
- control.vpc_security_group_restrict_ingress_ssh_all,
- control.ec2_instance_in_vpc,
 control.acm_certificate_expires_30_days,
 control.dms_replication_instance_not_publicly_accessible,
 control.ebs_snapshot_not_publicly_restorable,
+ control.ec2_instance_in_vpc,
 control.ec2_instance_not_publicly_accessible,
- control.es_domain_in_vpc,
 control.emr_cluster_master_nodes_no_public_ip,
- control.lambda_function_restrict_public_access,
+ control.es_domain_in_vpc,
 control.lambda_function_in_vpc,
+ control.lambda_function_restrict_public_access,
 control.rds_db_instance_prohibit_public_access,
 control.rds_db_snapshot_prohibit_public_access,
 control.redshift_cluster_prohibit_public_access,
- control.vpc_security_group_restrict_ingress_common_ports_all,
 control.s3_bucket_restrict_public_read_access,
 control.s3_bucket_restrict_public_write_access,
 control.s3_public_access_block_account,
 control.sagemaker_notebook_instance_direct_internet_access_disabled,
- control.vpc_subnet_auto_assign_public_ip_disabled,
 control.vpc_default_security_group_restricts_all_traffic,
+ control.vpc_security_group_restrict_ingress_common_ports_all,
+ control.vpc_security_group_restrict_ingress_ssh_all,
 control.vpc_security_group_restrict_ingress_tcp_udp_all,
+ control.vpc_subnet_auto_assign_public_ip_disabled
 ]
 tags = local.nist_800_53_rev_5_common_tags
@@ -526,27 +437,27 @@ benchmark "nist_800_53_rev_5_sc_7_16" {
 title = "SC-7(16) Prevent Discovery Of System Components"
 description = "Prevent the discovery of specific system components that represent a managed interface."
 children = [
- control.vpc_security_group_restrict_ingress_ssh_all,
- control.ec2_instance_in_vpc,
 control.acm_certificate_expires_30_days,
 control.dms_replication_instance_not_publicly_accessible,
 control.ebs_snapshot_not_publicly_restorable,
+ control.ec2_instance_in_vpc,
 control.ec2_instance_not_publicly_accessible,
- control.es_domain_in_vpc,
 control.emr_cluster_master_nodes_no_public_ip,
- control.lambda_function_restrict_public_access,
+ control.es_domain_in_vpc,
 control.lambda_function_in_vpc,
+ control.lambda_function_restrict_public_access,
 control.rds_db_instance_prohibit_public_access,
 control.rds_db_snapshot_prohibit_public_access,
 control.redshift_cluster_prohibit_public_access,
- control.vpc_security_group_restrict_ingress_common_ports_all,
 control.s3_bucket_restrict_public_read_access,
 control.s3_bucket_restrict_public_write_access,
 control.s3_public_access_block_account,
 control.sagemaker_notebook_instance_direct_internet_access_disabled,
- control.vpc_subnet_auto_assign_public_ip_disabled,
 control.vpc_default_security_group_restricts_all_traffic,
+ control.vpc_security_group_restrict_ingress_common_ports_all,
+ control.vpc_security_group_restrict_ingress_ssh_all,
 control.vpc_security_group_restrict_ingress_tcp_udp_all,
+ control.vpc_subnet_auto_assign_public_ip_disabled
 ]
 tags = local.nist_800_53_rev_5_common_tags
@@ -556,23 +467,23 @@ benchmark "nist_800_53_rev_5_sc_7_20" {
 title = "SC-7(20) Prevent Discovery Of System Components"
 description = "Prevent the discovery of specific system components that represent a managed interface."
 children = [
- control.ec2_instance_in_vpc,
 control.dms_replication_instance_not_publicly_accessible,
 control.ebs_snapshot_not_publicly_restorable,
+ control.ec2_instance_in_vpc,
 control.ec2_instance_not_publicly_accessible,
- control.es_domain_in_vpc,
 control.emr_cluster_master_nodes_no_public_ip,
- control.lambda_function_restrict_public_access,
+ control.es_domain_in_vpc,
 control.lambda_function_in_vpc,
+ control.lambda_function_restrict_public_access,
 control.rds_db_instance_prohibit_public_access,
 control.rds_db_snapshot_prohibit_public_access,
 control.redshift_cluster_prohibit_public_access,
- control.s3_public_access_block_account,
- control.s3_public_access_block_bucket,
 control.s3_bucket_restrict_public_read_access,
 control.s3_bucket_restrict_public_write_access,
+ control.s3_public_access_block_account,
+ control.s3_public_access_block_bucket,
 control.sagemaker_notebook_instance_direct_internet_access_disabled,
- control.vpc_subnet_auto_assign_public_ip_disabled,
+ control.vpc_subnet_auto_assign_public_ip_disabled
 ]
 tags = local.nist_800_53_rev_5_common_tags
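Review bot: `sc_7_20` carries the title and description of SC-7(16) ("Prevent Discovery Of System Components" / "Prevent the discovery of specific system components that represent a managed interface."), duplicating `sc_7_16` two blocks up, whereas SC-7(20) in Rev. 5 is Dynamic Isolation and Segregation. Those two lines are unchanged context here, but since this commit already rewrites the block's child list the mislabel should go with it: `title = "SC-7(20) Dynamic Isolation And Segregation"` and `description = "Provide the capability to dynamically isolate [Assignment: organization-defined system components] from other system components."`. Whether the present public-exposure controls actually evidence dynamic isolation is a separate mapping question I have not assessed.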
@@ -582,27 +493,27 @@ benchmark "nist_800_53_rev_5_sc_7_21" {
 title = "SC-7(21) Isolation Of System Components"
 description = "Employ boundary protection mechanisms to isolate [Assignment: organization-defined system components] supporting [Assignment: organization-defined missions and/or business functions]."
 children = [
- control.vpc_security_group_restrict_ingress_ssh_all,
- control.ec2_instance_in_vpc,
 control.dms_replication_instance_not_publicly_accessible,
 control.ebs_snapshot_not_publicly_restorable,
+ control.ec2_instance_in_vpc,
 control.ec2_instance_not_publicly_accessible,
- control.es_domain_in_vpc,
 control.emr_cluster_master_nodes_no_public_ip,
+ control.es_domain_in_vpc,
 control.lambda_function_in_vpc,
 control.lambda_function_restrict_public_access,
 control.rds_db_instance_prohibit_public_access,
 control.rds_db_snapshot_prohibit_public_access,
 control.redshift_cluster_prohibit_public_access,
- control.vpc_security_group_restrict_ingress_common_ports_all,
- control.s3_public_access_block_account,
- control.s3_public_access_block_bucket,
 control.s3_bucket_restrict_public_read_access,
 control.s3_bucket_restrict_public_write_access,
+ control.s3_public_access_block_account,
+ control.s3_public_access_block_bucket,
 control.sagemaker_notebook_instance_direct_internet_access_disabled,
- control.vpc_subnet_auto_assign_public_ip_disabled,
 control.vpc_default_security_group_restricts_all_traffic,
+ control.vpc_security_group_restrict_ingress_common_ports_all,
+ control.vpc_security_group_restrict_ingress_ssh_all,
 control.vpc_security_group_restrict_ingress_tcp_udp_all,
+ control.vpc_subnet_auto_assign_public_ip_disabled
 ]
 tags = local.nist_800_53_rev_5_common_tags
@@ -622,37 +533,114 @@ benchmark "nist_800_53_rev_5_sc_7_24_b" {
 title = "SC-7(24)(b)"
 description = "For systems that process personally identifiable information: (b) Monitor for permitted processing at the external interfaces to the system and at key internal boundaries within the system;"
 children = [
- control.vpc_security_group_restrict_ingress_ssh_all,
- control.ec2_instance_in_vpc,
 control.dms_replication_instance_not_publicly_accessible,
 control.ebs_snapshot_not_publicly_restorable,
+ control.ec2_instance_in_vpc,
 control.ec2_instance_not_publicly_accessible,
- control.es_domain_in_vpc,
 control.emr_cluster_master_nodes_no_public_ip,
+ control.es_domain_in_vpc,
 control.lambda_function_in_vpc,
 control.lambda_function_restrict_public_access,
 control.rds_db_instance_prohibit_public_access,
 control.rds_db_snapshot_prohibit_public_access,
 control.redshift_cluster_prohibit_public_access,
+ control.s3_bucket_restrict_public_read_access,
+ control.s3_bucket_restrict_public_write_access,
+ control.s3_public_access_block_account,
+ control.s3_public_access_block_bucket,
+ control.sagemaker_notebook_instance_direct_internet_access_disabled,
+ control.vpc_default_security_group_restricts_all_traffic,
 control.vpc_security_group_restrict_ingress_common_ports_all,
+ control.vpc_security_group_restrict_ingress_ssh_all,
+ control.vpc_security_group_restrict_ingress_tcp_udp_all,
+ control.vpc_subnet_auto_assign_public_ip_disabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_sc_7_25" {
+ title = "SC-7(25) Unclassified National Security System Connections"
+ description = "Prohibit the direct connection of [Assignment: organization-defined unclassified national security system] to an external network without the use of [Assignment: organization-defined boundary protection device]."
+ children = [
+ control.dms_replication_instance_not_publicly_accessible,
+ control.ebs_snapshot_not_publicly_restorable,
+ control.ec2_instance_not_publicly_accessible,
+ control.emr_cluster_master_nodes_no_public_ip,
+ control.lambda_function_restrict_public_access,
+ control.rds_db_instance_prohibit_public_access,
+ control.rds_db_snapshot_prohibit_public_access,
+ control.redshift_cluster_prohibit_public_access,
+ control.s3_bucket_restrict_public_read_access,
+ control.s3_bucket_restrict_public_write_access,
+ control.s3_public_access_block_account,
+ control.s3_public_access_block_bucket,
+ control.sagemaker_notebook_instance_direct_internet_access_disabled,
+ control.vpc_default_security_group_restricts_all_traffic,
+ control.vpc_security_group_restrict_ingress_common_ports_all,
+ control.vpc_security_group_restrict_ingress_ssh_all,
+ control.vpc_subnet_auto_assign_public_ip_disabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_sc_7_26" {
+ title = "SC-7(26) Classified National Security System Connections"
+ description = "Prohibit the direct connection of a classified national security system to an external network without the use of [Assignment: organization-defined boundary protection device]."
+ children = [
+ control.dms_replication_instance_not_publicly_accessible,
+ control.ebs_snapshot_not_publicly_restorable,
+ control.ec2_instance_not_publicly_accessible,
+ control.emr_cluster_master_nodes_no_public_ip,
+ control.lambda_function_restrict_public_access,
+ control.rds_db_instance_prohibit_public_access,
+ control.rds_db_snapshot_prohibit_public_access,
+ control.redshift_cluster_prohibit_public_access,
+ control.s3_bucket_restrict_public_read_access,
+ control.s3_bucket_restrict_public_write_access,
 control.s3_public_access_block_account,
 control.s3_public_access_block_bucket,
+ control.sagemaker_notebook_instance_direct_internet_access_disabled,
+ control.vpc_default_security_group_restricts_all_traffic,
+ control.vpc_security_group_restrict_ingress_common_ports_all,
+ control.vpc_security_group_restrict_ingress_ssh_all,
+ control.vpc_subnet_auto_assign_public_ip_disabled
+ ]
+
+ tags = local.nist_800_53_rev_5_common_tags
+}
+
+benchmark "nist_800_53_rev_5_sc_7_27" {
+ title = "SC-7(27) Unclassified Non-National Security System Connections"
+ description = "Prohibit the direct connection of [Assignment: organization-defined unclassified non-national security system] to an external network without the use of [Assignment: organization-defined boundary protection device]."
+ children = [
+ control.dms_replication_instance_not_publicly_accessible,
+ control.ebs_snapshot_not_publicly_restorable,
+ control.ec2_instance_not_publicly_accessible,
+ control.emr_cluster_master_nodes_no_public_ip,
+ control.lambda_function_restrict_public_access,
+ control.rds_db_instance_prohibit_public_access,
+ control.rds_db_snapshot_prohibit_public_access,
+ control.redshift_cluster_prohibit_public_access,
 control.s3_bucket_restrict_public_read_access,
 control.s3_bucket_restrict_public_write_access,
+ control.s3_public_access_block_account,
+ control.s3_public_access_block_bucket,
 control.sagemaker_notebook_instance_direct_internet_access_disabled,
- control.vpc_subnet_auto_assign_public_ip_disabled,
 control.vpc_default_security_group_restricts_all_traffic,
- control.vpc_security_group_restrict_ingress_tcp_udp_all,
+ control.vpc_security_group_restrict_ingress_common_ports_all,
+ control.vpc_security_group_restrict_ingress_ssh_all,
+ control.vpc_subnet_auto_assign_public_ip_disabled,
 ]
 tags = local.nist_800_53_rev_5_common_tags
 }
-benchmark "nist_800_53_rev_5_sc_7_25" {
- title = "SC-7(25) Unclassified National Security System Connections"
- description = "Prohibit the direct connection of [Assignment: organization-defined unclassified national security system] to an external network without the use of [Assignment: organization-defined boundary protection device]."
+benchmark "nist_800_53_rev_5_sc_7_28" {
+ title = "SC-7(28) Connections To Public Networks"
+ description = "Prohibit the direct connection of [Assignment: organization-defined system] to a public network."
 children = [
- control.vpc_security_group_restrict_ingress_ssh_all,
 control.dms_replication_instance_not_publicly_accessible,
 control.ebs_snapshot_not_publicly_restorable,
 control.ec2_instance_not_publicly_accessible,
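Review bot: Within this one hunk the new `sc_7_27` list ends with `control.vpc_subnet_auto_assign_public_ip_disabled,` (trailing comma) while the new `sc_7_25` and `sc_7_26` lists end on the same element without one; the three sibling blocks should agree. The three are otherwise identical control lists differing only in title, and they all omit `control.vpc_security_group_restrict_ingress_tcp_udp_all` that `sc_7_24_b` in the same hunk includes; I cannot tell from the diff whether that omission is deliberate, so a one-line comment above each `children` saying the SC-7(25)–(27) mapping is intentionally shared would save the next reader the same question. The `sc_7_28` block begun at the end of this hunk continues outside it.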
@@ -661,92 +649,102 @@ benchmark "nist_800_53_rev_5_sc_7_25" { control.rds_db_instance_prohibit_public_access, control.rds_db_snapshot_prohibit_public_access, control.redshift_cluster_prohibit_public_access, - control.vpc_security_group_restrict_ingress_common_ports_all, - control.s3_public_access_block_account, - control.s3_public_access_block_bucket, control.s3_bucket_restrict_public_read_access, control.s3_bucket_restrict_public_write_access, + control.s3_public_access_block_account, + control.s3_public_access_block_bucket, control.sagemaker_notebook_instance_direct_internet_access_disabled, - control.vpc_subnet_auto_assign_public_ip_disabled, control.vpc_default_security_group_restricts_all_traffic, + control.vpc_security_group_restrict_ingress_common_ports_all, + control.vpc_security_group_restrict_ingress_ssh_all, + control.vpc_subnet_auto_assign_public_ip_disabled ] tags = local.nist_800_53_rev_5_common_tags } -benchmark "nist_800_53_rev_5_sc_7_26" { - title = "SC-7(26) Classified National Security System Connections" - description = "Prohibit the direct connection of a classified national security system to an external network without the use of [Assignment: organization-defined boundary protection device]." +benchmark "nist_800_53_rev_5_sc_7_a" { + title = "SC-7(a)" + description = "a. 
Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system;" children = [ - control.vpc_security_group_restrict_ingress_ssh_all, control.dms_replication_instance_not_publicly_accessible, control.ebs_snapshot_not_publicly_restorable, + control.ec2_instance_in_vpc, control.ec2_instance_not_publicly_accessible, control.emr_cluster_master_nodes_no_public_ip, + control.es_domain_in_vpc, + control.lambda_function_in_vpc, control.lambda_function_restrict_public_access, control.rds_db_instance_prohibit_public_access, control.rds_db_snapshot_prohibit_public_access, control.redshift_cluster_prohibit_public_access, - control.vpc_security_group_restrict_ingress_common_ports_all, - control.s3_public_access_block_account, - control.s3_public_access_block_bucket, control.s3_bucket_restrict_public_read_access, control.s3_bucket_restrict_public_write_access, + control.s3_public_access_block_account, + control.s3_public_access_block_bucket, control.sagemaker_notebook_instance_direct_internet_access_disabled, - control.vpc_subnet_auto_assign_public_ip_disabled, control.vpc_default_security_group_restricts_all_traffic, + control.vpc_security_group_restrict_ingress_common_ports_all, + control.vpc_security_group_restrict_ingress_ssh_all, + control.vpc_security_group_restrict_ingress_tcp_udp_all, + control.vpc_subnet_auto_assign_public_ip_disabled ] tags = local.nist_800_53_rev_5_common_tags } -benchmark "nist_800_53_rev_5_sc_7_27" { - title = "SC-7(27) Unclassified Non-National Security System Connections" - description = "Prohibit the direct connection of [Assignment: organization-defined unclassified non-national security system] to an external network without the use of [Assignment: organization-defined boundary protection device]." +benchmark "nist_800_53_rev_5_sc_7_b" { + title = "SC-7(b)" + description = "b. 
Implement subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks;" children = [ - control.vpc_security_group_restrict_ingress_ssh_all, control.dms_replication_instance_not_publicly_accessible, control.ebs_snapshot_not_publicly_restorable, + control.ec2_instance_in_vpc, control.ec2_instance_not_publicly_accessible, control.emr_cluster_master_nodes_no_public_ip, + control.es_domain_in_vpc, + control.lambda_function_in_vpc, control.lambda_function_restrict_public_access, control.rds_db_instance_prohibit_public_access, control.rds_db_snapshot_prohibit_public_access, + control.redshift_cluster_enhanced_vpc_routing_enabled, control.redshift_cluster_prohibit_public_access, - control.vpc_security_group_restrict_ingress_common_ports_all, - control.s3_public_access_block_account, - control.s3_public_access_block_bucket, control.s3_bucket_restrict_public_read_access, control.s3_bucket_restrict_public_write_access, + control.s3_public_access_block_account, + control.s3_public_access_block_bucket, control.sagemaker_notebook_instance_direct_internet_access_disabled, - control.vpc_subnet_auto_assign_public_ip_disabled, - control.vpc_default_security_group_restricts_all_traffic, + control.vpc_subnet_auto_assign_public_ip_disabled ] tags = local.nist_800_53_rev_5_common_tags } -benchmark "nist_800_53_rev_5_sc_7_28" { - title = "SC-7(28) Connections To Public Networks" - description = "Prohibit the direct connection of [Assignment: organization-defined system] to a public network." +benchmark "nist_800_53_rev_5_sc_7_c" { + title = "SC-7(c)" + description = "c. Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture." 
children = [ - control.vpc_security_group_restrict_ingress_ssh_all, control.dms_replication_instance_not_publicly_accessible, control.ebs_snapshot_not_publicly_restorable, + control.ec2_instance_in_vpc, control.ec2_instance_not_publicly_accessible, control.emr_cluster_master_nodes_no_public_ip, + control.es_domain_in_vpc, + control.lambda_function_in_vpc, control.lambda_function_restrict_public_access, control.rds_db_instance_prohibit_public_access, control.rds_db_snapshot_prohibit_public_access, control.redshift_cluster_prohibit_public_access, - control.vpc_security_group_restrict_ingress_common_ports_all, - control.s3_public_access_block_account, - control.s3_public_access_block_bucket, control.s3_bucket_restrict_public_read_access, control.s3_bucket_restrict_public_write_access, + control.s3_public_access_block_account, + control.s3_public_access_block_bucket, control.sagemaker_notebook_instance_direct_internet_access_disabled, - control.vpc_subnet_auto_assign_public_ip_disabled, control.vpc_default_security_group_restricts_all_traffic, + control.vpc_security_group_restrict_ingress_common_ports_all, + control.vpc_security_group_restrict_ingress_ssh_all, + control.vpc_security_group_restrict_ingress_tcp_udp_all, + control.vpc_subnet_auto_assign_public_ip_disabled ] tags = local.nist_800_53_rev_5_common_tags 
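Review bot: This hunk deletes the definition of `nist_800_53_rev_5_sc_7_26` (the preceding hunk deleted `sc_7_25`) and introduces `sc_7_a`, `sc_7_b` and `sc_7_c`, but the parent `nist_800_53_rev_5_sc_7` benchmark that lists these as `children` is outside the hunk; if it still references `benchmark.nist_800_53_rev_5_sc_7_25` or `_26`, or does not yet reference the three new blocks, the mod would presumably fail to load on the dangling reference, so please confirm that list was updated in the same change. Within the new `sc_7_b` block, `control.vpc_default_security_group_restricts_all_traffic` is explicitly removed and the two `vpc_security_group_restrict_ingress_*` controls are not carried over, whereas `sc_7_a` and `sc_7_c` keep all three; if SC-7(b)'s subnet-separation requirement is meant to exclude security-group checks that is defensible, but the asymmetry looks accidental and deserves a confirming comment above `children`. The `sc_7_c` block's closing brace lies beyond the end of the hunk.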
@@ -758,13 +756,14 @@ benchmark "nist_800_53_rev_5_sc_8" { children = [ benchmark.nist_800_53_rev_5_sc_8_1, benchmark.nist_800_53_rev_5_sc_8_2, - benchmark.nist_800_53_rev_5_sc_8_3,benchmark.nist_800_53_rev_5_sc_8_4, + benchmark.nist_800_53_rev_5_sc_8_3, + benchmark.nist_800_53_rev_5_sc_8_4, benchmark.nist_800_53_rev_5_sc_8_5, - control.es_domain_node_to_node_encryption_enabled, - control.elb_classic_lb_use_tls_https_listeners, - control.elb_application_lb_redirect_http_request_to_https, control.apigateway_rest_api_stage_use_ssl_certificate, + control.elb_application_lb_redirect_http_request_to_https, control.elb_classic_lb_use_ssl_certificate, + control.elb_classic_lb_use_tls_https_listeners, + control.es_domain_node_to_node_encryption_enabled, control.redshift_cluster_encryption_in_transit_enabled, control.s3_bucket_enforces_ssl ] @@ -776,12 +775,12 @@ benchmark "nist_800_53_rev_5_sc_8_1" { title = "SC-8(1) Cryptographic Protection" description = "Implement cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission." children = [ - control.es_domain_node_to_node_encryption_enabled, - control.elb_application_network_lb_use_ssl_certificate, - control.elb_classic_lb_use_tls_https_listeners, - control.elb_application_lb_redirect_http_request_to_https, control.apigateway_rest_api_stage_use_ssl_certificate, + control.elb_application_lb_redirect_http_request_to_https, + control.elb_application_network_lb_use_ssl_certificate, control.elb_classic_lb_use_ssl_certificate, + control.elb_classic_lb_use_tls_https_listeners, + control.es_domain_node_to_node_encryption_enabled, control.redshift_cluster_encryption_in_transit_enabled, control.s3_bucket_enforces_ssl ] 
@@ -793,11 +792,11 @@ benchmark "nist_800_53_rev_5_sc_8_2" { title = "SC-8(2) Pre- And Post-Transmission Handling" description = "Maintain the [Selection (one or more): confidentiality; integrity] of information during preparation for transmission and during reception." children = [ - control.es_domain_node_to_node_encryption_enabled, - control.elb_classic_lb_use_tls_https_listeners, - control.elb_application_lb_redirect_http_request_to_https, control.apigateway_rest_api_stage_use_ssl_certificate, + control.elb_application_lb_redirect_http_request_to_https, control.elb_classic_lb_use_ssl_certificate, + control.elb_classic_lb_use_tls_https_listeners, + control.es_domain_node_to_node_encryption_enabled, control.redshift_cluster_encryption_in_transit_enabled, control.s3_bucket_enforces_ssl ] 
@@ -809,31 +808,31 @@ benchmark "nist_800_53_rev_5_sc_8_3" { title = "SC-8(3) Cryptographic Protection For Message Externals" description = "Implement cryptographic mechanisms to protect message externals unless otherwise protected by [Assignment: organization-defined alternative physical controls]." children = [ - control.dynamodb_table_encrypted_with_kms_cmk, - control.ec2_ebs_default_encryption_enabled, - control.es_domain_node_to_node_encryption_enabled, - control.elb_classic_lb_use_tls_https_listeners, - control.secretsmanager_secret_encrypted_with_kms_cmk, - control.rds_db_snapshot_encrypted_at_rest, - control.s3_bucket_default_encryption_enabled_kms, - control.sagemaker_notebook_instance_encryption_at_rest_enabled, - control.sns_topic_encrypted_at_rest, - control.elb_application_lb_redirect_http_request_to_https, - control.apigateway_stage_cache_encryption_at_rest_enabled, control.apigateway_rest_api_stage_use_ssl_certificate, + control.apigateway_stage_cache_encryption_at_rest_enabled, control.cloudtrail_trail_logs_encrypted_with_kms_cmk, - control.log_group_encryption_at_rest_enabled, + control.dynamodb_table_encrypted_with_kms_cmk, + control.ebs_attached_volume_encryption_enabled, + control.ec2_ebs_default_encryption_enabled, control.efs_file_system_encrypt_data_at_rest, - control.es_domain_encryption_at_rest_enabled, + control.elb_application_lb_redirect_http_request_to_https, control.elb_classic_lb_use_ssl_certificate, - control.ebs_attached_volume_encryption_enabled, + control.elb_classic_lb_use_tls_https_listeners, + control.es_domain_encryption_at_rest_enabled, + control.es_domain_node_to_node_encryption_enabled, + control.log_group_encryption_at_rest_enabled, control.rds_db_instance_encryption_at_rest_enabled, + control.rds_db_snapshot_encrypted_at_rest, + control.redshift_cluster_encryption_in_transit_enabled, control.redshift_cluster_encryption_logging_enabled, control.redshift_cluster_kms_enabled, - 
control.redshift_cluster_encryption_in_transit_enabled, - control.s3_bucket_enforces_ssl, + control.s3_bucket_default_encryption_enabled_kms, control.s3_bucket_default_encryption_enabled, - control.sagemaker_endpoint_configuration_encryption_at_rest_enabled + control.s3_bucket_enforces_ssl, + control.sagemaker_endpoint_configuration_encryption_at_rest_enabled, + control.sagemaker_notebook_instance_encryption_at_rest_enabled, + control.secretsmanager_secret_encrypted_with_kms_cmk, + control.sns_topic_encrypted_at_rest ] tags = local.nist_800_53_rev_5_common_tags 
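Review bot: The re-sorted `children` of `nist_800_53_rev_5_sc_8_3` ("Cryptographic Protection For Message Externals", an SC-8 transmission-protection control) are dominated by at-rest encryption controls — `ec2_ebs_default_encryption_enabled`, `efs_file_system_encrypt_data_at_rest`, `dynamodb_table_encrypted_with_kms_cmk`, `sns_topic_encrypted_at_rest`, `log_group_encryption_at_rest_enabled` and similar — which do not evidence protection of message headers or routing information while in transit. The commit only reorders the list, but since every entry is rewritten this is the moment to check whether those controls belong here or only under the at-rest control `sc_28_1`, which carries the same set later in this diff; the identical list is repeated in `sc_8_4` in the next hunk. If the mapping is deliberate, a one-line comment above `children` stating why at-rest controls are included would save the next reader the same question.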
@@ -843,31 +842,31 @@ benchmark "nist_800_53_rev_5_sc_8_4" { title = "SC-8(4) Conceal Or Ramdomize Communications" description = "Implement cryptographic mechanisms to conceal or randomize communication patterns unless otherwise protected by [Assignment: organization-defined alternative physical controls]." children = [ - control.dynamodb_table_encrypted_with_kms_cmk, - control.ec2_ebs_default_encryption_enabled, - control.es_domain_node_to_node_encryption_enabled, - control.elb_classic_lb_use_tls_https_listeners, - control.rds_db_snapshot_encrypted_at_rest, - control.secretsmanager_secret_encrypted_with_kms_cmk, - control.s3_bucket_default_encryption_enabled_kms, - control.sagemaker_notebook_instance_encryption_at_rest_enabled, - control.sns_topic_encrypted_at_rest, - control.elb_application_lb_redirect_http_request_to_https, - control.apigateway_stage_cache_encryption_at_rest_enabled, control.apigateway_rest_api_stage_use_ssl_certificate, + control.apigateway_stage_cache_encryption_at_rest_enabled, control.cloudtrail_trail_logs_encrypted_with_kms_cmk, - control.log_group_encryption_at_rest_enabled, + control.dynamodb_table_encrypted_with_kms_cmk, + control.ebs_attached_volume_encryption_enabled, + control.ec2_ebs_default_encryption_enabled, control.efs_file_system_encrypt_data_at_rest, - control.es_domain_encryption_at_rest_enabled, + control.elb_application_lb_redirect_http_request_to_https, control.elb_classic_lb_use_ssl_certificate, - control.ebs_attached_volume_encryption_enabled, + control.elb_classic_lb_use_tls_https_listeners, + control.es_domain_encryption_at_rest_enabled, + control.es_domain_node_to_node_encryption_enabled, + control.log_group_encryption_at_rest_enabled, control.rds_db_instance_encryption_at_rest_enabled, + control.rds_db_snapshot_encrypted_at_rest, + control.redshift_cluster_encryption_in_transit_enabled, control.redshift_cluster_encryption_logging_enabled, control.redshift_cluster_kms_enabled, - 
control.redshift_cluster_encryption_in_transit_enabled, + control.s3_bucket_default_encryption_enabled_kms, control.s3_bucket_default_encryption_enabled, control.s3_bucket_enforces_ssl, - control.sagemaker_endpoint_configuration_encryption_at_rest_enabled + control.sagemaker_endpoint_configuration_encryption_at_rest_enabled, + control.sagemaker_notebook_instance_encryption_at_rest_enabled, + control.secretsmanager_secret_encrypted_with_kms_cmk, + control.sns_topic_encrypted_at_rest ] tags = local.nist_800_53_rev_5_common_tags @@ -877,11 +876,11 @@ benchmark "nist_800_53_rev_5_sc_8_5" { title = "SC-8(5) Protected Distribution System" description = "Implement [Assignment: organization-defined protected distribution system] to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission." children = [ - control.es_domain_node_to_node_encryption_enabled, - control.elb_classic_lb_use_tls_https_listeners, - control.elb_application_lb_redirect_http_request_to_https, control.apigateway_rest_api_stage_use_ssl_certificate, + control.elb_application_lb_redirect_http_request_to_https, control.elb_classic_lb_use_ssl_certificate, + control.elb_classic_lb_use_tls_https_listeners, + control.es_domain_node_to_node_encryption_enabled, control.redshift_cluster_encryption_in_transit_enabled, control.s3_bucket_enforces_ssl ] 
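Review bot: The `title` of `nist_800_53_rev_5_sc_8_4` on this hunk's context line misspells "Randomize" as `Ramdomize`; since the whole block is being rewritten, change it to `title = "SC-8(4) Conceal Or Randomize Communications"`. The title is what surfaces in benchmark output, so the typo is visible in every report that includes this control.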
@@ -893,10 +892,10 @@ benchmark "nist_800_53_rev_5_sc_12" { title = "Cryptographic Key Establishment And Management (SC-12)" description = "Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction]." children = [ - control.kms_cmk_rotation_enabled, - control.kms_key_not_pending_deletion, benchmark.nist_800_53_rev_5_sc_12_2, - benchmark.nist_800_53_rev_5_sc_12_6 + benchmark.nist_800_53_rev_5_sc_12_6, + control.kms_cmk_rotation_enabled, + control.kms_key_not_pending_deletion ] tags = merge(local.nist_800_53_rev_5_common_tags, { 
@@ -944,31 +943,31 @@ benchmark "nist_800_53_rev_5_sc_13_a" { title = "SC-13(a)" description = "a. Determine the [Assignment: organization-defined cryptographic uses];" children = [ - control.dynamodb_table_encrypted_with_kms_cmk, - control.ec2_ebs_default_encryption_enabled, - control.es_domain_node_to_node_encryption_enabled, - control.secretsmanager_secret_encrypted_with_kms_cmk, - control.elb_classic_lb_use_tls_https_listeners, - control.rds_db_snapshot_encrypted_at_rest, - control.s3_bucket_default_encryption_enabled_kms, - control.sagemaker_notebook_instance_encryption_at_rest_enabled, - control.sns_topic_encrypted_at_rest, - control.elb_application_lb_redirect_http_request_to_https, - control.apigateway_stage_cache_encryption_at_rest_enabled, control.apigateway_rest_api_stage_use_ssl_certificate, + control.apigateway_stage_cache_encryption_at_rest_enabled, control.cloudtrail_trail_logs_encrypted_with_kms_cmk, - control.log_group_encryption_at_rest_enabled, + control.dynamodb_table_encrypted_with_kms_cmk, + control.ebs_attached_volume_encryption_enabled, + control.ec2_ebs_default_encryption_enabled, control.efs_file_system_encrypt_data_at_rest, - control.es_domain_encryption_at_rest_enabled, + control.elb_application_lb_redirect_http_request_to_https, control.elb_classic_lb_use_ssl_certificate, - control.ebs_attached_volume_encryption_enabled, + control.elb_classic_lb_use_tls_https_listeners, + control.es_domain_encryption_at_rest_enabled, + control.es_domain_node_to_node_encryption_enabled, + control.log_group_encryption_at_rest_enabled, control.rds_db_instance_encryption_at_rest_enabled, + control.rds_db_snapshot_encrypted_at_rest, + control.redshift_cluster_encryption_in_transit_enabled, control.redshift_cluster_encryption_logging_enabled, control.redshift_cluster_kms_enabled, - control.redshift_cluster_encryption_in_transit_enabled, - control.s3_bucket_enforces_ssl, + control.s3_bucket_default_encryption_enabled_kms, 
control.s3_bucket_default_encryption_enabled, - control.sagemaker_endpoint_configuration_encryption_at_rest_enabled + control.s3_bucket_enforces_ssl, + control.sagemaker_endpoint_configuration_encryption_at_rest_enabled, + control.sagemaker_notebook_instance_encryption_at_rest_enabled, + control.secretsmanager_secret_encrypted_with_kms_cmk, + control.sns_topic_encrypted_at_rest, ] tags = local.nist_800_53_rev_5_common_tags @@ -1001,10 +1000,10 @@ benchmark "nist_800_53_rev_5_sc_22" { title = "Architecture And Provisioning For Name/Address Resolution Service (SC-22)" description = "Ensure the systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal and external role separation." children = [ - control.elb_classic_lb_cross_zone_load_balancing_enabled, - control.rds_db_instance_deletion_protection_enabled, control.dynamodb_table_auto_scaling_enabled, control.elb_application_lb_deletion_protection_enabled, + control.elb_classic_lb_cross_zone_load_balancing_enabled, + control.rds_db_instance_deletion_protection_enabled, control.rds_db_instance_multiple_az_enabled, control.vpc_vpn_tunnel_up ] 
@@ -1016,16 +1015,15 @@ benchmark "nist_800_53_rev_5_sc_23" { title = "Session Authenticity (SC-23)" description = "Protect the authenticity of communications sessions." children = [ - control.es_domain_node_to_node_encryption_enabled, - control.elb_classic_lb_use_tls_https_listeners, - control.elb_application_lb_redirect_http_request_to_https, + benchmark.nist_800_53_rev_5_sc_23_3, + benchmark.nist_800_53_rev_5_sc_23_5, control.apigateway_rest_api_stage_use_ssl_certificate, + control.elb_application_lb_redirect_http_request_to_https, control.elb_classic_lb_use_ssl_certificate, + control.elb_classic_lb_use_tls_https_listeners, + control.es_domain_node_to_node_encryption_enabled, control.redshift_cluster_encryption_in_transit_enabled, - control.s3_bucket_enforces_ssl, - benchmark.nist_800_53_rev_5_sc_23_3, - benchmark.nist_800_53_rev_5_sc_23_5 - + control.s3_bucket_enforces_ssl ] tags = local.nist_800_53_rev_5_common_tags 
@@ -1036,21 +1034,21 @@ benchmark "nist_800_53_rev_5_sc_23_3" { description = "Generate a unique session identifier for each session with [Assignment: organization-defined randomness requirements] and recognize only session identifiers that are system-generated." children = [ control.ec2_instance_uses_imdsv2, - control.iam_group_user_role_no_inline_policies, - control.iam_user_access_key_age_90, control.iam_account_password_policy_min_length_14, - control.secretsmanager_secret_unused_90_day, + control.iam_group_user_role_no_inline_policies, control.iam_policy_no_star_star, + control.iam_root_user_hardware_mfa_enabled, + control.iam_root_user_mfa_enabled, control.iam_root_user_no_access_keys, + control.iam_user_access_key_age_90, + control.iam_user_console_access_mfa_enabled, control.iam_user_in_group, control.iam_user_mfa_enabled, control.iam_user_no_inline_attached_policies, control.iam_user_unused_credentials_90, - control.iam_user_console_access_mfa_enabled, - control.iam_root_user_hardware_mfa_enabled, - control.iam_root_user_mfa_enabled, control.secretsmanager_secret_automatic_rotation_enabled, control.secretsmanager_secret_rotated_as_scheduled, + control.secretsmanager_secret_unused_90_day ] tags = local.nist_800_53_rev_5_common_tags @@ -1060,8 +1058,8 @@ benchmark "nist_800_53_rev_5_sc_23_5" { title = "SC-23(5) Allowed Certificate Authorities" description = "Only allow the use of [Assignment: organization-defined certificate authorities] for verification of the establishment of protected sessions." children = [ - control.elb_classic_lb_use_ssl_certificate, - control.elb_application_network_lb_use_ssl_certificate + control.elb_application_network_lb_use_ssl_certificate, + control.elb_classic_lb_use_ssl_certificate ] tags = merge(local.nist_800_53_rev_5_common_tags, { 
@@ -1073,27 +1071,26 @@ benchmark "nist_800_53_rev_5_sc_25" { title = "Thin Nodes (SC-25)" description = "Employ minimal functionality and information storage on the following system components: [Assignment: organization-defined system components]." children = [ - control.ec2_instance_in_vpc, control.dms_replication_instance_not_publicly_accessible, control.ebs_snapshot_not_publicly_restorable, + control.ec2_instance_in_vpc, control.ec2_instance_not_publicly_accessible, - control.es_domain_in_vpc, control.emr_cluster_master_nodes_no_public_ip, + control.es_domain_in_vpc, control.iam_policy_no_star_star, control.iam_root_user_no_access_keys, control.iam_user_no_inline_attached_policies, - control.lambda_function_restrict_public_access, control.lambda_function_in_vpc, + control.lambda_function_restrict_public_access, control.rds_db_instance_prohibit_public_access, control.rds_db_snapshot_prohibit_public_access, control.redshift_cluster_prohibit_public_access, - control.s3_public_access_block_account, - control.s3_public_access_block_bucket, control.s3_bucket_restrict_public_read_access, control.s3_bucket_restrict_public_write_access, + control.s3_public_access_block_account, + control.s3_public_access_block_bucket, control.sagemaker_notebook_instance_direct_internet_access_disabled, control.vpc_subnet_auto_assign_public_ip_disabled, - ] tags = local.nist_800_53_rev_5_common_tags 
@@ -1114,24 +1111,24 @@ benchmark "nist_800_53_rev_5_sc_28_1" { title = "SC-28(1) Cryptographic Protection" description = "Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of the following information at rest on [Assignment: organization-defined system components or media]: [Assignment: organization-defined information]." children = [ - control.dynamodb_table_encrypted_with_kms_cmk, - control.ec2_ebs_default_encryption_enabled, - control.rds_db_snapshot_encrypted_at_rest, - control.secretsmanager_secret_encrypted_with_kms_cmk, - control.s3_bucket_default_encryption_enabled_kms, - control.sagemaker_notebook_instance_encryption_at_rest_enabled, - control.sns_topic_encrypted_at_rest, control.apigateway_stage_cache_encryption_at_rest_enabled, control.cloudtrail_trail_logs_encrypted_with_kms_cmk, - control.log_group_encryption_at_rest_enabled, + control.dynamodb_table_encrypted_with_kms_cmk, + control.ebs_attached_volume_encryption_enabled, + control.ec2_ebs_default_encryption_enabled, control.efs_file_system_encrypt_data_at_rest, control.es_domain_encryption_at_rest_enabled, - control.ebs_attached_volume_encryption_enabled, + control.log_group_encryption_at_rest_enabled, control.rds_db_instance_encryption_at_rest_enabled, + control.rds_db_snapshot_encrypted_at_rest, control.redshift_cluster_encryption_logging_enabled, control.redshift_cluster_kms_enabled, + control.s3_bucket_default_encryption_enabled_kms, control.s3_bucket_default_encryption_enabled, - control.sagemaker_endpoint_configuration_encryption_at_rest_enabled + control.sagemaker_endpoint_configuration_encryption_at_rest_enabled, + control.sagemaker_notebook_instance_encryption_at_rest_enabled, + control.secretsmanager_secret_encrypted_with_kms_cmk, + control.sns_topic_encrypted_at_rest, ] tags = local.nist_800_53_rev_5_common_tags 
@@ -1153,11 +1150,11 @@ benchmark "nist_800_53_rev_5_sc_36" { title = "Distributed Processing And Storage (SC-36)" description = "Distribute the following processing and storage components across multiple [Selection: physical locations; logical domains]: [Assignment: organization-defined processing and storage components]." children = [ - control.elb_classic_lb_cross_zone_load_balancing_enabled, + benchmark.nist_800_53_rev_5_sc_36_1_a, control.dynamodb_table_auto_scaling_enabled, + control.elb_classic_lb_cross_zone_load_balancing_enabled, control.rds_db_instance_multiple_az_enabled, - control.vpc_vpn_tunnel_up, - benchmark.nist_800_53_rev_5_sc_36_1_a + control.vpc_vpn_tunnel_up ] tags = local.nist_800_53_rev_5_common_tags @@ -1167,11 +1164,11 @@ benchmark "nist_800_53_rev_5_sc_36_1_a" { title = "SC-36(1)(a)" description = "(a) Employ polling techniques to identify potential faults, errors, or compromises to the following processing and storage components: [Assignment: organization-defined distributed processing and storage components];" children = [ - control.lambda_function_dead_letter_queue_configured, - control.rds_db_instance_and_cluster_enhanced_monitoring_enabled, control.autoscaling_group_with_lb_use_health_check, - control.elastic_beanstalk_enhanced_health_reporting_enabled, control.cloudwatch_alarm_action_enabled, + control.elastic_beanstalk_enhanced_health_reporting_enabled, + control.lambda_function_dead_letter_queue_configured, + control.rds_db_instance_and_cluster_enhanced_monitoring_enabled ] tags = local.nist_800_53_rev_5_common_tags diff --git a/nist_800_53_rev_5/si.sp b/nist_800_53_rev_5/si.sp index 3073d83b..bfe5a0e5 100644 --- a/nist_800_53_rev_5/si.sp +++ b/nist_800_53_rev_5/si.sp 
@@ -21,9 +21,9 @@ benchmark "nist_800_53_rev_5_si_1" { title = "Policy And Procedures (SI-1)" description = "a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] system and information integrity policy that: a). Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b). Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the system and information integrity policy and the associated system and information integrity controls; b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the system and information integrity policy and procedures; and c. Review and update the current system and information integrity: 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]." children = [ + benchmark.nist_800_53_rev_5_si_1_1_c, benchmark.nist_800_53_rev_5_si_1_a_2, benchmark.nist_800_53_rev_5_si_1_c_2, - benchmark.nist_800_53_rev_5_si_1_1_c ] tags = local.nist_800_53_rev_5_common_tags 
@@ -33,15 +33,15 @@ benchmark "nist_800_53_rev_5_si_1_a_2" { title = "SI-1(a)(2)" description = "a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 2. Procedures to facilitate the implementation of the system and information integrity policy and the associated system and information integrity controls;." children = [ - control.es_domain_node_to_node_encryption_enabled, - control.elb_classic_lb_use_tls_https_listeners, - control.elb_application_lb_redirect_http_request_to_https, control.apigateway_rest_api_stage_use_ssl_certificate, control.cloudtrail_trail_validation_enabled, + control.elb_application_lb_redirect_http_request_to_https, control.elb_classic_lb_use_ssl_certificate, + control.elb_classic_lb_use_tls_https_listeners, + control.es_domain_node_to_node_encryption_enabled, control.redshift_cluster_encryption_in_transit_enabled, control.s3_bucket_enforces_ssl, - control.s3_bucket_versioning_enabled, + control.s3_bucket_versioning_enabled ] tags = local.nist_800_53_rev_5_common_tags 
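Review bot: Trailing-comma handling is inconsistent across the re-sorted lists: here and in `si_1_c_2` and `si_1_1_c` the comma after the last child (`control.s3_bucket_versioning_enabled`, `control.s3_bucket_logging_enabled`) is removed, while `sc_7_27`, `sc_13_a`, `sc_28_1`, `si_2_5` and `si_2_2` keep or add a trailing comma after their last child. Both forms are valid HCL, but a sweep whose purpose is normalising these lists should settle on one convention — the trailing comma keeps later append-only diffs to a single line. The `description` on the context line also ends with `controls;.`, a stray period that could be dropped while this block is being touched.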
@@ -51,15 +51,15 @@ benchmark "nist_800_53_rev_5_si_1_c_2" { title = "SI-1(c)(2)" description = "c. Review and update the current system and information integrity: 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]." children = [ - control.es_domain_node_to_node_encryption_enabled, - control.elb_classic_lb_use_tls_https_listeners, - control.elb_application_lb_redirect_http_request_to_https, control.apigateway_rest_api_stage_use_ssl_certificate, control.cloudtrail_trail_validation_enabled, + control.elb_application_lb_redirect_http_request_to_https, control.elb_classic_lb_use_ssl_certificate, + control.elb_classic_lb_use_tls_https_listeners, + control.es_domain_node_to_node_encryption_enabled, control.redshift_cluster_encryption_in_transit_enabled, control.s3_bucket_enforces_ssl, - control.s3_bucket_versioning_enabled, + control.s3_bucket_versioning_enabled ] tags = local.nist_800_53_rev_5_common_tags @@ -70,12 +70,12 @@ benchmark "nist_800_53_rev_5_si_1_1_c" { description = "c(c) Audit the use of the manual override capability." children = [ control.cloudtrail_multi_region_trail_enabled, - control.cloudtrail_trail_integrated_with_logs, - control.cloudtrail_trail_enabled, control.cloudtrail_s3_data_events_enabled, + control.cloudtrail_trail_enabled, + control.cloudtrail_trail_integrated_with_logs, control.rds_db_instance_logging_enabled, control.redshift_cluster_encryption_logging_enabled, - control.s3_bucket_logging_enabled, + control.s3_bucket_logging_enabled ] tags = local.nist_800_53_rev_5_common_tags 
@@ -85,73 +85,73 @@ benchmark "nist_800_53_rev_5_si_2" { title = "Flaw Remediation (SI-2)" description = "The organization: a.Identifies, reports, and corrects information system flaws; b.Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation; c.Installs security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and d.Incorporates flaw remediation into the organizational configuration management process." children = [ + benchmark.nist_800_53_rev_5_si_2_2, + benchmark.nist_800_53_rev_5_si_2_5, benchmark.nist_800_53_rev_5_si_2_a, benchmark.nist_800_53_rev_5_si_2_c, benchmark.nist_800_53_rev_5_si_2_d, - benchmark.nist_800_53_rev_5_si_2_2, - benchmark.nist_800_53_rev_5_si_2_5 ] tags = local.nist_800_53_rev_5_common_tags } -benchmark "nist_800_53_rev_5_si_2_a" { - title = "SI-2(a)" - description = "a. Identify, report, and correct system flaws;" +benchmark "nist_800_53_rev_5_si_2_5" { + title = "SI-2(5) Automatic Software And Firmware Updated" + description = "Install [Assignment: organization-defined security-relevant software and firmware updates] automatically to [Assignment: organization-defined system components]." children = [ - control.lambda_function_dead_letter_queue_configured, - control.rds_db_instance_and_cluster_enhanced_monitoring_enabled, - control.autoscaling_group_with_lb_use_health_check, control.elastic_beanstalk_enhanced_health_reporting_enabled, - control.cloudwatch_alarm_action_enabled + control.redshift_cluster_maintenance_settings_check, + control.ssm_managed_instance_compliance_patch_compliant, ] tags = local.nist_800_53_rev_5_common_tags } -benchmark "nist_800_53_rev_5_si_2_c" { - title = "SI-2(c)" - description = "c. 
Install security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates;" +benchmark "nist_800_53_rev_5_si_2_2" { + title = "SI-2(2) Automated Flaw RemediationN Status" + description = "Determine if system components have applicable security-relevant software and firmware updates installed using [Assignment: organization-defined automated mechanisms] [Assignment: organization-defined frequency]." children = [ - control.ssm_managed_instance_compliance_patch_compliant, control.elastic_beanstalk_enhanced_health_reporting_enabled, control.redshift_cluster_maintenance_settings_check, + control.ssm_managed_instance_compliance_patch_compliant, ] tags = local.nist_800_53_rev_5_common_tags } -benchmark "nist_800_53_rev_5_si_2_d" { - title = "SI-2(d)" - description = "d. Incorporate flaw remediation into the organizational configuration management process." +benchmark "nist_800_53_rev_5_si_2_a" { + title = "SI-2(a)" + description = "a. Identify, report, and correct system flaws;" children = [ - control.ssm_managed_instance_compliance_patch_compliant, + control.autoscaling_group_with_lb_use_health_check, + control.cloudwatch_alarm_action_enabled, control.elastic_beanstalk_enhanced_health_reporting_enabled, - control.redshift_cluster_maintenance_settings_check, + control.lambda_function_dead_letter_queue_configured, + control.rds_db_instance_and_cluster_enhanced_monitoring_enabled, ] tags = local.nist_800_53_rev_5_common_tags } -benchmark "nist_800_53_rev_5_si_2_2" { - title = "SI-2(2) Automated Flaw RemediationN Status" - description = "Determine if system components have applicable security-relevant software and firmware updates installed using [Assignment: organization-defined automated mechanisms] [Assignment: organization-defined frequency]." +benchmark "nist_800_53_rev_5_si_2_c" { + title = "SI-2(c)" + description = "c. 
Install security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates;" children = [ - control.ssm_managed_instance_compliance_patch_compliant, control.elastic_beanstalk_enhanced_health_reporting_enabled, control.redshift_cluster_maintenance_settings_check, + control.ssm_managed_instance_compliance_patch_compliant, ] tags = local.nist_800_53_rev_5_common_tags } -benchmark "nist_800_53_rev_5_si_2_5" { - title = "SI-2(5) Automatic Software And Firmware Updated" - description = "Install [Assignment: organization-defined security-relevant software and firmware updates] automatically to [Assignment: organization-defined system components]." +benchmark "nist_800_53_rev_5_si_2_d" { + title = "SI-2(d)" + description = "d. Incorporate flaw remediation into the organizational configuration management process." children = [ - control.ssm_managed_instance_compliance_patch_compliant, control.elastic_beanstalk_enhanced_health_reporting_enabled, control.redshift_cluster_maintenance_settings_check, + control.ssm_managed_instance_compliance_patch_compliant, ] tags = local.nist_800_53_rev_5_common_tags 
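Review bot: The two titles this hunk re-emits carry typos onto the new side: `title = "SI-2(2) Automated Flaw RemediationN Status"` should read `"SI-2(2) Automated Flaw Remediation Status"`, and `title = "SI-2(5) Automatic Software And Firmware Updated"` should read `"SI-2(5) Automatic Software And Firmware Updates"`, the enhancement's name in Rev 5. The hunk also ends the children lists of si_2_5, si_2_2 and si_2_a with a trailing comma (`control.ssm_managed_instance_compliance_patch_compliant,`) while the same commit removes trailing commas in the si_1_a_2, si_1_c_2 and si_3_c_2 hunks; the same inconsistency appears in the si_4 hunk (`benchmark.nist_800_53_rev_5_si_4_d,`) and in the moved si_7_a block, so one convention should be applied file-wide. After the sort, SI-2(2), SI-2(5), SI-2(c) and SI-2(d) all list the identical three controls, which is presumably intended but leaves the four benchmarks indistinguishable in results.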
@@ -161,8 +161,8 @@ benchmark "nist_800_53_rev_5_si_3" { title = "Malicious Code Protection (SI-3)" description = "a. Implement [Selection (one or more): signature based; non-signature based] malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code; b. Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures; c. Configure malicious code protection mechanisms to: 1. Perform periodic scans of the system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more): endpoint; network entry and exit points] as the files are downloaded, opened, or executed in accordance with organizational policy; and 2. [Selection (one or more): block malicious code; quarantine malicious code; take [Assignment: organization-defined action]]; and send alert to [Assignment: organization-defined personnel or roles] in response to malicious code detection; and d. Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system." children = [ - benchmark.nist_800_53_rev_5_si_3_c_2, - benchmark.nist_800_53_rev_5_si_3_8 + benchmark.nist_800_53_rev_5_si_3_8, + benchmark.nist_800_53_rev_5_si_3_c_2 ] tags = local.nist_800_53_rev_5_common_tags 
@@ -174,15 +174,15 @@ benchmark "nist_800_53_rev_5_si_3_c_2" { children = [ control.ec2_instance_ssm_managed, control.ssm_managed_instance_compliance_association_compliant, - control.ssm_managed_instance_compliance_patch_compliant, + control.ssm_managed_instance_compliance_patch_compliant ] tags = local.nist_800_53_rev_5_common_tags } benchmark "nist_800_53_rev_5_si_3_8" { - title = "SI-3(8)" - description = "c. Configure malicious code protection mechanisms to: 2. [Selection (one or more): block malicious code; quarantine malicious code; take [Assignment: organization-defined action]]; and send alert to [Assignment: organization-defined personnel or roles] in response to malicious code detection;" + title = "SI-3(8) Detect Unauthorized Commands" + description = "a. Detect the following unauthorized operating system commands through the kernel application programming interface on [Assignment: organization-defined system hardware components]: [Assignment: organization-defined unauthorized operating system commands]; and b. [Selection (one or more): issue a warning; audit the command execution; prevent the execution of the command]." children = [ benchmark.nist_800_53_rev_5_si_3_8_a, benchmark.nist_800_53_rev_5_si_3_8_b @@ -206,9 +206,9 @@ benchmark "nist_800_53_rev_5_si_3_8_b" { description = "(b) [Selection (one or more): issue a warning; audit the command execution; prevent the execution of the command]." children = [ control.cloudtrail_multi_region_trail_enabled, - control.cloudtrail_trail_integrated_with_logs, - control.cloudtrail_trail_enabled, control.cloudtrail_s3_data_events_enabled, + control.cloudtrail_trail_enabled, + control.cloudtrail_trail_integrated_with_logs, control.rds_db_instance_logging_enabled, control.redshift_cluster_encryption_logging_enabled, control.s3_bucket_logging_enabled 
@@ -221,10 +221,6 @@ benchmark "nist_800_53_rev_5_si_4" { title = "System Monitoring (SI-4)" description = "The organization: a.Monitors the information system to detect: 1. Attacks and indicators of potential attacks in accordance with [Assignment: organization-defined monitoring objectives]; and 2.Unauthorized local, network, and remote connections; b. Identifies unauthorized use of the information system through [Assignment: organization-defined techniques and methods]; c. Deploys monitoring devices: 1. Strategically within the information system to collect organization-determined essential information; and 2. At ad hoc locations within the system to track specific types of transactions of interest to the organization; d. Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion; e. Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information; f. Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and g. Provides [Assignment: organization-defined information system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]]." children = [ - benchmark.nist_800_53_rev_5_si_4_a, - benchmark.nist_800_53_rev_5_si_4_b, - benchmark.nist_800_53_rev_5_si_4_c, - benchmark.nist_800_53_rev_5_si_4_d, benchmark.nist_800_53_rev_5_si_4_1, benchmark.nist_800_53_rev_5_si_4_2, benchmark.nist_800_53_rev_5_si_4_3, 
@@ -236,7 +232,11 @@ benchmark "nist_800_53_rev_5_si_4" { benchmark.nist_800_53_rev_5_si_4_17, benchmark.nist_800_53_rev_5_si_4_20, benchmark.nist_800_53_rev_5_si_4_23, - benchmark.nist_800_53_rev_5_si_4_25 + benchmark.nist_800_53_rev_5_si_4_25, + benchmark.nist_800_53_rev_5_si_4_a, + benchmark.nist_800_53_rev_5_si_4_b, + benchmark.nist_800_53_rev_5_si_4_c, + benchmark.nist_800_53_rev_5_si_4_d, ] tags = local.nist_800_53_rev_5_common_tags @@ -246,9 +246,9 @@ benchmark "nist_800_53_rev_5_si_4_a" { title = "SI-4(a)" description = "a. Monitor the system to detect: 1. Attacks and indicators of potential attacks in accordance with the following monitoring objectives: [Assignment: organization-defined monitoring objectives]; and 2. Unauthorized local, network, and remote connections;" children = [ - control.guardduty_enabled, benchmark.nist_800_53_rev_5_si_4_a_1, - benchmark.nist_800_53_rev_5_si_4_a_2 + benchmark.nist_800_53_rev_5_si_4_a_2, + control.guardduty_enabled ] tags = merge(local.nist_800_53_rev_5_common_tags, { @@ -272,7 +272,7 @@ benchmark "nist_800_53_rev_5_si_4_a_2" { title = "SI-4(a)(2)" description = "a. Monitor the system to detect: 2. Unauthorized local, network, and remote connections;" children = [ - control.guardduty_enabled, + control.guardduty_enabled ] tags = merge(local.nist_800_53_rev_5_common_tags, { @@ -284,7 +284,7 @@ benchmark "nist_800_53_rev_5_si_4_b" { title = "SI-4(b)" description = "b. Identify unauthorized use of the system through the following techniques and methods: [Assignment: organization-defined techniques and methods];" children = [ - control.guardduty_enabled, + control.guardduty_enabled ] tags = merge(local.nist_800_53_rev_5_common_tags, { 
@@ -384,7 +384,7 @@ benchmark "nist_800_53_rev_5_si_4_4_b" {
 title = "SI-4(4)(b)"
 description = "(b) Monitor inbound and outbound communications traffic [Assignment: organization-defined frequency] for [Assignment: organization-defined unusual or unauthorized activities or conditions]."
 children = [
- control.guardduty_enabled,
+ control.guardduty_enabled
 ]
 
 tags = merge(local.nist_800_53_rev_5_common_tags, {
@@ -396,7 +396,7 @@ benchmark "nist_800_53_rev_5_si_4_10" {
 title = "SI-4(10) Visibility Of Encrypted Communications"
 description = "Make provisions so that [Assignment: organization-defined encrypted communications traffic] is visible to [Assignment: organization-defined system monitoring tools and mechanisms]."
 children = [
- control.guardduty_enabled,
+ control.guardduty_enabled
 ]
 
 tags = merge(local.nist_800_53_rev_5_common_tags, {
@@ -452,18 +452,18 @@ benchmark "nist_800_53_rev_5_si_4_17" {
 title = "SI-4(17) Integrated Situational Awareness"
 description = "Correlate information from monitoring physical, cyber, and supply chain activities to achieve integrated, organization-wide situational awareness."
 children = [
- control.cloudwatch_log_group_retention_period_365,
- control.cloudtrail_multi_region_trail_enabled,
- control.wafv2_web_acl_logging_enabled,
 control.apigateway_stage_logging_enabled,
- control.cloudtrail_trail_integrated_with_logs,
- control.cloudtrail_trail_enabled,
+ control.cloudtrail_multi_region_trail_enabled,
 control.cloudtrail_s3_data_events_enabled,
+ control.cloudtrail_trail_enabled,
+ control.cloudtrail_trail_integrated_with_logs,
+ control.cloudwatch_log_group_retention_period_365,
 control.elb_application_classic_lb_logging_enabled,
 control.rds_db_instance_logging_enabled,
 control.redshift_cluster_encryption_logging_enabled,
 control.s3_bucket_logging_enabled,
- control.vpc_flow_logs_enabled
+ control.vpc_flow_logs_enabled,
+ control.wafv2_web_acl_logging_enabled
 ]
 
 tags = local.nist_800_53_rev_5_common_tags
@@ -474,9 +474,9 @@ benchmark "nist_800_53_rev_5_si_4_20" { description = "Implement the following additional monitoring of privileged users: [Assignment: organization-defined additional monitoring]." children = [ control.cloudtrail_multi_region_trail_enabled, - control.cloudtrail_trail_integrated_with_logs, - control.cloudtrail_trail_enabled, control.cloudtrail_s3_data_events_enabled, + control.cloudtrail_trail_enabled, + control.cloudtrail_trail_integrated_with_logs, control.rds_db_instance_logging_enabled, control.redshift_cluster_encryption_logging_enabled, control.s3_bucket_logging_enabled @@ -511,8 +511,8 @@ benchmark "nist_800_53_rev_5_si_5" { title = "Secuity Alerts, Advisories, And Directives (SI-5)" description = "a. Receive system security alerts, advisories, and directives from [Assignment: organization-defined external organizations] on an ongoing basis; b. Generate internal security alerts, advisories, and directives as deemed necessary; c. Disseminate security alerts, advisories, and directives to: [Selection (one or more): [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined elements within the organization]; [Assignment: organization-defined external organizations]]; and d. Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance." children = [ - benchmark.nist_800_53_rev_5_si_5_b, - benchmark.nist_800_53_rev_5_si_5_1 + benchmark.nist_800_53_rev_5_si_5_1, + benchmark.nist_800_53_rev_5_si_5_b ] tags = local.nist_800_53_rev_5_common_tags 
@@ -544,27 +544,16 @@ benchmark "nist_800_53_rev_5_si_7" {
 title = "Software, Firmware, and Information Integrity (SI-7)"
 description = "a. Employ integrity verification tools to detect unauthorized changes to the following software, firmware, and information: [Assignment: organization-defined software, firmware, and information]; and b. Take the following actions when unauthorized changes to the software, firmware, and information are detected: [Assignment: organization-defined actions]."
 children = [
- benchmark.nist_800_53_rev_5_si_7_a,
 benchmark.nist_800_53_rev_5_si_7_1,
 benchmark.nist_800_53_rev_5_si_7_3,
 benchmark.nist_800_53_rev_5_si_7_7,
 benchmark.nist_800_53_rev_5_si_7_8,
+ benchmark.nist_800_53_rev_5_si_7_a
 ]
 
 tags = local.nist_800_53_rev_5_common_tags
 }
 
-benchmark "nist_800_53_rev_5_si_7_a" {
- title = "SI-7(a)"
- description = "a. Employ integrity verification tools to detect unauthorized changes to the following software, firmware, and information: [Assignment: organization-defined software, firmware, and information];"
- children = [
- control.cloudtrail_trail_validation_enabled,
- ]
- tags = merge(local.nist_800_53_rev_5_common_tags, {
- service = "AWS/CloudTrail"
- })
-}
-
 benchmark "nist_800_53_rev_5_si_7_1" {
 title = "SI-7(1) Integrity Checks"
 description = "Perform an integrity check of [Assignment: organization-defined software, firmware, and information] [Selection (one or more): at startup; at [Assignment: organization-defined transitional states or security-relevant events]; [Assignment: organization-defined frequency]]."
@@ -621,6 +610,17 @@ benchmark "nist_800_53_rev_5_si_7_8" {
 tags = local.nist_800_53_rev_5_common_tags
 }
 
+benchmark "nist_800_53_rev_5_si_7_a" {
+ title = "SI-7(a)"
+ description = "a. Employ integrity verification tools to detect unauthorized changes to the following software, firmware, and information: [Assignment: organization-defined software, firmware, and information];"
+ children = [
+ control.cloudtrail_trail_validation_enabled,
+ ]
+ tags = merge(local.nist_800_53_rev_5_common_tags, {
+ service = "AWS/CloudTrail"
+ })
+}
+
 benchmark "nist_800_53_rev_5_si_10" {
 title = "Information Input Validation (SI-10)"
 description = "Check the validity of the following information inputs: [Assignment: organization-defined information inputs to the system]."
@@ -646,9 +646,9 @@ benchmark "nist_800_53_rev_5_si_10_1_c" {
 description = "(c) Audit the use of the manual override capability."
 children = [
 control.cloudtrail_multi_region_trail_enabled,
- control.cloudtrail_trail_integrated_with_logs,
- control.cloudtrail_trail_enabled,
 control.cloudtrail_s3_data_events_enabled,
+ control.cloudtrail_trail_enabled,
+ control.cloudtrail_trail_integrated_with_logs,
 control.rds_db_instance_logging_enabled,
 control.redshift_cluster_encryption_logging_enabled,
 control.s3_bucket_logging_enabled
@@ -683,18 +683,18 @@ benchmark "nist_800_53_rev_5_si_13_5" {
 title = "SI-13(5) Failover Capability"
 description = "Provide [Selection: real-time; near real-time] [Assignment: organization-defined failover capability] for the system."
 children = [
+ control.dynamodb_table_auto_scaling_enabled,
 control.dynamodb_table_in_backup_plan,
+ control.dynamodb_table_point_in_time_recovery_enabled,
 control.ebs_volume_in_backup_plan,
 control.efs_file_system_in_backup_plan,
+ control.elasticache_redis_cluster_automatic_backup_retention_15_days,
 control.elb_classic_lb_cross_zone_load_balancing_enabled,
+ control.rds_db_instance_backup_enabled,
 control.rds_db_instance_deletion_protection_enabled,
+ control.rds_db_instance_multiple_az_enabled,
 control.rds_db_instance_protected_by_backup_plan,
 control.redshift_cluster_automatic_snapshots_min_7_days,
- control.rds_db_instance_backup_enabled,
- control.dynamodb_table_auto_scaling_enabled,
- control.dynamodb_table_point_in_time_recovery_enabled,
- control.elasticache_redis_cluster_automatic_backup_retention_15_days,
- control.rds_db_instance_multiple_az_enabled,
 control.s3_bucket_cross_region_replication_enabled,
 control.s3_bucket_versioning_enabled,
 control.vpc_vpn_tunnel_up
@@ -718,26 +718,24 @@ benchmark "nist_800_53_rev_5_si_19_4" { title = "SI-19(4) Removal, Masking, Encryption, Hashing, Or Replacement Of Direct Identifiers" description = "Remove, mask, encrypt, hash, or replace direct identifiers in a dataset." children = [ - control.dynamodb_table_encrypted_with_kms_cmk, - control.ec2_ebs_default_encryption_enabled, - control.rds_db_snapshot_encrypted_at_rest, - control.secretsmanager_secret_encrypted_with_kms_cmk, - control.s3_bucket_default_encryption_enabled_kms, - control.sagemaker_notebook_instance_encryption_at_rest_enabled, control.apigateway_stage_cache_encryption_at_rest_enabled, control.cloudtrail_trail_logs_encrypted_with_kms_cmk, - control.log_group_encryption_at_rest_enabled, + control.dynamodb_table_encrypted_with_kms_cmk, + control.ebs_attached_volume_encryption_enabled, + control.ec2_ebs_default_encryption_enabled, control.efs_file_system_encrypt_data_at_rest, control.es_domain_encryption_at_rest_enabled, - control.ebs_attached_volume_encryption_enabled, + control.log_group_encryption_at_rest_enabled, control.rds_db_instance_encryption_at_rest_enabled, + control.rds_db_snapshot_encrypted_at_rest, control.redshift_cluster_encryption_logging_enabled, control.redshift_cluster_kms_enabled, + control.s3_bucket_default_encryption_enabled_kms, control.s3_bucket_default_encryption_enabled, - control.sagemaker_endpoint_configuration_encryption_at_rest_enabled + control.sagemaker_endpoint_configuration_encryption_at_rest_enabled, + control.sagemaker_notebook_instance_encryption_at_rest_enabled, + control.secretsmanager_secret_encrypted_with_kms_cmk ] tags = local.nist_800_53_rev_5_common_tags } - - From 3a5ac1319f8c34cd625bb991c1f884d66327b12c Mon Sep 17 00:00:00 2001 From: Khushboo Date: Tue, 31 May 2022 19:54:17 +0530 Subject: [PATCH 14/20] updated readme.md file --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 63f8b926..a811fb6e 100644 --- a/README.md +++ b/README.md 
@@ -17,6 +17,7 @@ Includes support for: * [HIPAA](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.hipaa) * [General Data Protection Regulation (GDPR)](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.gdpr) 🚀 New! * [NIST 800-53 Revision 4](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.nist_800_53_rev_4) +* [NIST 800-53 Revision 5](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.nist_800_53_rev_5) * [NIST Cybersecurity Framework (CSF)](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.nist_csf) * [PCI DSS v3.2.1](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.pci_v321) * [AWS Foundational Security Best Practices](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.foundational_security) From 796737354a5e2209034ec1e62e7469ad2fdf3dcc Mon Sep 17 00:00:00 2001 From: Khushboo Date: Wed, 1 Jun 2022 16:37:27 +0530 Subject: [PATCH 15/20] minor update --- query/ec2/ec2_instance_protected_by_backup_plan.sql | 2 +- query/ec2/ec2_stopped_instance_30_days.sql | 2 +- .../secretsmanager_secret_encrypted_with_kms_cmk.sql | 2 +- query/secretsmanager/secretsmanager_secret_unused_90_day.sql | 4 ++-- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/query/ec2/ec2_instance_protected_by_backup_plan.sql b/query/ec2/ec2_instance_protected_by_backup_plan.sql index 9b4743ad..3b94a875 100644 --- a/query/ec2/ec2_instance_protected_by_backup_plan.sql +++ b/query/ec2/ec2_instance_protected_by_backup_plan.sql @@ -22,4 +22,4 @@ select i.account_id from aws_ec2_instance as i - left join backup_protected_instance as b on i.arn = b.arn; + left join backup_protected_instance as b on i.arn = b.arn; \ No newline at end of file diff --git a/query/ec2/ec2_stopped_instance_30_days.sql b/query/ec2/ec2_stopped_instance_30_days.sql index a1ab9a69..0c3eaf12 100644 --- a/query/ec2/ec2_stopped_instance_30_days.sql 
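Review bot: The rewritten last line of ec2_instance_protected_by_backup_plan.sql drops the file's terminating newline (`\ No newline at end of file` on the new side), which is a regression rather than a cleanup: POSIX text tools and most linters expect a final newline, and every later edit to this file will now show up as a two-line diff. The same happens in the ec2_stopped_instance_30_days.sql and secretsmanager_secret_unused_90_day.sql hunks of this commit. Keep the line as `left join backup_protected_instance as b on i.arn = b.arn;` followed by a newline, and likewise for the other two files.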
+++ b/query/ec2/ec2_stopped_instance_30_days.sql @@ -14,4 +14,4 @@ select region, account_id from - aws_ec2_instance; + aws_ec2_instance; \ No newline at end of file diff --git a/query/secretsmanager/secretsmanager_secret_encrypted_with_kms_cmk.sql b/query/secretsmanager/secretsmanager_secret_encrypted_with_kms_cmk.sql index 28ae177b..d57a478e 100644 --- a/query/secretsmanager/secretsmanager_secret_encrypted_with_kms_cmk.sql +++ b/query/secretsmanager/secretsmanager_secret_encrypted_with_kms_cmk.sql @@ -14,7 +14,7 @@ select case when kms_key_id is null or kms_key_id = 'alias/aws/secretsmanager' - or k.alias @> '[{"AliasName":"alias/aws/secretsmanager"}]'then 'ok' + or k.alias @> '[{"AliasName":"alias/aws/secretsmanager"}]'then 'ok' else 'alarm' end as status, case diff --git a/query/secretsmanager/secretsmanager_secret_unused_90_day.sql b/query/secretsmanager/secretsmanager_secret_unused_90_day.sql index c7668e3f..7023c6ef 100644 --- a/query/secretsmanager/secretsmanager_secret_unused_90_day.sql +++ b/query/secretsmanager/secretsmanager_secret_unused_90_day.sql @@ -9,10 +9,10 @@ select case when last_accessed_date is null then title || ' never accessed.' else - title || ' last used ' || extract(day from current_timestamp - last_accessed_date) || ' day(s) ago.' + title || ' last used ' || extract(day from current_timestamp - last_accessed_date) || ' day(s) ago.' end as reason, -- Additional Dimensions region, account_id from - aws_secretsmanager_secret; + aws_secretsmanager_secret; \ No newline at end of file From b5b086b3d94a385def811e39351ad19eb64eb8ad Mon Sep 17 00:00:00 2001 
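Review bot: In the secretsmanager_secret_encrypted_with_kms_cmk.sql hunk the re-indented branch keeps `status` at `'ok'` when `kms_key_id` is null or the secret uses the AWS-managed `alias/aws/secretsmanager` key, with `'alarm'` for everything else, which is the opposite of what the control's name implies; unless an outer query not visible here re-maps the value, the two outcomes look swapped and should read `... '[{"AliasName":"alias/aws/secretsmanager"}]' then 'alarm'` / `else 'ok'`. Whichever way the branches go, the changed line still lacks a space before the keyword (`...secretsmanager"}]'then 'ok'`); the whitespace-only change was the moment to fix that too. The CASE expression starts in this hunk but the surrounding SELECT continues outside it.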
From: Khushboo Date: Wed, 1 Jun 2022 20:19:50 +0530 Subject: [PATCH 16/20] update --- README.md | 4 +- conformance_pack/secretsmanager.sp | 2 +- nist_800_53_rev_5/ac.sp | 127 ++++++++++++++--------------- nist_800_53_rev_5/au.sp | 72 ++++++++-------- nist_800_53_rev_5/ca.sp | 8 +- nist_800_53_rev_5/cm.sp | 55 ++++++------- nist_800_53_rev_5/cp.sp | 45 +++++----- nist_800_53_rev_5/ia.sp | 38 ++++----- nist_800_53_rev_5/ir.sp | 2 +- nist_800_53_rev_5/ma.sp | 8 +- nist_800_53_rev_5/pe.sp | 4 +- nist_800_53_rev_5/pm.sp | 6 +- nist_800_53_rev_5/ra.sp | 38 ++++----- nist_800_53_rev_5/sa.sp | 2 +- nist_800_53_rev_5/sc.sp | 36 ++++---- nist_800_53_rev_5/si.sp | 82 +++++++++---------- 16 files changed, 262 insertions(+), 267 deletions(-) diff --git a/README.md b/README.md index a811fb6e..c3a9baac 100644 --- a/README.md +++ b/README.md 
@@ -15,9 +15,9 @@ Includes support for: * [FedRAMP Low Revision 4](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.fedramp_low_rev_4) * [FedRAMP Moderate Revision 4](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.fedramp_moderate_rev_4) * [HIPAA](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.hipaa) -* [General Data Protection Regulation (GDPR)](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.gdpr) 🚀 New! +* [General Data Protection Regulation (GDPR)](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.gdpr) * [NIST 800-53 Revision 4](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.nist_800_53_rev_4) -* [NIST 800-53 Revision 5](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.nist_800_53_rev_5) +* [NIST 800-53 Revision 5](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.nist_800_53_rev_5) 🚀 New! * [NIST Cybersecurity Framework (CSF)](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.nist_csf) * [PCI DSS v3.2.1](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.pci_v321) * [AWS Foundational Security Best Practices](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.foundational_security) diff --git a/conformance_pack/secretsmanager.sp b/conformance_pack/secretsmanager.sp index bbc36085..32dab652 100644 --- a/conformance_pack/secretsmanager.sp +++ b/conformance_pack/secretsmanager.sp @@ -11,8 +11,8 @@ control "secretsmanager_secret_automatic_rotation_enabled" { tags = merge(local.conformance_pack_secretsmanager_common_tags, { hipaa = "true" - nist_csf = "true" nist_800_53_rev_5 = "true" + nist_csf = "true" }) } diff --git a/nist_800_53_rev_5/ac.sp b/nist_800_53_rev_5/ac.sp index dba85a20..4041ec14 100644 --- a/nist_800_53_rev_5/ac.sp +++ b/nist_800_53_rev_5/ac.sp 
@@ -28,7 +28,7 @@ benchmark "nist_800_53_rev_5_ac_2" { benchmark.nist_800_53_rev_5_ac_2_d_1, benchmark.nist_800_53_rev_5_ac_2_g, benchmark.nist_800_53_rev_5_ac_2_i_2, - benchmark.nist_800_53_rev_5_ac_2_j, + benchmark.nist_800_53_rev_5_ac_2_j ] tags = local.nist_800_53_rev_5_common_tags @@ -52,7 +52,7 @@ benchmark "nist_800_53_rev_5_ac_2_1" { control.iam_user_unused_credentials_90, control.secretsmanager_secret_automatic_rotation_enabled, control.secretsmanager_secret_rotated_as_scheduled, - control.secretsmanager_secret_unused_90_day, + control.secretsmanager_secret_unused_90_day ] tags = local.nist_800_53_rev_5_common_tags @@ -67,7 +67,7 @@ benchmark "nist_800_53_rev_5_ac_2_3" { benchmark.nist_800_53_rev_5_ac_2_3_a, benchmark.nist_800_53_rev_5_ac_2_3_b, benchmark.nist_800_53_rev_5_ac_2_3_c, - benchmark.nist_800_53_rev_5_ac_2_3_d, + benchmark.nist_800_53_rev_5_ac_2_3_d ] tags = local.nist_800_53_rev_5_common_tags @@ -75,10 +75,10 @@ benchmark "nist_800_53_rev_5_ac_2_3" { benchmark "nist_800_53_rev_5_ac_2_3_a" { title = "AC-2(3)(a)" - description = "Disable accounts within [Assignment: organization-defined time period] when the accounts: (a) Have expired;" + description = "Disable accounts within [Assignment: organization-defined time period] when the accounts: (a) Have expired." children = [ - control.iam_user_unused_credentials_90, - control.iam_account_password_policy_min_length_14 + control.iam_account_password_policy_min_length_14, + control.iam_user_unused_credentials_90 ] tags = merge(local.nist_800_53_rev_5_common_tags, { 
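Review bot: The sorted children of AC-2(3)(a) pair `control.iam_account_password_policy_min_length_14` with `control.iam_user_unused_credentials_90`, but a minimum password length says nothing about disabling expired accounts, so this benchmark's pass/fail will be driven by an unrelated check; the same pair is copied into the (b), (c) and (d) hunks on the following line. Of the two, only `control.iam_user_unused_credentials_90` plausibly evidences (d) inactivity, and (a)–(c) may have no AWS-side evidence at all, which is worth stating rather than hiding behind a proxy control. If the password-policy control is a deliberate placeholder, a comment inside the list such as `# TODO: no direct AWS evidence for account expiry; password policy kept as proxy` would make that explicit to readers of the benchmark results.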
@@ -88,10 +88,10 @@ benchmark "nist_800_53_rev_5_ac_2_3_a" { benchmark "nist_800_53_rev_5_ac_2_3_b" { title = "AC-2(3)(b)" - description = "Disable accounts within [Assignment: organization-defined time period] when the accounts: (b) Are no longer associated with a user or individual;" + description = "Disable accounts within [Assignment: organization-defined time period] when the accounts: (b) Are no longer associated with a user or individual." children = [ - control.iam_user_unused_credentials_90, - control.iam_account_password_policy_min_length_14 + control.iam_account_password_policy_min_length_14, + control.iam_user_unused_credentials_90 ] tags = merge(local.nist_800_53_rev_5_common_tags, { @@ -101,10 +101,10 @@ benchmark "nist_800_53_rev_5_ac_2_3_b" { benchmark "nist_800_53_rev_5_ac_2_3_c" { title = "AC-2(3)(c)" - description = "Disable accounts within [Assignment: organization-defined time period] when the accounts: (c) Are in violation of organizational policy;" + description = "Disable accounts within [Assignment: organization-defined time period] when the accounts: (c) Are in violation of organizational policy." children = [ - control.iam_user_unused_credentials_90, - control.iam_account_password_policy_min_length_14 + control.iam_account_password_policy_min_length_14, + control.iam_user_unused_credentials_90 ] tags = local.nist_800_53_rev_5_common_tags @@ -114,8 +114,8 @@ benchmark "nist_800_53_rev_5_ac_2_3_d" { title = "AC-2(3)(d)" description = "Disable accounts within [Assignment: organization-defined time period] when the accounts: (d) Have been inactive for [Assignment: organization-defined time period]." children = [ - control.iam_user_unused_credentials_90, - control.iam_account_password_policy_min_length_14 + control.iam_account_password_policy_min_length_14, + control.iam_user_unused_credentials_90 ] tags = merge(local.nist_800_53_rev_5_common_tags, { 
@@ -166,7 +166,7 @@ benchmark "nist_800_53_rev_5_ac_2_6" { control.s3_public_access_block_account, control.s3_public_access_block_bucket, control.sagemaker_notebook_instance_direct_internet_access_disabled, - control.vpc_subnet_auto_assign_public_ip_disabled, + control.vpc_subnet_auto_assign_public_ip_disabled ] tags = local.nist_800_53_rev_5_common_tags @@ -186,7 +186,7 @@ benchmark "nist_800_53_rev_5_ac_2_12_a" { title = "AC-2(12)(a)" description = "(a) Monitor system accounts for [Assignment: organization-defined atypical usage]." children = [ - control.guardduty_enabled, + control.guardduty_enabled ] tags = merge(local.nist_800_53_rev_5_common_tags, { @@ -237,7 +237,7 @@ benchmark "nist_800_53_rev_5_ac_2_j" { title = "AC-2(j)" description = "The organization: j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]." children = [ - control.iam_user_unused_credentials_90, + control.iam_user_unused_credentials_90 ] tags = merge(local.nist_800_53_rev_5_common_tags, { @@ -284,7 +284,7 @@ benchmark "nist_800_53_rev_5_ac_3" { control.s3_public_access_block_account, control.s3_public_access_block_bucket, control.sagemaker_notebook_instance_direct_internet_access_disabled, - control.vpc_subnet_auto_assign_public_ip_disabled, + control.vpc_subnet_auto_assign_public_ip_disabled ] tags = local.nist_800_53_rev_5_common_tags @@ -348,7 +348,6 @@ benchmark "nist_800_53_rev_5_ac_3_3" { control.secretsmanager_secret_automatic_rotation_enabled, control.secretsmanager_secret_rotated_as_scheduled, control.secretsmanager_secret_unused_90_day - ] tags = local.nist_800_53_rev_5_common_tags 
@@ -356,7 +355,7 @@ benchmark "nist_800_53_rev_5_ac_3_3" {
 benchmark "nist_800_53_rev_5_ac_3_3_a" {
 title = "AC-3(3)(a)"
- description = "Enforce [Assignment: organization-defined mandatory access policy] over the set of covered subjects and objects specified in the policy, and where the policy: (a) Is uniformly enforced across the covered subjects and objects within the system;"
+ description = "Enforce [Assignment: organization-defined mandatory access policy] over the set of covered subjects and objects specified in the policy, and where the policy: (a) Is uniformly enforced across the covered subjects and objects within the system."
 children = [
 control.ec2_instance_uses_imdsv2,
 control.iam_account_password_policy_min_length_14,
@@ -374,7 +373,6 @@ benchmark "nist_800_53_rev_5_ac_3_3_a" {
 control.secretsmanager_secret_automatic_rotation_enabled,
 control.secretsmanager_secret_rotated_as_scheduled,
 control.secretsmanager_secret_unused_90_day
-
 ]
 tags = local.nist_800_53_rev_5_common_tags
@@ -400,7 +398,6 @@ benchmark "nist_800_53_rev_5_ac_3_3_b_1" {
 control.secretsmanager_secret_automatic_rotation_enabled,
 control.secretsmanager_secret_rotated_as_scheduled,
 control.secretsmanager_secret_unused_90_day
-
 ]
 tags = local.nist_800_53_rev_5_common_tags
@@ -408,7 +405,7 @@ benchmark "nist_800_53_rev_5_ac_3_3_b_1" {
 benchmark "nist_800_53_rev_5_ac_3_3_b_2" {
 title = "AC-3(3)(b)(2)"
- description = "Enforce [Assignment: organization-defined mandatory access policy] over the set of covered subjects and objects specified in the policy, and where the policy: (b) Specifies that a subject that has been granted access to information is constrained from doing any of the following; (2) Granting its privileges to other subjects;"
+ description = "Enforce [Assignment: organization-defined mandatory access policy] over the set of covered subjects and objects specified in the policy, and where the policy: (b) Specifies that a subject that has been granted access to information is constrained from doing any of the following; (2) Granting its privileges to other subjects."
 children = [
 control.ec2_instance_uses_imdsv2,
 control.iam_account_password_policy_min_length_14,
@@ -458,7 +455,7 @@ benchmark "nist_800_53_rev_5_ac_3_3_b_3" {
 benchmark "nist_800_53_rev_5_ac_3_3_b_4" {
 title = "AC-3(3)(b)(4)"
- description = "Enforce [Assignment: organization-defined mandatory access policy] over the set of covered subjects and objects specified in the policy, and where the policy: (b) Specifies that a subject that has been granted access to information is constrained from doing any of the following; (4) Choosing the security attributes and attribute values (specified by the policy) to be associated with newly created or modified objects;"
+ description = "Enforce [Assignment: organization-defined mandatory access policy] over the set of covered subjects and objects specified in the policy, and where the policy: (b) Specifies that a subject that has been granted access to information is constrained from doing any of the following; (4) Choosing the security attributes and attribute values (specified by the policy) to be associated with newly created or modified objects."
 children = [
 control.ec2_instance_uses_imdsv2,
 control.iam_account_password_policy_min_length_14,
@@ -475,7 +472,7 @@ benchmark "nist_800_53_rev_5_ac_3_3_b_4" {
 control.iam_user_unused_credentials_90,
 control.secretsmanager_secret_automatic_rotation_enabled,
 control.secretsmanager_secret_rotated_as_scheduled,
- control.secretsmanager_secret_unused_90_day,
+ control.secretsmanager_secret_unused_90_day
 ]
 tags = local.nist_800_53_rev_5_common_tags
@@ -483,7 +480,7 @@ benchmark "nist_800_53_rev_5_ac_3_3_b_4" {
 benchmark "nist_800_53_rev_5_ac_3_3_b_5" {
 title = "AC-3(3)(b)(5)"
- description = "Enforce [Assignment: organization-defined mandatory access policy] over the set of covered subjects and objects specified in the policy, and where the policy: (b) Specifies that a subject that has been granted access to information is constrained from doing any of the following; (5) Changing the rules governing access;"
+ description = "Enforce [Assignment: organization-defined mandatory access policy] over the set of covered subjects and objects specified in the policy, and where the policy: (b) Specifies that a subject that has been granted access to information is constrained from doing any of the following; (5) Changing the rules governing access."
 children = [
 control.ec2_instance_uses_imdsv2,
 control.iam_account_password_policy_min_length_14,
@@ -500,7 +497,7 @@ benchmark "nist_800_53_rev_5_ac_3_3_b_5" {
 control.iam_user_unused_credentials_90,
 control.secretsmanager_secret_automatic_rotation_enabled,
 control.secretsmanager_secret_rotated_as_scheduled,
- control.secretsmanager_secret_unused_90_day,
+ control.secretsmanager_secret_unused_90_day
 ]
 tags = local.nist_800_53_rev_5_common_tags
@@ -588,7 +585,7 @@ benchmark "nist_800_53_rev_5_ac_3_4_a" {
 benchmark "nist_800_53_rev_5_ac_3_4_b" {
 title = "AC-3(4)(b)"
- description = "Enforce [Assignment: organization-defined discretionary access policy] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: (b) Grant its privileges to other subjects;"
+ description = "Enforce [Assignment: organization-defined discretionary access policy] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: (b) Grant its privileges to other subjects."
 children = [
 control.secretsmanager_secret_unused_90_day,
 control.secretsmanager_secret_rotated_as_scheduled,
@@ -613,7 +610,7 @@ benchmark "nist_800_53_rev_5_ac_3_4_b" {
 benchmark "nist_800_53_rev_5_ac_3_4_c" {
 title = "AC-3(4)(c)"
- description = "Enforce [Assignment: organization-defined discretionary access policy] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: (c) Change security attributes on subjects, objects, the system, or the system’s components;"
+ description = "Enforce [Assignment: organization-defined discretionary access policy] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: (c) Change security attributes on subjects, objects, the system, or the system’s components."
 children = [
 control.ec2_instance_uses_imdsv2,
 control.iam_account_password_policy_min_length_14,
@@ -630,7 +627,7 @@ benchmark "nist_800_53_rev_5_ac_3_4_c" {
 control.iam_user_unused_credentials_90,
 control.secretsmanager_secret_automatic_rotation_enabled,
 control.secretsmanager_secret_rotated_as_scheduled,
- control.secretsmanager_secret_unused_90_day,
+ control.secretsmanager_secret_unused_90_day
 ]
 tags = local.nist_800_53_rev_5_common_tags
@@ -638,7 +635,7 @@ benchmark "nist_800_53_rev_5_ac_3_4_c" {
 benchmark "nist_800_53_rev_5_ac_3_4_d" {
 title = "AC-3(4)(d)"
- description = "Enforce [Assignment: organization-defined discretionary access policy] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: (d) Choose the security attributes to be associated with newly created or revised objects;"
+ description = "Enforce [Assignment: organization-defined discretionary access policy] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: (d) Choose the security attributes to be associated with newly created or revised objects."
 children = [
 control.ec2_instance_uses_imdsv2,
 control.iam_account_password_policy_min_length_14,
@@ -655,7 +652,7 @@ benchmark "nist_800_53_rev_5_ac_3_4_d" {
 control.iam_user_unused_credentials_90,
 control.secretsmanager_secret_automatic_rotation_enabled,
 control.secretsmanager_secret_rotated_as_scheduled,
- control.secretsmanager_secret_unused_90_day,
+ control.secretsmanager_secret_unused_90_day
 ]
 tags = local.nist_800_53_rev_5_common_tags
@@ -680,7 +677,7 @@ benchmark "nist_800_53_rev_5_ac_3_4_e" {
 control.iam_user_unused_credentials_90,
 control.secretsmanager_secret_automatic_rotation_enabled,
 control.secretsmanager_secret_rotated_as_scheduled,
- control.secretsmanager_secret_unused_90_day,
+ control.secretsmanager_secret_unused_90_day
 ]
 tags = local.nist_800_53_rev_5_common_tags
@@ -713,7 +710,7 @@ benchmark "nist_800_53_rev_5_ac_3_7" {
 control.s3_public_access_block_account,
 control.s3_public_access_block_bucket,
 control.sagemaker_notebook_instance_direct_internet_access_disabled,
- control.vpc_subnet_auto_assign_public_ip_disabled,
+ control.vpc_subnet_auto_assign_public_ip_disabled
 ]
 tags = local.nist_800_53_rev_5_common_tags
@@ -738,7 +735,7 @@ benchmark "nist_800_53_rev_5_ac_3_8" {
 control.iam_user_unused_credentials_90,
 control.secretsmanager_secret_automatic_rotation_enabled,
 control.secretsmanager_secret_rotated_as_scheduled,
- control.secretsmanager_secret_unused_90_day,
+ control.secretsmanager_secret_unused_90_day
 ]
 tags = local.nist_800_53_rev_5_common_tags
@@ -773,7 +770,7 @@ benchmark "nist_800_53_rev_5_ac_3_12" {
 benchmark "nist_800_53_rev_5_ac_3_12_a" {
 title = "AC-3(12)(a)"
- description = "(a) Require applications to assert, as part of the installation process, the access needed to the following system applications and functions: [Assignment: organization-defined system applications and functions];"
+ description = "(a) Require applications to assert, as part of the installation process, the access needed to the following system applications and functions: [Assignment: organization-defined system applications and functions]."
 children = [
 control.ec2_instance_uses_imdsv2,
 control.iam_account_password_policy_min_length_14,
@@ -790,7 +787,7 @@ benchmark "nist_800_53_rev_5_ac_3_12_a" {
 control.iam_user_unused_credentials_90,
 control.secretsmanager_secret_automatic_rotation_enabled,
 control.secretsmanager_secret_rotated_as_scheduled,
- control.secretsmanager_secret_unused_90_day,
+ control.secretsmanager_secret_unused_90_day
 ]
 tags = local.nist_800_53_rev_5_common_tags
@@ -827,7 +824,7 @@ benchmark "nist_800_53_rev_5_ac_3_13" {
 control.iam_user_unused_credentials_90,
 control.secretsmanager_secret_automatic_rotation_enabled,
 control.secretsmanager_secret_rotated_as_scheduled,
- control.secretsmanager_secret_unused_90_day,
+ control.secretsmanager_secret_unused_90_day
 ]
 tags = local.nist_800_53_rev_5_common_tags
@@ -835,7 +832,7 @@ benchmark "nist_800_53_rev_5_ac_3_13" {
 benchmark "nist_800_53_rev_5_ac_3_15" {
 title = "AC-3(15) Discretionary And Mandatory Access Control"
- description = "a. Enforce [Assignment: organization-defined mandatory access control policy] over the set of covered subjects and objects specified in the policy; and b. Enforce [Assignment: organization-defined discretionary access control policy] over the set of covered subjects and objects specified in the policy"
+ description = "a. Enforce [Assignment: organization-defined mandatory access control policy] over the set of covered subjects and objects specified in the policy; and b. Enforce [Assignment: organization-defined discretionary access control policy] over the set of covered subjects and objects specified in the policy."
 children = [
 benchmark.nist_800_53_rev_5_ac_3_15_a,
 benchmark.nist_800_53_rev_5_ac_3_15_b
@@ -846,7 +843,7 @@ benchmark "nist_800_53_rev_5_ac_3_15" {
 benchmark "nist_800_53_rev_5_ac_3_15_a" {
 title = "AC-3(15)(a)"
- description = "(a) Enforce [Assignment: organization-defined mandatory access control policy] over the set of covered subjects and objects specified in the policy;"
+ description = "(a) Enforce [Assignment: organization-defined mandatory access control policy] over the set of covered subjects and objects specified in the policy."
 children = [
 control.ec2_instance_uses_imdsv2,
 control.iam_account_password_policy_min_length_14,
@@ -863,7 +860,7 @@ benchmark "nist_800_53_rev_5_ac_3_15_a" {
 control.iam_user_unused_credentials_90,
 control.secretsmanager_secret_automatic_rotation_enabled,
 control.secretsmanager_secret_rotated_as_scheduled,
- control.secretsmanager_secret_unused_90_day,
+ control.secretsmanager_secret_unused_90_day
 ]
 tags = local.nist_800_53_rev_5_common_tags
@@ -888,7 +885,7 @@ benchmark "nist_800_53_rev_5_ac_3_15_b" {
 control.iam_user_unused_credentials_90,
 control.secretsmanager_secret_automatic_rotation_enabled,
 control.secretsmanager_secret_rotated_as_scheduled,
- control.secretsmanager_secret_unused_90_day,
+ control.secretsmanager_secret_unused_90_day
 ]
 tags = local.nist_800_53_rev_5_common_tags
@@ -989,21 +986,21 @@ benchmark "nist_800_53_rev_5_ac_4_28" {
 description = "When transferring information between different security domains, implement a linear content filter pipeline that is enforced with discretionary and mandatory access controls."
 children = [
 control.ec2_instance_uses_imdsv2,
- control.iam_group_user_role_no_inline_policies,
- control.iam_user_access_key_age_90,
 control.iam_account_password_policy_min_length_14,
+ control.iam_group_user_role_no_inline_policies,
 control.iam_policy_no_star_star,
+ control.iam_root_user_hardware_mfa_enabled,
+ control.iam_root_user_mfa_enabled,
 control.iam_root_user_no_access_keys,
+ control.iam_user_access_key_age_90,
+ control.iam_user_console_access_mfa_enabled,
 control.iam_user_in_group,
 control.iam_user_mfa_enabled,
- control.secretsmanager_secret_unused_90_day,
 control.iam_user_no_inline_attached_policies,
 control.iam_user_unused_credentials_90,
- control.iam_user_console_access_mfa_enabled,
- control.iam_root_user_hardware_mfa_enabled,
- control.iam_root_user_mfa_enabled,
 control.secretsmanager_secret_automatic_rotation_enabled,
 control.secretsmanager_secret_rotated_as_scheduled,
+ control.secretsmanager_secret_unused_90_day
 ]
 tags = local.nist_800_53_rev_5_common_tags
@@ -1021,11 +1018,11 @@ benchmark "nist_800_53_rev_5_ac_5" {
 benchmark "nist_800_53_rev_5_ac_5_b" {
 title = "AC-5(b)"
- description = "b. Define system access authorizations to support separation of duties."
+ description = "Define system access authorizations to support separation of duties."
 children = [
 control.ecs_task_definition_user_for_host_mode_check,
 control.iam_all_policy_no_service_wild_card,
- control.iam_policy_no_star_star,
+ control.iam_policy_no_star_star
 ]
 tags = local.nist_800_53_rev_5_common_tags
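Review bot: The new `ac_5_b` description drops the "b." part label that the old text carried, while the other sub-part benchmarks touched by this commit keep theirs (`"(a) Enforce …"` in ac_3_15_a, `"(a) Allow …"` in ac_7_4_a, `"a. Provide …"` in ac_16). AC-5 in SP 800-53 Rev. 5 lists this requirement as part b, so the label also tells a report reader which part of the control the benchmark is evidencing. Suggest keeping the convention: `description = "b. Define system access authorizations to support separation of duties."`. The ac_4_28 reorder in the first hunk looks fine; its benchmark header and closing brace are outside the hunk.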
@@ -1035,10 +1032,10 @@ benchmark "nist_800_53_rev_5_ac_6" {
 title = "Least Privilege (AC-6)"
 description = "Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks."
 children = [
- benchmark.nist_800_53_rev_5_ac_6_10,
 benchmark.nist_800_53_rev_5_ac_6_2,
 benchmark.nist_800_53_rev_5_ac_6_3,
 benchmark.nist_800_53_rev_5_ac_6_9,
+ benchmark.nist_800_53_rev_5_ac_6_10,
 control.dms_replication_instance_not_publicly_accessible,
 control.ebs_snapshot_not_publicly_restorable,
 control.ec2_instance_in_vpc,
@@ -1062,7 +1059,7 @@ benchmark "nist_800_53_rev_5_ac_6" {
 control.s3_public_access_block_account,
 control.s3_public_access_block_bucket,
 control.sagemaker_notebook_instance_direct_internet_access_disabled,
- control.vpc_subnet_auto_assign_public_ip_disabled,
+ control.vpc_subnet_auto_assign_public_ip_disabled
 ]
 tags = local.nist_800_53_rev_5_common_tags
@@ -1074,7 +1071,7 @@ benchmark "nist_800_53_rev_5_ac_6_2" {
 children = [
 control.iam_all_policy_no_service_wild_card,
 control.iam_policy_no_star_star,
- control.iam_root_user_no_access_keys,
+ control.iam_root_user_no_access_keys
 ]
 tags = merge(local.nist_800_53_rev_5_common_tags, {
@@ -1158,13 +1155,13 @@ benchmark "nist_800_53_rev_5_ac_7_4" {
 benchmark "nist_800_53_rev_5_ac_7_4_a" {
 title = "AC-7(4)(a)"
- description = "(a) Allow the use of [Assignment: organization-defined authentication factors] that are different from the primary authentication factors after the number of organization-defined consecutive invalid logon attempts have been exceeded;"
+ description = "(a) Allow the use of [Assignment: organization-defined authentication factors] that are different from the primary authentication factors after the number of organization-defined consecutive invalid logon attempts have been exceeded."
 children = [
 control.iam_account_password_policy_min_length_14,
 control.iam_root_user_hardware_mfa_enabled,
 control.iam_root_user_mfa_enabled,
 control.iam_user_console_access_mfa_enabled,
- control.iam_user_mfa_enabled,
+ control.iam_user_mfa_enabled
 ]
 tags = merge(local.nist_800_53_rev_5_common_tags, {
@@ -1174,7 +1171,7 @@ benchmark "nist_800_53_rev_5_ac_7_4_a" {
 benchmark "nist_800_53_rev_5_ac_16" {
 title = "Security And Privacy Attributes (AC-16)"
- description = "a. Provide the means to associate [Assignment: organization-defined types of security and privacy attributes] with [Assignment: organization-defined security and privacy attribute values] for information in storage, in process, and/or in transmission; b. Ensure that the attribute associations are made and retained with the information; c. Establish the following permitted security and privacy attributes from the attributes defined in AC-16a for [Assignment: organization-defined systems]: [Assignment: organization-defined security and privacy attributes];"
+ description = "a. Provide the means to associate [Assignment: organization-defined types of security and privacy attributes] with [Assignment: organization-defined security and privacy attribute values] for information in storage, in process, and/or in transmission; b. Ensure that the attribute associations are made and retained with the information; c. Establish the following permitted security and privacy attributes from the attributes defined in AC-16a for [Assignment: organization-defined systems]: [Assignment: organization-defined security and privacy attributes]."
 children = [
 benchmark.nist_800_53_rev_5_ac_16_b
 ]
@@ -1203,7 +1200,7 @@ benchmark "nist_800_53_rev_5_ac_17" {
 benchmark.nist_800_53_rev_5_ac_17_4,
 benchmark.nist_800_53_rev_5_ac_17_9,
 benchmark.nist_800_53_rev_5_ac_17_10,
- benchmark.nist_800_53_rev_5_ac_17_b,
+ benchmark.nist_800_53_rev_5_ac_17_b
 ]
 tags = local.nist_800_53_rev_5_common_tags
@@ -1263,7 +1260,7 @@ benchmark "nist_800_53_rev_5_ac_17_1" {
 control.vpc_security_group_restrict_ingress_common_ports_all,
 control.vpc_security_group_restrict_ingress_ssh_all,
 control.vpc_security_group_restrict_ingress_tcp_udp_all,
- control.vpc_subnet_auto_assign_public_ip_disabled,
+ control.vpc_subnet_auto_assign_public_ip_disabled
 ]
 tags = local.nist_800_53_rev_5_common_tags
@@ -1277,7 +1274,7 @@ benchmark "nist_800_53_rev_5_ac_17_2" {
 control.elb_application_lb_redirect_http_request_to_https,
 control.elb_classic_lb_use_ssl_certificate,
 control.elb_classic_lb_use_tls_https_listeners,
- control.s3_bucket_enforces_ssl,
+ control.s3_bucket_enforces_ssl
 ]
 tags = local.nist_800_53_rev_5_common_tags
@@ -1317,7 +1314,7 @@ benchmark "nist_800_53_rev_5_ac_17_4_a" {
 control.vpc_security_group_restrict_ingress_common_ports_all,
 control.vpc_security_group_restrict_ingress_tcp_udp_all,
 control.vpc_subnet_auto_assign_public_ip_disabled,
- control.vpc_security_group_restrict_ingress_ssh_all,
+ control.vpc_security_group_restrict_ingress_ssh_all
 ]
 tags = local.nist_800_53_rev_5_common_tags
@@ -1345,9 +1342,9 @@ benchmark "nist_800_53_rev_5_ac_17_9" {
 control.sagemaker_notebook_instance_direct_internet_access_disabled,
 control.vpc_default_security_group_restricts_all_traffic,
 control.vpc_security_group_restrict_ingress_common_ports_all,
+ control.vpc_security_group_restrict_ingress_ssh_all,
 control.vpc_security_group_restrict_ingress_tcp_udp_all,
- control.vpc_subnet_auto_assign_public_ip_disabled,
- control.vpc_security_group_restrict_ingress_ssh_all,
+ control.vpc_subnet_auto_assign_public_ip_disabled
 ]
 tags = local.nist_800_53_rev_5_common_tags
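Review bot: The ac_17_4_a hunk (@@ -1317) leaves `control.vpc_security_group_restrict_ingress_ssh_all` after `control.vpc_subnet_auto_assign_public_ip_disabled`, while the ac_17_9 hunk on this line and the ac_17_10 hunk on the next move the same control into alphabetical position. Since the commit is establishing a sorted-children convention across these files, ac_17_4_a should get the same two-line swap so the three remote-access benchmarks read alike and a later diff of their children is meaningful. The start of that children list is outside the hunk.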
@@ -1375,9 +1372,9 @@ benchmark "nist_800_53_rev_5_ac_17_10" {
 control.sagemaker_notebook_instance_direct_internet_access_disabled,
 control.vpc_default_security_group_restricts_all_traffic,
 control.vpc_security_group_restrict_ingress_common_ports_all,
+ control.vpc_security_group_restrict_ingress_ssh_all,
 control.vpc_security_group_restrict_ingress_tcp_udp_all,
- control.vpc_subnet_auto_assign_public_ip_disabled,
- control.vpc_security_group_restrict_ingress_ssh_all
+ control.vpc_subnet_auto_assign_public_ip_disabled
 ]
 tags = local.nist_800_53_rev_5_common_tags
@@ -1403,7 +1400,7 @@ benchmark "nist_800_53_rev_5_ac_24" {
 control.iam_user_unused_credentials_90,
 control.secretsmanager_secret_automatic_rotation_enabled,
 control.secretsmanager_secret_rotated_as_scheduled,
- control.secretsmanager_secret_unused_90_day,
+ control.secretsmanager_secret_unused_90_day
 ]
 tags = local.nist_800_53_rev_5_common_tags
diff --git a/nist_800_53_rev_5/au.sp b/nist_800_53_rev_5/au.sp
index 489becb6..12e8587f 100644
--- a/nist_800_53_rev_5/au.sp
+++ b/nist_800_53_rev_5/au.sp
@@ -32,7 +32,7 @@ benchmark "nist_800_53_rev_5_au_2" {
 benchmark "nist_800_53_rev_5_au_2_b" {
 title = "AU-2(b)"
- description = "b. Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;"
+ description = "b. Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged."
 children = [
 control.apigateway_stage_logging_enabled,
 control.cloudtrail_multi_region_trail_enabled,
@@ -44,7 +44,7 @@ benchmark "nist_800_53_rev_5_au_2_b" {
 control.redshift_cluster_encryption_logging_enabled,
 control.s3_bucket_logging_enabled,
 control.vpc_flow_logs_enabled,
- control.wafv2_web_acl_logging_enabled,
+ control.wafv2_web_acl_logging_enabled
 ]
 tags = local.nist_800_53_rev_5_common_tags
@@ -68,7 +68,7 @@ benchmark "nist_800_53_rev_5_au_3" {
 benchmark "nist_800_53_rev_5_au_3_a" {
 title = "AU-3(a)"
- description = "Ensure that audit records contain information that establishes the following: a. What type of event occurred;"
+ description = "Ensure that audit records contain information that establishes the following: a. What type of event occurred."
 children = [
 control.apigateway_stage_logging_enabled,
 control.cloudtrail_multi_region_trail_enabled,
@@ -80,7 +80,7 @@ benchmark "nist_800_53_rev_5_au_3_a" {
 control.redshift_cluster_encryption_logging_enabled,
 control.s3_bucket_logging_enabled,
 control.vpc_flow_logs_enabled,
- control.wafv2_web_acl_logging_enabled,
+ control.wafv2_web_acl_logging_enabled
 ]
 tags = local.nist_800_53_rev_5_common_tags
@@ -88,7 +88,7 @@ benchmark "nist_800_53_rev_5_au_3_a" {
 benchmark "nist_800_53_rev_5_au_3_b" {
 title = "AU-3(b)"
- description = "Ensure that audit records contain information that establishes the following: b. When the event occurred;"
+ description = "Ensure that audit records contain information that establishes the following: b. When the event occurred."
 children = [
 control.apigateway_stage_logging_enabled,
 control.cloudtrail_multi_region_trail_enabled,
@@ -100,7 +100,7 @@ benchmark "nist_800_53_rev_5_au_3_b" {
 control.redshift_cluster_encryption_logging_enabled,
 control.s3_bucket_logging_enabled,
 control.vpc_flow_logs_enabled,
- control.wafv2_web_acl_logging_enabled,
+ control.wafv2_web_acl_logging_enabled
 ]
 tags = local.nist_800_53_rev_5_common_tags
@@ -108,7 +108,7 @@ benchmark "nist_800_53_rev_5_au_3_b" {
 benchmark "nist_800_53_rev_5_au_3_c" {
 title = "AU-3(c)"
- description = "Ensure that audit records contain information that establishes the following: c. Where the event occurred;"
+ description = "Ensure that audit records contain information that establishes the following: c. Where the event occurred."
 children = [
 control.apigateway_stage_logging_enabled,
 control.cloudtrail_multi_region_trail_enabled,
@@ -120,7 +120,7 @@ benchmark "nist_800_53_rev_5_au_3_c" {
 control.redshift_cluster_encryption_logging_enabled,
 control.s3_bucket_logging_enabled,
 control.vpc_flow_logs_enabled,
- control.wafv2_web_acl_logging_enabled,
+ control.wafv2_web_acl_logging_enabled
 ]
 tags = local.nist_800_53_rev_5_common_tags
@@ -128,7 +128,7 @@ benchmark "nist_800_53_rev_5_au_3_c" {
 benchmark "nist_800_53_rev_5_au_3_d" {
 title = "AU-3(d)"
- description = "Ensure that audit records contain information that establishes the following: d. Source of the event;"
+ description = "Ensure that audit records contain information that establishes the following: d. Source of the event."
 children = [
 control.apigateway_stage_logging_enabled,
 control.cloudtrail_multi_region_trail_enabled,
@@ -140,7 +140,7 @@ benchmark "nist_800_53_rev_5_au_3_d" {
 control.redshift_cluster_encryption_logging_enabled,
 control.s3_bucket_logging_enabled,
 control.vpc_flow_logs_enabled,
- control.wafv2_web_acl_logging_enabled,
+ control.wafv2_web_acl_logging_enabled
 ]
 tags = local.nist_800_53_rev_5_common_tags
@@ -148,7 +148,7 @@ benchmark "nist_800_53_rev_5_au_3_d" {
 benchmark "nist_800_53_rev_5_au_3_e" {
 title = "AU-3(e)"
- description = "Ensure that audit records contain information that establishes the following: e. Outcome of the event;"
+ description = "Ensure that audit records contain information that establishes the following: e. Outcome of the event."
 children = [
 control.apigateway_stage_logging_enabled,
 control.cloudtrail_multi_region_trail_enabled,
@@ -160,7 +160,7 @@ benchmark "nist_800_53_rev_5_au_3_e" {
 control.redshift_cluster_encryption_logging_enabled,
 control.s3_bucket_logging_enabled,
 control.vpc_flow_logs_enabled,
- control.wafv2_web_acl_logging_enabled,
+ control.wafv2_web_acl_logging_enabled
 ]
 tags = local.nist_800_53_rev_5_common_tags
@@ -168,7 +168,7 @@ benchmark "nist_800_53_rev_5_au_3_e" {
 benchmark "nist_800_53_rev_5_au_3_f" {
 title = "AU-3(f)"
- description = "Ensure that audit records contain information that establishes the following: e. Outcome of the event;"
+ description = "Ensure that audit records contain information that establishes the following: e. Outcome of the event."
 children = [
 control.apigateway_stage_logging_enabled,
 control.cloudtrail_multi_region_trail_enabled,
@@ -179,7 +179,7 @@ benchmark "nist_800_53_rev_5_au_3_f" {
 control.rds_db_instance_logging_enabled,
 control.redshift_cluster_encryption_logging_enabled,
 control.s3_bucket_logging_enabled,
- control.wafv2_web_acl_logging_enabled,
+ control.wafv2_web_acl_logging_enabled
 ]
 tags = local.nist_800_53_rev_5_common_tags
@@ -238,7 +238,7 @@ benchmark "nist_800_53_rev_5_au_6_1" {
 control.cloudtrail_trail_integrated_with_logs,
 control.cloudwatch_alarm_action_enabled,
 control.guardduty_enabled,
- control.securityhub_enabled,
+ control.securityhub_enabled
 ]
 tags = local.nist_800_53_rev_5_common_tags
@@ -259,7 +259,7 @@ benchmark "nist_800_53_rev_5_au_6_3" {
 control.redshift_cluster_encryption_logging_enabled,
 control.s3_bucket_logging_enabled,
 control.vpc_flow_logs_enabled,
- control.wafv2_web_acl_logging_enabled,
+ control.wafv2_web_acl_logging_enabled
 ]
 tags = local.nist_800_53_rev_5_common_tags
@@ -293,7 +293,7 @@ benchmark "nist_800_53_rev_5_au_6_5" {
 control.cloudtrail_trail_integrated_with_logs,
 control.cloudwatch_alarm_action_enabled,
 control.guardduty_enabled,
- control.securityhub_enabled,
+ control.securityhub_enabled
 ]
 tags = local.nist_800_53_rev_5_common_tags
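Review bot: In the `au_3_f` hunk (@@ -168) the new description still reads `"Ensure that audit records contain information that establishes the following: e. Outcome of the event."`, the same text as `au_3_e` one hunk earlier; the commit only changed its punctuation. The benchmark's title is AU-3(f), whose Rev. 5 text is the identity of any individuals, subjects, or objects/entities associated with the event, so a report would show part (e) twice and never show part (f). Suggest `description = "Ensure that audit records contain information that establishes the following: f. Identity of any individuals, subjects, or objects/entities associated with the event."`. The tail of au_3_f's children at @@ -179 also appears to omit `control.vpc_flow_logs_enabled`, which the other AU-3 sub-parts list between `s3_bucket_logging_enabled` and `wafv2_web_acl_logging_enabled`; the head of that list is outside the hunk, so confirm whether the omission is deliberate.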
@@ -314,7 +314,7 @@ benchmark "nist_800_53_rev_5_au_6_6" {
 control.redshift_cluster_encryption_logging_enabled,
 control.s3_bucket_logging_enabled,
 control.vpc_flow_logs_enabled,
- control.wafv2_web_acl_logging_enabled,
+ control.wafv2_web_acl_logging_enabled
 ]
 tags = local.nist_800_53_rev_5_common_tags
@@ -335,7 +335,7 @@ benchmark "nist_800_53_rev_5_au_6_9" {
 control.redshift_cluster_encryption_logging_enabled,
 control.s3_bucket_logging_enabled,
 control.vpc_flow_logs_enabled,
- control.wafv2_web_acl_logging_enabled,
+ control.wafv2_web_acl_logging_enabled
 ]
 tags = local.nist_800_53_rev_5_common_tags
@@ -385,7 +385,7 @@ benchmark "nist_800_53_rev_5_au_8_b" {
 control.redshift_cluster_encryption_logging_enabled,
 control.s3_bucket_logging_enabled,
 control.vpc_flow_logs_enabled,
- control.wafv2_web_acl_logging_enabled,
+ control.wafv2_web_acl_logging_enabled
 ]
 tags = local.nist_800_53_rev_5_common_tags
@@ -406,7 +406,7 @@ benchmark "nist_800_53_rev_5_au_9" {
 benchmark "nist_800_53_rev_5_au_9_a" {
 title = "AU-9(a)"
- description = "a. Protect audit information and audit logging tools from unauthorized access, modification, and deletion;"
+ description = "a. Protect audit information and audit logging tools from unauthorized access, modification, and deletion."
 children = [
 control.cloudtrail_trail_validation_enabled
 ]
@@ -454,7 +454,7 @@ benchmark "nist_800_53_rev_5_au_9_3" {
 control.sagemaker_endpoint_configuration_encryption_at_rest_enabled,
 control.sagemaker_notebook_instance_encryption_at_rest_enabled,
 control.secretsmanager_secret_encrypted_with_kms_cmk,
- control.sns_topic_encrypted_at_rest,
+ control.sns_topic_encrypted_at_rest
 ]
 tags = local.nist_800_53_rev_5_common_tags
@@ -485,7 +485,7 @@ benchmark "nist_800_53_rev_5_au_10" {
 control.rds_db_instance_logging_enabled,
 control.redshift_cluster_encryption_logging_enabled,
 control.s3_bucket_logging_enabled,
- control.wafv2_web_acl_logging_enabled,
+ control.wafv2_web_acl_logging_enabled
 ]
 tags = local.nist_800_53_rev_5_common_tags
@@ -496,7 +496,7 @@ benchmark "nist_800_53_rev_5_au_11" {
 description = "Retain audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements."
 children = [
 benchmark.nist_800_53_rev_5_au_11_1,
- control.cloudwatch_log_group_retention_period_365,
+ control.cloudwatch_log_group_retention_period_365
 ]
 tags = merge(local.nist_800_53_rev_5_common_tags, {
@@ -526,7 +526,7 @@ benchmark "nist_800_53_rev_5_au_12" {
 benchmark.nist_800_53_rev_5_au_12_3,
 benchmark.nist_800_53_rev_5_au_12_4,
 benchmark.nist_800_53_rev_5_au_12_a,
- benchmark.nist_800_53_rev_5_au_12_c,
+ benchmark.nist_800_53_rev_5_au_12_c
 ]
 tags = local.nist_800_53_rev_5_common_tags
@@ -534,7 +534,7 @@ benchmark "nist_800_53_rev_5_au_12" {
 benchmark "nist_800_53_rev_5_au_12_a" {
 title = "AU-12(a)"
- description = "a. Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2a on [Assignment: organization-defined system components];"
+ description = "a. Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2a on [Assignment: organization-defined system components]."
 children = [
 control.apigateway_stage_logging_enabled,
 control.cloudtrail_multi_region_trail_enabled,
@@ -546,7 +546,7 @@ benchmark "nist_800_53_rev_5_au_12_a" {
 control.redshift_cluster_encryption_logging_enabled,
 control.s3_bucket_logging_enabled,
 control.vpc_flow_logs_enabled,
- control.wafv2_web_acl_logging_enabled,
+ control.wafv2_web_acl_logging_enabled
 ]
 tags = local.nist_800_53_rev_5_common_tags
@@ -566,7 +566,7 @@ benchmark "nist_800_53_rev_5_au_12_c" {
 control.redshift_cluster_encryption_logging_enabled,
 control.s3_bucket_logging_enabled,
 control.vpc_flow_logs_enabled,
- control.wafv2_web_acl_logging_enabled,
+ control.wafv2_web_acl_logging_enabled
 ]
 tags = local.nist_800_53_rev_5_common_tags
@@ -587,7 +587,7 @@ benchmark "nist_800_53_rev_5_au_12_1" {
 control.redshift_cluster_encryption_logging_enabled,
 control.s3_bucket_logging_enabled,
 control.vpc_flow_logs_enabled,
- control.wafv2_web_acl_logging_enabled,
+ control.wafv2_web_acl_logging_enabled
 ]
 tags = local.nist_800_53_rev_5_common_tags
@@ -608,7 +608,7 @@ benchmark "nist_800_53_rev_5_au_12_2" {
 control.redshift_cluster_encryption_logging_enabled,
 control.s3_bucket_logging_enabled,
 control.vpc_flow_logs_enabled,
- control.wafv2_web_acl_logging_enabled,
+ control.wafv2_web_acl_logging_enabled
 ]
 tags = local.nist_800_53_rev_5_common_tags
@@ -637,7 +637,7 @@ benchmark "nist_800_53_rev_5_au_12_3" {
 control.s3_bucket_logging_enabled,
 control.securityhub_enabled,
 control.vpc_flow_logs_enabled,
- control.wafv2_web_acl_logging_enabled,
+ control.wafv2_web_acl_logging_enabled
 ]
 tags = local.nist_800_53_rev_5_common_tags
@@ -657,7 +657,7 @@ benchmark "nist_800_53_rev_5_au_12_4" {
 control.redshift_cluster_encryption_logging_enabled,
 control.s3_bucket_logging_enabled,
 control.vpc_flow_logs_enabled,
- control.wafv2_web_acl_logging_enabled,
+ control.wafv2_web_acl_logging_enabled
 ]
 tags = local.nist_800_53_rev_5_common_tags
@@ -677,7 +677,7 @@ benchmark "nist_800_53_rev_5_au_14" {
 
 benchmark "nist_800_53_rev_5_au_14_a" {
 title = "AU-14(a)"
- description = "a. Provide and implement the capability for [Assignment: organization-defined users or roles] to [Selection (one or more): record; view; hear; log] the content of a user session under [Assignment: organization-defined circumstances];"
+ description = "a. Provide and implement the capability for [Assignment: organization-defined users or roles] to [Selection (one or more): record; view; hear; log] the content of a user session under [Assignment: organization-defined circumstances]."
 children = [
 control.apigateway_stage_logging_enabled,
 control.autoscaling_group_with_lb_use_health_check,
@@ -698,7 +698,7 @@ benchmark "nist_800_53_rev_5_au_14_a" {
 control.s3_bucket_logging_enabled,
 control.securityhub_enabled,
 control.vpc_flow_logs_enabled,
- control.wafv2_web_acl_logging_enabled,
+ control.wafv2_web_acl_logging_enabled
 ]
 
 tags = local.nist_800_53_rev_5_common_tags
@@ -727,7 +727,7 @@ benchmark "nist_800_53_rev_5_au_14_b" {
 control.s3_bucket_logging_enabled,
 control.securityhub_enabled,
 control.vpc_flow_logs_enabled,
- control.wafv2_web_acl_logging_enabled,
+ control.wafv2_web_acl_logging_enabled
 ]
 
 tags = local.nist_800_53_rev_5_common_tags
@@ -747,7 +747,7 @@ benchmark "nist_800_53_rev_5_au_14_3" {
 control.redshift_cluster_encryption_logging_enabled,
 control.s3_bucket_logging_enabled,
 control.vpc_flow_logs_enabled,
- control.wafv2_web_acl_logging_enabled,
+ control.wafv2_web_acl_logging_enabled
 ]
 
 tags = local.nist_800_53_rev_5_common_tags
diff --git a/nist_800_53_rev_5/ca.sp b/nist_800_53_rev_5/ca.sp
index b887ab37..021e26af 100644
--- a/nist_800_53_rev_5/ca.sp
+++ b/nist_800_53_rev_5/ca.sp
@@ -37,7 +37,7 @@ benchmark "nist_800_53_rev_5_ca_2_2" {
 
 benchmark "nist_800_53_rev_5_ca_2_d" {
 title = "CA-2(d)"
- description = "d. Assess the controls in the system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements;"
+ description = "d. Assess the controls in the system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements."
 children = [
 control.guardduty_enabled,
 control.securityhub_enabled
@@ -67,7 +67,7 @@ benchmark "nist_800_53_rev_5_ca_7" {
 
 benchmark "nist_800_53_rev_5_ca_7_b" {
 title = "CA-7(b)"
- description = "Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes: b. Establishing [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessment of control effectiveness;"
+ description = "Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes: b. Establishing [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessment of control effectiveness."
 children = [
 control.apigateway_stage_logging_enabled,
 control.autoscaling_group_with_lb_use_health_check,
@@ -127,7 +127,7 @@ benchmark "nist_800_53_rev_5_ca_9" {
 
 benchmark "nist_800_53_rev_5_ca_9_b" {
 title = "CA-9(b)"
- description = "b. Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated;"
+ description = "b. Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated."
 children = [
 control.apigateway_rest_api_stage_use_ssl_certificate,
 control.elb_application_lb_redirect_http_request_to_https,
@@ -135,7 +135,7 @@ benchmark "nist_800_53_rev_5_ca_9_b" {
 control.elb_classic_lb_use_tls_https_listeners,
 control.es_domain_node_to_node_encryption_enabled,
 control.redshift_cluster_encryption_in_transit_enabled,
- control.s3_bucket_enforces_ssl,
+ control.s3_bucket_enforces_ssl
 ]
 
 tags = local.nist_800_53_rev_5_common_tags
diff --git a/nist_800_53_rev_5/cm.sp b/nist_800_53_rev_5/cm.sp
index e4377295..e328af94 100644
--- a/nist_800_53_rev_5/cm.sp
+++ b/nist_800_53_rev_5/cm.sp
@@ -29,14 +29,14 @@ benchmark "nist_800_53_rev_5_cm_2" {
 
 benchmark "nist_800_53_rev_5_cm_2_a" {
 title = "CM-2(a)"
- description = "a. Develop, document, and maintain under configuration control, a current baseline configuration of the system;"
+ description = "a. Develop, document, and maintain under configuration control, a current baseline configuration of the system."
 children = [
 control.ebs_volume_unsued,
 control.ec2_instance_ssm_managed,
 control.ec2_stopped_instance_30_days,
 control.elb_application_lb_deletion_protection_enabled,
 control.ssm_managed_instance_compliance_association_compliant,
- control.vpc_security_group_restrict_ingress_common_ports_all,
+ control.vpc_security_group_restrict_ingress_common_ports_all
 ]
 
 tags = local.nist_800_53_rev_5_common_tags
@@ -54,7 +54,7 @@ benchmark "nist_800_53_rev_5_cm_2_b" {
 control.ec2_instance_ssm_managed,
 control.ec2_stopped_instance_30_days,
 control.redshift_cluster_maintenance_settings_check,
- control.ssm_managed_instance_compliance_association_compliant,
+ control.ssm_managed_instance_compliance_association_compliant
 ]
 
 tags = local.nist_800_53_rev_5_common_tags
@@ -62,14 +62,14 @@ benchmark "nist_800_53_rev_5_cm_2_b" {
 
 benchmark "nist_800_53_rev_5_cm_2_b_1" {
 title = "CM-2(b)(1)"
- description = "b. Review and update the baseline configuration of the system: 1. [Assignment: organization-defined frequency];"
+ description = "b. Review and update the baseline configuration of the system: 1. [Assignment: organization-defined frequency]."
 children = [
 control.account_part_of_organizations,
 control.ebs_volume_unsued,
 control.ec2_instance_ssm_managed,
 control.ec2_stopped_instance_30_days,
 control.redshift_cluster_maintenance_settings_check,
- control.ssm_managed_instance_compliance_association_compliant,
+ control.ssm_managed_instance_compliance_association_compliant
 ]
 
 tags = local.nist_800_53_rev_5_common_tags
@@ -77,14 +77,14 @@ benchmark "nist_800_53_rev_5_cm_2_b_1" {
 
 benchmark "nist_800_53_rev_5_cm_2_b_2" {
 title = "CM-2(b)(2)"
- description = "b. Review and update the baseline configuration of the system: 2. When required due to [Assignment: organization-defined circumstances];"
+ description = "b. Review and update the baseline configuration of the system: 2. When required due to [Assignment: organization-defined circumstances]."
 children = [
 control.account_part_of_organizations,
 control.ebs_volume_unsued,
 control.ec2_instance_ssm_managed,
 control.ec2_stopped_instance_30_days,
 control.redshift_cluster_maintenance_settings_check,
- control.ssm_managed_instance_compliance_association_compliant,
+ control.ssm_managed_instance_compliance_association_compliant
 ]
 
 tags = local.nist_800_53_rev_5_common_tags
@@ -94,12 +94,12 @@ benchmark "nist_800_53_rev_5_cm_2_b_3" {
 title = "CM-2(b)(3)"
 description = "b. Review and update the baseline configuration of the system: 3 When system components are installed or upgraded."
 children = [
- control.ec2_instance_ssm_managed,
 control.account_part_of_organizations,
- control.ssm_managed_instance_compliance_association_compliant,
- control.ec2_stopped_instance_30_days,
 control.ebs_volume_unsued,
+ control.ec2_instance_ssm_managed,
+ control.ec2_stopped_instance_30_days,
 control.redshift_cluster_maintenance_settings_check,
+ control.ssm_managed_instance_compliance_association_compliant
 ]
 
 tags = local.nist_800_53_rev_5_common_tags
@@ -133,7 +133,7 @@ benchmark "nist_800_53_rev_5_cm_3" {
 
 benchmark "nist_800_53_rev_5_cm_3_a" {
 title = "CM-3(a)"
- description = "a. Determine and document the types of changes to the system that are configuration-controlled;"
+ description = "a. Determine and document the types of changes to the system that are configuration-controlled."
 children = [
 control.elb_application_lb_deletion_protection_enabled,
 control.rds_db_instance_deletion_protection_enabled
@@ -151,7 +151,7 @@ benchmark "nist_800_53_rev_5_cm_3_3" {
 control.ec2_instance_ssm_managed,
 control.ec2_stopped_instance_30_days,
 control.redshift_cluster_maintenance_settings_check,
- control.ssm_managed_instance_compliance_association_compliant,
+ control.ssm_managed_instance_compliance_association_compliant
 ]
 
 tags = local.nist_800_53_rev_5_common_tags
@@ -180,7 +180,7 @@ benchmark "nist_800_53_rev_5_cm_5_1" {
 
 benchmark "nist_800_53_rev_5_cm_5_1_a" {
 title = "CM-5(1)(a)"
- description = "(a) Enforce access restrictions using [Assignment: organization-defined automated mechanisms];"
+ description = "(a) Enforce access restrictions using [Assignment: organization-defined automated mechanisms]."
 children = [
 control.ec2_instance_iam_profile_attached,
 control.ec2_instance_uses_imdsv2,
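Review bot: The CM-2(b)(3) description in the first hunk still reads `3 When system components are installed or upgraded.` while the sibling sub-parts CM-2(b)(1) and CM-2(b)(2) in the preceding hunks number their item as `1.` and `2.`; since this commit is already normalizing punctuation in these strings and touches this block's children, that context line should become `description = "b. Review and update the baseline configuration of the system: 3. When system components are installed or upgraded."`. The reordered children are a pure alphabetical sort of the same six controls and match the sibling lists, so nothing else in the hunk changes behavior.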
@@ -199,8 +199,7 @@ benchmark "nist_800_53_rev_5_cm_5_1_a" {
 control.iam_user_unused_credentials_90,
 control.secretsmanager_secret_automatic_rotation_enabled,
 control.secretsmanager_secret_rotated_as_scheduled,
- control.secretsmanager_secret_unused_90_day,
-
+ control.secretsmanager_secret_unused_90_day
 ]
 
 tags = local.nist_800_53_rev_5_common_tags
@@ -228,7 +227,7 @@ benchmark "nist_800_53_rev_5_cm_5_1_b" {
 
 benchmark "nist_800_53_rev_5_cm_6" {
 title = "Configuration Settings (CM-6)"
- description = "The organization: (i) establishes mandatory configuration settings for information technology products employed within the information system; (ii) configures the security settings of information technology products to the most restrictive mode consistent with operational requirements; (iii) documents the configuration settings; and (iv) enforces the configuration settings in all components of the information system"
+ description = "The organization: (i) establishes mandatory configuration settings for information technology products employed within the information system; (ii) configures the security settings of information technology products to the most restrictive mode consistent with operational requirements; (iii) documents the configuration settings; and (iv) enforces the configuration settings in all components of the information system."
 children = [
 benchmark.nist_800_53_rev_5_cm_6_a,
 control.ec2_instance_ssm_managed,
@@ -240,7 +239,7 @@ benchmark "nist_800_53_rev_5_cm_6" {
 
 benchmark "nist_800_53_rev_5_cm_6_a" {
 title = "CM-6(a)"
- description = "a. Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using [Assignment: organization-defined common secure configurations];"
+ description = "a. Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using [Assignment: organization-defined common secure configurations]."
 children = [
 control.account_part_of_organizations,
 control.autoscaling_group_with_lb_use_health_check,
@@ -274,7 +273,7 @@ benchmark "nist_800_53_rev_5_cm_6_a" {
 control.s3_public_access_block_account,
 control.vpc_default_security_group_restricts_all_traffic,
 control.vpc_flow_logs_enabled,
- control.vpc_security_group_restrict_ingress_common_ports_all,
+ control.vpc_security_group_restrict_ingress_common_ports_all
 ]
 
 tags = local.nist_800_53_rev_5_common_tags
@@ -318,7 +317,7 @@ benchmark "nist_800_53_rev_5_cm_8" {
 
 benchmark "nist_800_53_rev_5_cm_8_a" {
 title = "CM-8(a)"
- description = "a. Develop and document an inventory of system components that: 1. Accurately reflects the system; 2. Includes all components within the system; 3. Does not include duplicate accounting of components or components assigned to any other system; 4. Is at the level of granularity deemed necessary for tracking and reporting; and 5. Includes the following information to achieve system component accountability: [Assignment: organization-defined information deemed necessary to achieve effective system component accountability];"
+ description = "a. Develop and document an inventory of system components that: 1. Accurately reflects the system; 2. Includes all components within the system; 3. Does not include duplicate accounting of components or components assigned to any other system; 4. Is at the level of granularity deemed necessary for tracking and reporting; and 5. Includes the following information to achieve system component accountability: [Assignment: organization-defined information deemed necessary to achieve effective system component accountability]."
 children = [
 benchmark.nist_800_53_rev_5_cm_8_a_1,
 benchmark.nist_800_53_rev_5_cm_8_a_2,
@@ -334,7 +333,7 @@ benchmark "nist_800_53_rev_5_cm_8_a" {
 
 benchmark "nist_800_53_rev_5_cm_8_a_1" {
 title = "CM-8(a)(1)"
- description = "a. Develop and document an inventory of system components that: 1. Accurately reflects the system;"
+ description = "a. Develop and document an inventory of system components that: 1. Accurately reflects the system."
 children = [
 control.ec2_instance_ssm_managed,
 control.ssm_managed_instance_compliance_association_compliant
@@ -345,7 +344,7 @@ benchmark "nist_800_53_rev_5_cm_8_a_1" {
 
 benchmark "nist_800_53_rev_5_cm_8_a_2" {
 title = "CM-8(a)(2)"
- description = "a. Develop and document an inventory of system components that: 2. Includes all components within the system;"
+ description = "a. Develop and document an inventory of system components that: 2. Includes all components within the system."
 children = [
 control.ec2_instance_ssm_managed,
 control.ssm_managed_instance_compliance_association_compliant
@@ -356,7 +355,7 @@ benchmark "nist_800_53_rev_5_cm_8_a_2" {
 
 benchmark "nist_800_53_rev_5_cm_8_a_3" {
 title = "CM-8(a)(3)"
- description = "a. Develop and document an inventory of system components that: 3. Does not include duplicate accounting of components or components assigned to any other system;"
+ description = "a. Develop and document an inventory of system components that: 3. Does not include duplicate accounting of components or components assigned to any other system."
 children = [
 control.ec2_instance_ssm_managed,
 control.ssm_managed_instance_compliance_association_compliant
@@ -367,7 +366,7 @@ benchmark "nist_800_53_rev_5_cm_8_a_3" {
 
 benchmark "nist_800_53_rev_5_cm_8_a_4" {
 title = "CM-8(a)(4)"
- description = "a. Develop and document an inventory of system components that: 4. Is at the level of granularity deemed necessary for tracking and reporting;"
+ description = "a. Develop and document an inventory of system components that: 4. Is at the level of granularity deemed necessary for tracking and reporting."
 children = [
 control.ec2_instance_ssm_managed,
 control.ssm_managed_instance_compliance_association_compliant
@@ -378,7 +377,7 @@ benchmark "nist_800_53_rev_5_cm_8_a_4" {
 
 benchmark "nist_800_53_rev_5_cm_8_a_5" {
 title = "CM-8(a)(5)"
- description = "a. Develop and document an inventory of system components that: 5. Includes the following information to achieve system component accountability: [Assignment: organization-defined information deemed necessary to achieve effective system component accountability];"
+ description = "a. Develop and document an inventory of system components that: 5. Includes the following information to achieve system component accountability: [Assignment: organization-defined information deemed necessary to achieve effective system component accountability]."
 children = [
 control.ec2_instance_ssm_managed,
 control.ssm_managed_instance_compliance_association_compliant,
@@ -431,7 +430,7 @@ benchmark "nist_800_53_rev_5_cm_8_3" {
 
 benchmark "nist_800_53_rev_5_cm_8_3_a" {
 title = "CM-8(3)(a)"
- description = "(a) Detect the presence of unauthorized hardware, software, and firmware components within the system using [Assignment: organization-defined automated mechanisms] [Assignment: organization-defined frequency];"
+ description = "(a) Detect the presence of unauthorized hardware, software, and firmware components within the system using [Assignment: organization-defined automated mechanisms] [Assignment: organization-defined frequency]."
 children = [
 control.ec2_instance_ssm_managed,
 control.guardduty_enabled,
@@ -469,7 +468,7 @@ benchmark "nist_800_53_rev_5_cm_9" {
 
 benchmark "nist_800_53_rev_5_cm_9_b" {
 title = "CM-9(b)"
- description = "Develop, document, and implement a configuration management plan for the system that: b. Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items;"
+ description = "Develop, document, and implement a configuration management plan for the system that: b. Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items."
 children = [
 control.account_part_of_organizations,
 control.autoscaling_group_with_lb_use_health_check,
@@ -502,7 +501,7 @@ benchmark "nist_800_53_rev_5_cm_9_b" {
 control.vpc_default_security_group_restricts_all_traffic,
 control.vpc_flow_logs_enabled,
 control.vpc_security_group_restrict_ingress_common_ports_all,
- control.vpc_security_group_restrict_ingress_ssh_all,
+ control.vpc_security_group_restrict_ingress_ssh_all
 ]
 
 tags = local.nist_800_53_rev_5_common_tags
@@ -520,7 +519,7 @@ benchmark "nist_800_53_rev_5_cm_12" {
 
 benchmark "nist_800_53_rev_5_cm_12_b" {
 title = "CM-12(b)"
- description = "b. Identify and document the users who have access to the system and system components where the information is processed and stored;"
+ description = "b. Identify and document the users who have access to the system and system components where the information is processed and stored."
 children = [
 control.iam_account_password_policy_min_length_14
 ]
diff --git a/nist_800_53_rev_5/cp.sp b/nist_800_53_rev_5/cp.sp
index 95cd8cc4..9396b346 100644
--- a/nist_800_53_rev_5/cp.sp
+++ b/nist_800_53_rev_5/cp.sp
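Review bot: In the third hunk, CM-12(b) asks the organization to identify and document the users who have access to the system, but the only child in its `children` list is `control.iam_account_password_policy_min_length_14`, a password-length check that says nothing about who holds access; the benchmark will report CM-12(b) satisfied on evidence that does not address the control statement. The description punctuation fix is fine, but while this block is being touched the mapping deserves either a user-inventory style check — `control.iam_user_unused_credentials_90`, already referenced under CM-5(1)(a) in this file, at least evidences periodic account review — or a comment such as `# TODO: no AWS control directly evidences user access documentation; placeholder mapping` so readers do not mistake it for a real control. The block's tags and closing brace are outside the hunk, and whether the mod has a closer-fitting control is not visible here.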
@@ -25,7 +25,7 @@ benchmark "nist_800_53_rev_5_cp_1" {
 
 benchmark "nist_800_53_rev_5_cp_1_a" {
 title = "CP-1(a)"
- description = "a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] contingency planning policy that: a). Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b). Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls;"
+ description = "a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] contingency planning policy that: a). Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b). Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2. Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls."
 children = [
 benchmark.nist_800_53_rev_5_cp_1_a_2,
 benchmark.nist_800_53_rev_5_cp_1_a_1_b
@@ -36,14 +36,14 @@ benchmark "nist_800_53_rev_5_cp_1_a" {
 
 benchmark "nist_800_53_rev_5_cp_1_a_1_b" {
 title = "CP-1(a)(1)(b)"
- description = "a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] contingency planning policy that: (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;"
+ description = "a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] contingency planning policy that: (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines."
 children = [
 control.dynamodb_table_auto_scaling_enabled,
 control.elb_application_lb_deletion_protection_enabled,
 control.elb_classic_lb_cross_zone_load_balancing_enabled,
 control.rds_db_instance_deletion_protection_enabled,
 control.rds_db_instance_multiple_az_enabled,
- control.vpc_vpn_tunnel_up,
+ control.vpc_vpn_tunnel_up
 ]
 
 tags = local.nist_800_53_rev_5_common_tags
@@ -51,14 +51,14 @@ benchmark "nist_800_53_rev_5_cp_1_a_1_b" {
 
 benchmark "nist_800_53_rev_5_cp_1_a_2" {
 title = "CP-1(a)(2)"
- description = "a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 2. Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls;"
+ description = "a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: 2. Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls."
 children = [
 control.dynamodb_table_auto_scaling_enabled,
 control.elb_application_lb_deletion_protection_enabled,
 control.elb_classic_lb_cross_zone_load_balancing_enabled,
 control.rds_db_instance_deletion_protection_enabled,
 control.rds_db_instance_multiple_az_enabled,
- control.vpc_vpn_tunnel_up,
+ control.vpc_vpn_tunnel_up
 ]
 
 tags = local.nist_800_53_rev_5_common_tags
@@ -92,7 +92,6 @@ benchmark "nist_800_53_rev_5_cp_2" {
 benchmark.nist_800_53_rev_5_cp_2_e,
 benchmark.nist_800_53_rev_5_cp_2_5,
 benchmark.nist_800_53_rev_5_cp_2_6
-
 ]
 
 tags = local.nist_800_53_rev_5_common_tags
@@ -100,7 +99,7 @@ benchmark "nist_800_53_rev_5_cp_2" {
 
 benchmark "nist_800_53_rev_5_cp_2_a" {
 title = "CP-2(a)"
- description = "a. Develop a contingency plan for the system that: 1. Identifies essential mission and business functions and associated contingency requirements; 2. Provides recovery objectives, restoration priorities, and metrics; 3. Addresses contingency roles, responsibilities, assigned individuals with contact information; 4. Addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure; 5. Addresses eventual, full system restoration without deterioration of the controls originally planned and implemented; 6. Addresses the sharing of contingency information; and 7. Is reviewed and approved by [Assignment: organization-defined personnel or roles];"
+ description = "a. Develop a contingency plan for the system that: 1. Identifies essential mission and business functions and associated contingency requirements; 2. Provides recovery objectives, restoration priorities, and metrics; 3. Addresses contingency roles, responsibilities, assigned individuals with contact information; 4. Addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure; 5. Addresses eventual, full system restoration without deterioration of the controls originally planned and implemented; 6. Addresses the sharing of contingency information; and 7. Is reviewed and approved by [Assignment: organization-defined personnel or roles]."
 children = [
 benchmark.nist_800_53_rev_5_cp_2_a_6,
 benchmark.nist_800_53_rev_5_cp_2_a_7,
@@ -117,7 +116,7 @@ benchmark "nist_800_53_rev_5_cp_2_a" {
 
 benchmark "nist_800_53_rev_5_cp_2_a_6" {
 title = "CP-2(a)(6)"
- description = "a. Develop a contingency plan for the system that: 6. Addresses the sharing of contingency information;"
+ description = "a. Develop a contingency plan for the system that: 6. Addresses the sharing of contingency information."
 children = [
 control.dynamodb_table_auto_scaling_enabled,
 control.elb_application_lb_deletion_protection_enabled,
@@ -132,7 +131,7 @@ benchmark "nist_800_53_rev_5_cp_2_a_6" {
 
 benchmark "nist_800_53_rev_5_cp_2_a_7" {
 title = "CP-2(a)(7)"
- description = "a. Develop a contingency plan for the system that: 7. Is reviewed and approved by [Assignment: organization-defined personnel or roles];"
+ description = "a. Develop a contingency plan for the system that: 7. Is reviewed and approved by [Assignment: organization-defined personnel or roles]."
 children = [
 control.dynamodb_table_auto_scaling_enabled,
 control.elb_application_lb_deletion_protection_enabled,
@@ -147,7 +146,7 @@ benchmark "nist_800_53_rev_5_cp_2_a_7" {
 
 benchmark "nist_800_53_rev_5_cp_2_d" {
 title = "CP-2(d)"
- description = "d. Review the contingency plan for the system [Assignment: organization-defined frequency];"
+ description = "d. Review the contingency plan for the system [Assignment: organization-defined frequency]"
 children = [
 control.dynamodb_table_auto_scaling_enabled,
 control.elb_application_lb_deletion_protection_enabled,
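Review bot: The CP-2(d) description in the third hunk is the one string in this normalization pass that drops the trailing semicolon without adding the closing period every sibling (CP-2(a)(6), CP-2(a)(7), CP-2(e), CP-6(a)) now ends with, so the new line leaves the benchmark text inconsistent. It should read `description = "d. Review the contingency plan for the system [Assignment: organization-defined frequency]."`. The block's children list and closing brace continue outside the hunk.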
@@ -162,14 +161,14 @@ benchmark "nist_800_53_rev_5_cp_2_d" {
 
 benchmark "nist_800_53_rev_5_cp_2_e" {
 title = "CP-2(e)"
- description = "e. Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;"
+ description = "e. Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing."
 children = [
 control.dynamodb_table_auto_scaling_enabled,
 control.elb_application_lb_deletion_protection_enabled,
 control.elb_classic_lb_cross_zone_load_balancing_enabled,
 control.rds_db_instance_deletion_protection_enabled,
 control.rds_db_instance_multiple_az_enabled,
- control.vpc_vpn_tunnel_up,
+ control.vpc_vpn_tunnel_up
 ]
 
 tags = local.nist_800_53_rev_5_common_tags
@@ -208,7 +207,7 @@ benchmark "nist_800_53_rev_5_cp_2_6" {
 control.dynamodb_table_auto_scaling_enabled,
 control.elb_classic_lb_cross_zone_load_balancing_enabled,
 control.rds_db_instance_multiple_az_enabled,
- control.vpc_vpn_tunnel_up,
+ control.vpc_vpn_tunnel_up
 ]
 
 tags = local.nist_800_53_rev_5_common_tags
@@ -228,7 +227,7 @@ benchmark "nist_800_53_rev_5_cp_6" {
 
 benchmark "nist_800_53_rev_5_cp_6_a" {
 title = "CP-6(a)"
- description = "a. Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information;"
+ description = "a. Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information."
 children = [
 control.dynamodb_table_in_backup_plan,
 control.ebs_volume_in_backup_plan,
@@ -293,7 +292,7 @@ benchmark "nist_800_53_rev_5_cp_9" {
 benchmark.nist_800_53_rev_5_cp_9_a,
 benchmark.nist_800_53_rev_5_cp_9_b,
 benchmark.nist_800_53_rev_5_cp_9_c,
- benchmark.nist_800_53_rev_5_cp_9_d,
+ benchmark.nist_800_53_rev_5_cp_9_d
 ]
 
 tags = local.nist_800_53_rev_5_common_tags
@@ -301,7 +300,7 @@ benchmark "nist_800_53_rev_5_cp_9" {
 
 benchmark "nist_800_53_rev_5_cp_9_a" {
 title = "CP-9(a)"
- description = "a. Conduct backups of user-level information contained in [Assignment: organization-defined system components] [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];"
+ description = "a. Conduct backups of user-level information contained in [Assignment: organization-defined system components] [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]."
 children = [
 control.dynamodb_table_in_backup_plan,
 control.dynamodb_table_point_in_time_recovery_enabled,
@@ -322,7 +321,7 @@ benchmark "nist_800_53_rev_5_cp_9_a" {
 
 benchmark "nist_800_53_rev_5_cp_9_b" {
 title = "CP-9(b)"
- description = "b. Conduct backups of system-level information contained in the system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];"
+ description = "b. Conduct backups of system-level information contained in the system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]."
 children = [
 control.dynamodb_table_in_backup_plan,
 control.dynamodb_table_point_in_time_recovery_enabled,
@@ -335,7 +334,7 @@ benchmark "nist_800_53_rev_5_cp_9_b" {
 control.redshift_cluster_automatic_snapshots_min_7_days,
 control.redshift_cluster_maintenance_settings_check,
 control.s3_bucket_cross_region_replication_enabled,
- control.s3_bucket_versioning_enabled,
+ control.s3_bucket_versioning_enabled
 ]
 
 tags = local.nist_800_53_rev_5_common_tags
@@ -343,7 +342,7 @@ benchmark "nist_800_53_rev_5_cp_9_b" {
 
 benchmark "nist_800_53_rev_5_cp_9_c" {
 title = "CP-9(c)"
- description = "c. Conduct backups of system documentation, including security- and privacy-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];"
+ description = "c. Conduct backups of system documentation, including security- and privacy-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]."
 children = [
 control.dynamodb_table_in_backup_plan,
 control.ebs_volume_in_backup_plan,
@@ -356,7 +355,7 @@ benchmark "nist_800_53_rev_5_cp_9_c" {
 control.elasticache_redis_cluster_automatic_backup_retention_15_days,
 control.redshift_cluster_maintenance_settings_check,
 control.s3_bucket_cross_region_replication_enabled,
- control.s3_bucket_versioning_enabled,
+ control.s3_bucket_versioning_enabled
 ]
 
 tags = local.nist_800_53_rev_5_common_tags
@@ -383,7 +382,7 @@ benchmark "nist_800_53_rev_5_cp_9_d" {
 control.sagemaker_endpoint_configuration_encryption_at_rest_enabled,
 control.sagemaker_notebook_instance_encryption_at_rest_enabled,
 control.secretsmanager_secret_encrypted_with_kms_cmk,
- control.sns_topic_encrypted_at_rest,
+ control.sns_topic_encrypted_at_rest
 ]
 
 tags = local.nist_800_53_rev_5_common_tags
@@ -420,7 +419,7 @@ benchmark "nist_800_53_rev_5_cp_10" {
 control.redshift_cluster_automatic_snapshots_min_7_days,
 control.s3_bucket_cross_region_replication_enabled,
 control.s3_bucket_versioning_enabled,
- control.vpc_vpn_tunnel_up,
+ control.vpc_vpn_tunnel_up
 ]
 
 tags = local.nist_800_53_rev_5_common_tags
@@ -439,7 +438,7 @@ benchmark "nist_800_53_rev_5_cp_10_2" {
 control.rds_db_instance_in_backup_plan,
 control.redshift_cluster_automatic_snapshots_min_7_days,
 control.s3_bucket_cross_region_replication_enabled,
- control.s3_bucket_versioning_enabled,
+ control.s3_bucket_versioning_enabled
 ]
 
 tags = local.nist_800_53_rev_5_common_tags
diff --git a/nist_800_53_rev_5/ia.sp b/nist_800_53_rev_5/ia.sp
index df4285c8..f52b90bb 100644
--- a/nist_800_53_rev_5/ia.sp
+++ b/nist_800_53_rev_5/ia.sp
@@ -76,12 +76,12 @@ benchmark "nist_800_53_rev_5_ia_2_6" {
 
 benchmark "nist_800_53_rev_5_ia_2_6_a" {
 title = "IA-2(6)(a)"
- description = "Implement multi-factor authentication for [Selection (one or more): local; network; remote] access to [Selection (one or more): privileged accounts; non-privileged accounts] such that: (a) One of the factors is provided by a device separate from the system gaining access;"
+ description = "Implement multi-factor authentication for [Selection (one or more): local; network; remote] access to [Selection (one or more): privileged accounts; non-privileged accounts] such that: (a) One of the factors is provided by a device separate from the system gaining access."
 children = [
 control.iam_root_user_hardware_mfa_enabled,
 control.iam_root_user_mfa_enabled,
 control.iam_user_console_access_mfa_enabled,
- control.iam_user_mfa_enabled,
+ control.iam_user_mfa_enabled
 ]
 
 tags = merge(local.nist_800_53_rev_5_common_tags, {
@@ -96,7 +96,7 @@ benchmark "nist_800_53_rev_5_ia_2_8" {
 control.iam_root_user_hardware_mfa_enabled,
 control.iam_root_user_mfa_enabled,
 control.iam_user_console_access_mfa_enabled,
- control.iam_user_mfa_enabled,
+ control.iam_user_mfa_enabled
 ]
 
 tags = merge(local.nist_800_53_rev_5_common_tags, {
@@ -139,7 +139,7 @@ benchmark "nist_800_53_rev_5_ia_3_3_b" { control.rds_db_instance_logging_enabled, control.redshift_cluster_encryption_logging_enabled, control.s3_bucket_logging_enabled, - control.vpc_flow_logs_enabled, + control.vpc_flow_logs_enabled ] tags = local.nist_800_53_rev_5_common_tags @@ -162,7 +162,7 @@ benchmark "nist_800_53_rev_5_ia_4" { benchmark "nist_800_53_rev_5_ia_4_b" { title = "IA-4(b)" - description = "Manage system identifiers by: b. Selecting an identifier that identifies an individual, group, role, service, or device;" + description = "Manage system identifiers by: b. Selecting an identifier that identifies an individual, group, role, service, or device." children = [ control.iam_root_user_no_access_keys ] @@ -228,9 +228,9 @@ benchmark "nist_800_53_rev_5_ia_5" { benchmark "nist_800_53_rev_5_ia_5_b" { title = "IA-5(b)" - description = "Manage system authenticators by: b. Establishing initial authenticator content for any authenticators issued by the organization;" + description = "Manage system authenticators by: b. Establishing initial authenticator content for any authenticators issued by the organization." children = [ - control.iam_account_password_policy_min_length_14, + control.iam_account_password_policy_min_length_14 ] tags = merge(local.nist_800_53_rev_5_common_tags, { @@ -240,9 +240,9 @@ benchmark "nist_800_53_rev_5_ia_5_b" { benchmark "nist_800_53_rev_5_ia_5_c" { title = "IA-5(c)" - description = "Manage system authenticators by: c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;" + description = "Manage system authenticators by: c. Ensuring that authenticators have sufficient strength of mechanism for their intended use." children = [ - control.iam_account_password_policy_min_length_14, + control.iam_account_password_policy_min_length_14 ] tags = merge(local.nist_800_53_rev_5_common_tags, { 
@@ -252,9 +252,9 @@ benchmark "nist_800_53_rev_5_ia_5_c" { benchmark "nist_800_53_rev_5_ia_5_d" { title = "IA-5(d)" - description = "Manage system authenticators by: d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators;" + description = "Manage system authenticators by: d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators." children = [ - control.iam_account_password_policy_min_length_14, + control.iam_account_password_policy_min_length_14 ] tags = merge(local.nist_800_53_rev_5_common_tags, { @@ -264,9 +264,9 @@ benchmark "nist_800_53_rev_5_ia_5_d" { benchmark "nist_800_53_rev_5_ia_5_f" { title = "IA-5(f)" - description = "Manage system authenticators by: f. Changing or refreshing authenticators [Assignment: organization-defined time period by authenticator type] or when [Assignment: organization-defined events] occur;" + description = "Manage system authenticators by: f. Changing or refreshing authenticators [Assignment: organization-defined time period by authenticator type] or when [Assignment: organization-defined events] occur." children = [ - control.iam_account_password_policy_min_length_14, + control.iam_account_password_policy_min_length_14 ] tags = merge(local.nist_800_53_rev_5_common_tags, { 
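Review bot: IA-5(d) in the first hunk and IA-5(f) in the second are each evidenced solely by `control.iam_account_password_policy_min_length_14`, yet neither requirement is about password length: (d) covers distribution, lost/compromised handling and revocation of authenticators, and (f) covers changing or refreshing them on a defined period. A passing minimum-length check says nothing about rotation or revocation, so these mappings overstate coverage; IA-5(f) in particular would be better evidenced by a password-expiration or credential-age control if the mod has one. The commit only touches punctuation here, so the mapping is inherited, but at minimum a comment such as `# partial: length policy does not evidence rotation/revocation` above the child would make the gap visible.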
@@ -276,9 +276,9 @@ benchmark "nist_800_53_rev_5_ia_5_f" { benchmark "nist_800_53_rev_5_ia_5_h" { title = "IA-5(h)" - description = "Manage system authenticators by: h. Requiring individuals to take, and having devices implement, specific controls to protect authenticators;" + description = "Manage system authenticators by: h. Requiring individuals to take, and having devices implement, specific controls to protect authenticators." children = [ - control.iam_account_password_policy_min_length_14, + control.iam_account_password_policy_min_length_14 ] tags = merge(local.nist_800_53_rev_5_common_tags, { @@ -301,7 +301,7 @@ benchmark "nist_800_53_rev_5_ia_5_1" { benchmark "nist_800_53_rev_5_ia_5_1_c" { title = "IA-5(1)(c)" - description = "For password-based authentication: (c) Transmit passwords only over cryptographically-protected channels;" + description = "For password-based authentication: (c) Transmit passwords only over cryptographically-protected channels." children = [ control.apigateway_rest_api_stage_use_ssl_certificate, control.elb_application_lb_redirect_http_request_to_https, @@ -315,7 +315,7 @@ benchmark "nist_800_53_rev_5_ia_5_1_c" { benchmark "nist_800_53_rev_5_ia_5_1_f" { title = "IA-5(1)(f)" - description = "For password-based authentication: (f) Allow user selection of long passwords and passphrases, including spaces and all printable characters;" + description = "For password-based authentication: (f) Allow user selection of long passwords and passphrases, including spaces and all printable characters." children = [ control.iam_account_password_policy_min_length_14 ] 
@@ -327,7 +327,7 @@ benchmark "nist_800_53_rev_5_ia_5_1_f" { benchmark "nist_800_53_rev_5_ia_5_1_g" { title = "IA-5(1)(g)" - description = "For password-based authentication: (g) Employ automated tools to assist the user in selecting strong password authenticators;" + description = "For password-based authentication: (g) Employ automated tools to assist the user in selecting strong password authenticators." children = [ control.iam_account_password_policy_min_length_14 ] @@ -376,7 +376,7 @@ benchmark "nist_800_53_rev_5_ia_5_18" { benchmark "nist_800_53_rev_5_ia_5_18_a" { title = "IA-5(18)(a)" - description = "(a) Employ [Assignment: organization-defined password managers] to generate and manage passwords;" + description = "(a) Employ [Assignment: organization-defined password managers] to generate and manage passwords." children = [ control.iam_account_password_policy_min_length_14 ] diff --git a/nist_800_53_rev_5/ir.sp b/nist_800_53_rev_5/ir.sp index 2fd774b9..89e27f76 100644 --- a/nist_800_53_rev_5/ir.sp +++ b/nist_800_53_rev_5/ir.sp @@ -24,7 +24,7 @@ benchmark "nist_800_53_rev_5_ir_4" { benchmark "nist_800_53_rev_5_ir_4_a" { title = "IR-4(a)" - description = "a. Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery;" + description = "a. Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery." children = [ control.guardduty_finding_archived ] diff --git a/nist_800_53_rev_5/ma.sp b/nist_800_53_rev_5/ma.sp index 3dc28c4c..f1f11a31 100644 --- a/nist_800_53_rev_5/ma.sp +++ b/nist_800_53_rev_5/ma.sp 
@@ -2,7 +2,7 @@ benchmark "nist_800_53_rev_5_ma" { title = "Maintenance (MA)" description = "The MA controls in NIST 800-53 revision five detail requirements for maintaining organizational systems and the tools used." children = [ - benchmark.nist_800_53_rev_5_ma_4, + benchmark.nist_800_53_rev_5_ma_4 ] tags = local.nist_800_53_rev_5_common_tags @@ -21,7 +21,7 @@ benchmark "nist_800_53_rev_5_ma_4" { benchmark "nist_800_53_rev_5_ma_4_c" { title = "MA-4(c)" - description = "c. Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions;" + description = "c. Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions." children = [ control.iam_account_password_policy_min_length_14 ] @@ -35,7 +35,7 @@ benchmark "nist_800_53_rev_5_ma_4_1" { title = "MA-4(1) Logging And Review" description = "a. Log [Assignment: organization-defined audit events] for nonlocal maintenance and diagnostic sessions; and b. Review the audit records of the maintenance and diagnostic sessions to detect anomalous behavior." children = [ - benchmark.nist_800_53_rev_5_ma_4_1_a, + benchmark.nist_800_53_rev_5_ma_4_1_a ] tags = local.nist_800_53_rev_5_common_tags @@ -43,7 +43,7 @@ benchmark "nist_800_53_rev_5_ma_4_1" { benchmark "nist_800_53_rev_5_ma_4_1_a" { title = "MA-4(1)(a)" - description = "(a) Log [Assignment: organization-defined audit events] for nonlocal maintenance and diagnostic sessions;" + description = "(a) Log [Assignment: organization-defined audit events] for nonlocal maintenance and diagnostic sessions." children = [ control.apigateway_stage_logging_enabled, control.cloudtrail_multi_region_trail_enabled, diff --git a/nist_800_53_rev_5/pe.sp b/nist_800_53_rev_5/pe.sp index 25196f75..f5a1b7f5 100644 --- a/nist_800_53_rev_5/pe.sp +++ b/nist_800_53_rev_5/pe.sp 
@@ -27,7 +27,7 @@ benchmark "nist_800_53_rev_5_pe_6_2" { title = "PE-6(2) Monitoring Physical Access" description = "Recognize [Assignment: organization-defined classes or types of intrusions] and initiate [Assignment: organization-defined response actions] using [Assignment: organization-defined automated mechanisms]." children = [ - control.guardduty_enabled, + control.guardduty_enabled ] tags = merge(local.nist_800_53_rev_5_common_tags, { @@ -39,7 +39,7 @@ benchmark "nist_800_53_rev_5_pe_6_4" { title = "PE-6(4) Monitoring Physical Access" description = "Monitor physical access to the system in addition to the physical access monitoring of the facility at [Assignment: organization-defined physical spaces containing one or more components of the system]." children = [ - control.guardduty_enabled, + control.guardduty_enabled ] tags = merge(local.nist_800_53_rev_5_common_tags, { diff --git a/nist_800_53_rev_5/pm.sp b/nist_800_53_rev_5/pm.sp index de49ac2e..aaf8f77d 100644 --- a/nist_800_53_rev_5/pm.sp +++ b/nist_800_53_rev_5/pm.sp @@ -25,7 +25,7 @@ benchmark "nist_800_53_rev_5_pm_11" { benchmark "nist_800_53_rev_5_pm_11_b" { title = "PM-11(b)" - description = "b. Determine information protection and personally identifiable information processing needs arising from the defined mission and business processes;" + description = "b. Determine information protection and personally identifiable information processing needs arising from the defined mission and business processes." children = [ control.cloudtrail_trail_validation_enabled, control.s3_bucket_default_encryption_enabled, 
@@ -49,7 +49,7 @@ benchmark "nist_800_53_rev_5_pm_14" { benchmark "nist_800_53_rev_5_pm_14_a_1" { title = "PM-14(a)(1)" - description = "a. Implement a process for ensuring that organizational plans for conducting security and privacy testing, training, and monitoring activities associated with organizational systems: 1. Are developed and maintained;" + description = "a. Implement a process for ensuring that organizational plans for conducting security and privacy testing, training, and monitoring activities associated with organizational systems: 1. Are developed and maintained." children = [ control.apigateway_stage_logging_enabled, control.autoscaling_group_with_lb_use_health_check, @@ -159,7 +159,7 @@ benchmark "nist_800_53_rev_5_pm_21" { benchmark "nist_800_53_rev_5_pm_21_b" { title = "PM-21(b)" - description = "b. Retain the accounting of disclosures for the length of the time the personally identifiable information is maintained or five years after the disclosure is made, whichever is longer;" + description = "b. Retain the accounting of disclosures for the length of the time the personally identifiable information is maintained or five years after the disclosure is made, whichever is longer." children = [ control.cloudwatch_log_group_retention_period_365 ] diff --git a/nist_800_53_rev_5/ra.sp b/nist_800_53_rev_5/ra.sp index ffdaef75..affef152 100644 --- a/nist_800_53_rev_5/ra.sp +++ b/nist_800_53_rev_5/ra.sp @@ -15,7 +15,7 @@ benchmark "nist_800_53_rev_5_ra_1" { title = "Policy And Procedures (RA-1)" description = "Track risk assessment policies that address purpose, scope, roles, management, and organizational compliance." children = [ - benchmark.nist_800_53_rev_5_ra_1_a, + benchmark.nist_800_53_rev_5_ra_1_a ] tags = merge(local.nist_800_53_rev_5_common_tags, { 
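Review bot: PM-21(b) in the second hunk requires the accounting of disclosures to be kept for the life of the PII `or five years after the disclosure is made, whichever is longer`, but its only child is `control.cloudwatch_log_group_retention_period_365`, a 365-day check that cannot evidence a five-year minimum. The commit only changes the trailing punctuation, so the mapping is inherited, but a passing result here would suggest a retention requirement is met when the control checks roughly one fifth of it. Either map a control whose threshold meets the requirement, or add `# partial: 365-day retention check; PM-21(b) requires at least 5 years` above the child so readers of the benchmark see the gap.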
@@ -25,7 +25,7 @@ benchmark "nist_800_53_rev_5_ra_1" { benchmark "nist_800_53_rev_5_ra_1_a" { title = "RA-1(a)" - description = "a. Establish and maintain a cyber threat hunting capability to: 1. Search for indicators of compromise in organizational systems; and 2. Detect, track, and disrupt threats that evade existing controls;" + description = "a. Establish and maintain a cyber threat hunting capability to: 1. Search for indicators of compromise in organizational systems; and 2. Detect, track, and disrupt threats that evade existing controls." children = [ benchmark.nist_800_53_rev_5_ra_1_a_1, benchmark.nist_800_53_rev_5_ra_1_a_2, @@ -39,9 +39,9 @@ benchmark "nist_800_53_rev_5_ra_1_a" { benchmark "nist_800_53_rev_5_ra_1_a_1" { title = "RA-1(a)(1)" - description = "a. Establish and maintain a cyber threat hunting capability to: 1. Search for indicators of compromise in organizational systems;" + description = "a. Establish and maintain a cyber threat hunting capability to: 1. Search for indicators of compromise in organizational systems." children = [ - control.guardduty_enabled, + control.guardduty_enabled ] tags = merge(local.nist_800_53_rev_5_common_tags, { @@ -51,9 +51,9 @@ benchmark "nist_800_53_rev_5_ra_1_a_1" { benchmark "nist_800_53_rev_5_ra_1_a_2" { title = "RA-1(a)(2)" - description = "a. Establish and maintain a cyber threat hunting capability to: 2. Detect, track, and disrupt threats that evade existing controls;" + description = "a. Establish and maintain a cyber threat hunting capability to: 2. Detect, track, and disrupt threats that evade existing controls." children = [ - control.guardduty_enabled, + control.guardduty_enabled ] tags = merge(local.nist_800_53_rev_5_common_tags, { 
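Review bot: The RA-1(a) description in the first hunk, and the RA-1(a)(1)/RA-1(a)(2) descriptions in the two hunks after it, still read `a. Establish and maintain a cyber threat hunting capability…`, which is the RA-10 (Threat Hunting) wording and says nothing about risk assessment policy, while the parent benchmark on this page titles RA-1 "Policy And Procedures (RA-1)" and describes it as tracking risk assessment policies. The commit only changed the trailing punctuation on these lines, so the mismatch survives on the new side. The `control.guardduty_enabled` children under RA-1(a)(1) and RA-1(a)(2) presumably came along with the copied text; if RA-1(a) is meant to be the policy-and-procedures sub-control, its description should be rewritten to the RA-1(a) wording and its children revisited.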
@@ -76,7 +76,7 @@ benchmark "nist_800_53_rev_5_ra_3_4" { title = "RA-3(4) Predictive Cyber Analytics" description = "Employ the following advanced automation and analytics capabilities to predict and identify risks to [Assignment: organization-defined systems or system components]: [Assignment: organization-defined advanced automation and analytics capabilities]." children = [ - control.guardduty_enabled, + control.guardduty_enabled ] tags = merge(local.nist_800_53_rev_5_common_tags, { @@ -86,7 +86,7 @@ benchmark "nist_800_53_rev_5_ra_3_4" { benchmark "nist_800_53_rev_5_ra_3_a_1" { title = "RA-3(a)(1)" - description = "a. Conduct a risk assessment, including: 1. Identifying threats to and vulnerabilities in the system;" + description = "a. Conduct a risk assessment, including: 1. Identifying threats to and vulnerabilities in the system." children = [ control.guardduty_enabled, control.ssm_managed_instance_compliance_patch_compliant @@ -100,7 +100,7 @@ benchmark "nist_800_53_rev_5_ra_5" { description = "Employ the following advanced automation and analytics capabilities to predict and identify risks to [Assignment: organization-defined systems or system components]: [Assignment: organization-defined advanced automation and analytics capabilities]." children = [ benchmark.nist_800_53_rev_5_ra_5_4, - benchmark.nist_800_53_rev_5_ra_5_a, + benchmark.nist_800_53_rev_5_ra_5_a ] tags = merge(local.nist_800_53_rev_5_common_tags, { 
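Review bot: The RA-5 benchmark description in the third hunk (`Employ the following advanced automation and analytics capabilities to predict and identify risks…`) is byte-identical to the RA-3(4) Predictive Cyber Analytics description in the first hunk and says nothing about vulnerability monitoring and scanning, which is what its children RA-5(a) and RA-5(4) cover. It is a context line the commit does not change, so the copy-paste survives; the description should be rewritten to the RA-5 vulnerability monitoring and scanning wording so the benchmark title, description and children agree.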
@@ -110,9 +110,9 @@ benchmark "nist_800_53_rev_5_ra_5" { benchmark "nist_800_53_rev_5_ra_5_a" { title = "RA-5(a)" - description = "a. Monitor and scan for vulnerabilities in the system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system are identified and reported;" + description = "a. Monitor and scan for vulnerabilities in the system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system are identified and reported." children = [ - control.guardduty_enabled, + control.guardduty_enabled ] tags = merge(local.nist_800_53_rev_5_common_tags, { service = "AWS/GuardDuty" @@ -123,7 +123,7 @@ benchmark "nist_800_53_rev_5_ra_5_4" { title = "RA-5(4) Discoverable Information" description = "Determine information about the system that is discoverable and take [Assignment: organization-defined corrective actions]." children = [ - control.guardduty_enabled, + control.guardduty_enabled ] tags = merge(local.nist_800_53_rev_5_common_tags, { @@ -135,7 +135,7 @@ benchmark "nist_800_53_rev_5_ra_10" { title = "Threat Hunting (RA-10)" description = "a. Establish and maintain a cyber threat hunting capability to: 1. Search for indicators of compromise in organizational systems; and 2. Detect, track, and disrupt threats that evade existing controls; and b. Employ the threat hunting capability [Assignment: organization-defined frequency]." children = [ - benchmark.nist_800_53_rev_5_ra_10_a, + benchmark.nist_800_53_rev_5_ra_10_a ] tags = merge(local.nist_800_53_rev_5_common_tags, { 
@@ -145,11 +145,11 @@ benchmark "nist_800_53_rev_5_ra_10" { benchmark "nist_800_53_rev_5_ra_10_a" { title = "RA-10(a)" - description = "a. Establish and maintain a cyber threat hunting capability to: 1. Search for indicators of compromise in organizational systems; and 2. Detect, track, and disrupt threats that evade existings;" + description = "a. Establish and maintain a cyber threat hunting capability to: 1. Search for indicators of compromise in organizational systems; and 2. Detect, track, and disrupt threats that evade existings." children = [ benchmark.nist_800_53_rev_5_ra_10_a_1, benchmark.nist_800_53_rev_5_ra_10_a_2, - control.guardduty_enabled, + control.guardduty_enabled ] tags = merge(local.nist_800_53_rev_5_common_tags, { @@ -159,9 +159,9 @@ benchmark "nist_800_53_rev_5_ra_10_a" { benchmark "nist_800_53_rev_5_ra_10_a_1" { title = "RA-10(a)(1)" - description = "a. Establish and maintain a cyber threat hunting capability to: 1. Search for indicators of compromise in organizational systems; and 2. Detect, track, and disrupt threats that evade existings;" + description = "a. Establish and maintain a cyber threat hunting capability to: 1. Search for indicators of compromise in organizational systems; and 2. Detect, track, and disrupt threats that evade existings." children = [ - control.guardduty_enabled, + control.guardduty_enabled ] tags = merge(local.nist_800_53_rev_5_common_tags, { @@ -171,9 +171,9 @@ benchmark "nist_800_53_rev_5_ra_10_a_1" { benchmark "nist_800_53_rev_5_ra_10_a_2" { title = "RA-10(a)(2)" - description = "a. Establish and maintain a cyber threat hunting capability to: 2. Detect, track, and disrupt threats that evade existings;" + description = "a. Establish and maintain a cyber threat hunting capability to: 2. Detect, track, and disrupt threats that evade existings." children = [ - control.guardduty_enabled, + control.guardduty_enabled ] tags = merge(local.nist_800_53_rev_5_common_tags, { 
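Review bot: The RA-10(a), RA-10(a)(1) and RA-10(a)(2) descriptions in these three hunks keep the truncated phrase `threats that evade existings` on the new side, while the parent RA-10 block just above reads `threats that evade existing controls`, which is the intended wording. Since the commit rewrites exactly these lines, the fix is to end them with `…threats that evade existing controls.` instead of only swapping the semicolon for a period. RA-10(a)(1) also repeats both enumerated items although its title scopes it to item 1, unlike RA-10(a)(2) which carries only item 2; trimming it to `…capability to: 1. Search for indicators of compromise in organizational systems.` would make the pair consistent.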
diff --git a/nist_800_53_rev_5/sa.sp b/nist_800_53_rev_5/sa.sp index 95fe6760..3c0554d7 100644 --- a/nist_800_53_rev_5/sa.sp +++ b/nist_800_53_rev_5/sa.sp @@ -96,7 +96,7 @@ benchmark "nist_800_53_rev_5_sa_15" { benchmark "nist_800_53_rev_5_sa_15_a_4" { title = "SA-15(a)(4)" - description = "a. Require the developer of the system, system component, or system service to follow a documented development process that: 4. Documents, manages, and ensures the integrity of changes to the process and/or tools used in development;" + description = "a. Require the developer of the system, system component, or system service to follow a documented development process that: 4. Documents, manages, and ensures the integrity of changes to the process and/or tools used in development." children = [ control.elb_application_lb_deletion_protection_enabled, control.rds_db_instance_deletion_protection_enabled diff --git a/nist_800_53_rev_5/sc.sp b/nist_800_53_rev_5/sc.sp index e9acac18..6cd34136 100644 --- a/nist_800_53_rev_5/sc.sp +++ b/nist_800_53_rev_5/sc.sp @@ -28,7 +28,7 @@ benchmark "nist_800_53_rev_5_sc_5" { benchmark.nist_800_53_rev_5_sc_5_2, benchmark.nist_800_53_rev_5_sc_5_3, benchmark.nist_800_53_rev_5_sc_5_a, - benchmark.nist_800_53_rev_5_sc_5_b, + benchmark.nist_800_53_rev_5_sc_5_b ] tags = local.nist_800_53_rev_5_common_tags @@ -67,7 +67,7 @@ benchmark "nist_800_53_rev_5_sc_5_2" { control.redshift_cluster_maintenance_settings_check, control.s3_bucket_cross_region_replication_enabled, control.s3_bucket_versioning_enabled, - control.vpc_vpn_tunnel_up, + control.vpc_vpn_tunnel_up ] tags = local.nist_800_53_rev_5_common_tags 
@@ -88,7 +88,7 @@ benchmark "nist_800_53_rev_5_sc_5_3" { benchmark "nist_800_53_rev_5_sc_5_a" { title = "SC-5(a)" - description = "a. [Selection: Protect against; Limit] the effects of the following types of denial-of-service events: [Assignment: organization-defined types of denial-of-service events];" + description = "a. [Selection: Protect against; Limit] the effects of the following types of denial-of-service events: [Assignment: organization-defined types of denial-of-service events]." children = [ control.guardduty_enabled ] @@ -112,7 +112,7 @@ benchmark "nist_800_53_rev_5_sc_5_b" { benchmark "nist_800_53_rev_5_sc_5_3_a" { title = "SC-5(3)(a)" - description = "(a) Employ the following monitoring tools to detect indicators of denial-of-service attacks against, or launched from, the system: [Assignment: organization-defined monitoring tools];" + description = "(a) Employ the following monitoring tools to detect indicators of denial-of-service attacks against, or launched from, the system: [Assignment: organization-defined monitoring tools]." children = [ control.guardduty_enabled ] @@ -244,7 +244,7 @@ benchmark "nist_800_53_rev_5_sc_7_4" { benchmark "nist_800_53_rev_5_sc_7_4_b" { title = "SC-7(4)(b)" - description = "(b) Establish a traffic flow policy for each managed interface;" + description = "(b) Establish a traffic flow policy for each managed interface." children = [ control.apigateway_rest_api_stage_use_ssl_certificate, control.elb_application_lb_redirect_http_request_to_https, 
@@ -260,7 +260,7 @@ benchmark "nist_800_53_rev_5_sc_7_4_b" { benchmark "nist_800_53_rev_5_sc_7_4_g" { title = "SC-7(4)(g)" - description = "(g) Publish information to enable remote networks to detect unauthorized control plane traffic from internal networks;" + description = "(g) Publish information to enable remote networks to detect unauthorized control plane traffic from internal networks." children = [ control.apigateway_rest_api_stage_use_ssl_certificate, control.elb_application_lb_redirect_http_request_to_https, @@ -311,7 +311,7 @@ benchmark "nist_800_53_rev_5_sc_7_7" { control.vpc_security_group_restrict_ingress_common_ports_all, control.vpc_security_group_restrict_ingress_ssh_all, control.vpc_security_group_restrict_ingress_tcp_udp_all, - control.vpc_subnet_auto_assign_public_ip_disabled, + control.vpc_subnet_auto_assign_public_ip_disabled ] tags = local.nist_800_53_rev_5_common_tags @@ -330,7 +330,7 @@ benchmark "nist_800_53_rev_5_sc_7_9" { benchmark "nist_800_53_rev_5_sc_7_9_a" { title = "SC-7(9)(a)" - description = "(a) Detect and deny outgoing communications traffic posing a threat to external systems;" + description = "(a) Detect and deny outgoing communications traffic posing a threat to external systems." children = [ control.dms_replication_instance_not_publicly_accessible, control.ebs_snapshot_not_publicly_restorable, @@ -348,7 +348,7 @@ benchmark "nist_800_53_rev_5_sc_7_9_a" { control.s3_public_access_block_account, control.s3_public_access_block_bucket, control.sagemaker_notebook_instance_direct_internet_access_disabled, - control.vpc_subnet_auto_assign_public_ip_disabled, + control.vpc_subnet_auto_assign_public_ip_disabled ] tags = local.nist_800_53_rev_5_common_tags 
@@ -531,7 +531,7 @@ benchmark "nist_800_53_rev_5_sc_7_24" { benchmark "nist_800_53_rev_5_sc_7_24_b" { title = "SC-7(24)(b)" - description = "For systems that process personally identifiable information: (b) Monitor for permitted processing at the external interfaces to the system and at key internal boundaries within the system;" + description = "For systems that process personally identifiable information: (b) Monitor for permitted processing at the external interfaces to the system and at key internal boundaries within the system." children = [ control.dms_replication_instance_not_publicly_accessible, control.ebs_snapshot_not_publicly_restorable, @@ -631,7 +631,7 @@ benchmark "nist_800_53_rev_5_sc_7_27" { control.vpc_default_security_group_restricts_all_traffic, control.vpc_security_group_restrict_ingress_common_ports_all, control.vpc_security_group_restrict_ingress_ssh_all, - control.vpc_subnet_auto_assign_public_ip_disabled, + control.vpc_subnet_auto_assign_public_ip_disabled ] tags = local.nist_800_53_rev_5_common_tags @@ -665,7 +665,7 @@ benchmark "nist_800_53_rev_5_sc_7_28" { benchmark "nist_800_53_rev_5_sc_7_a" { title = "SC-7(a)" - description = "a. Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system;" + description = "a. Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system." children = [ control.dms_replication_instance_not_publicly_accessible, control.ebs_snapshot_not_publicly_restorable, 
@@ -695,7 +695,7 @@ benchmark "nist_800_53_rev_5_sc_7_a" { benchmark "nist_800_53_rev_5_sc_7_b" { title = "SC-7(b)" - description = "b. Implement subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks;" + description = "b. Implement subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks." children = [ control.dms_replication_instance_not_publicly_accessible, control.ebs_snapshot_not_publicly_restorable, @@ -941,7 +941,7 @@ benchmark "nist_800_53_rev_5_sc_13" { benchmark "nist_800_53_rev_5_sc_13_a" { title = "SC-13(a)" - description = "a. Determine the [Assignment: organization-defined cryptographic uses];" + description = "a. Determine the [Assignment: organization-defined cryptographic uses]." children = [ control.apigateway_rest_api_stage_use_ssl_certificate, control.apigateway_stage_cache_encryption_at_rest_enabled, @@ -967,7 +967,7 @@ benchmark "nist_800_53_rev_5_sc_13_a" { control.sagemaker_endpoint_configuration_encryption_at_rest_enabled, control.sagemaker_notebook_instance_encryption_at_rest_enabled, control.secretsmanager_secret_encrypted_with_kms_cmk, - control.sns_topic_encrypted_at_rest, + control.sns_topic_encrypted_at_rest ] tags = local.nist_800_53_rev_5_common_tags @@ -1090,7 +1090,7 @@ benchmark "nist_800_53_rev_5_sc_25" { control.s3_public_access_block_account, control.s3_public_access_block_bucket, control.sagemaker_notebook_instance_direct_internet_access_disabled, - control.vpc_subnet_auto_assign_public_ip_disabled, + control.vpc_subnet_auto_assign_public_ip_disabled ] tags = local.nist_800_53_rev_5_common_tags 
@@ -1128,7 +1128,7 @@ benchmark "nist_800_53_rev_5_sc_28_1" { control.sagemaker_endpoint_configuration_encryption_at_rest_enabled, control.sagemaker_notebook_instance_encryption_at_rest_enabled, control.secretsmanager_secret_encrypted_with_kms_cmk, - control.sns_topic_encrypted_at_rest, + control.sns_topic_encrypted_at_rest ] tags = local.nist_800_53_rev_5_common_tags @@ -1162,7 +1162,7 @@ benchmark "nist_800_53_rev_5_sc_36" { benchmark "nist_800_53_rev_5_sc_36_1_a" { title = "SC-36(1)(a)" - description = "(a) Employ polling techniques to identify potential faults, errors, or compromises to the following processing and storage components: [Assignment: organization-defined distributed processing and storage components];" + description = "(a) Employ polling techniques to identify potential faults, errors, or compromises to the following processing and storage components: [Assignment: organization-defined distributed processing and storage components]." children = [ control.autoscaling_group_with_lb_use_health_check, control.cloudwatch_alarm_action_enabled, diff --git a/nist_800_53_rev_5/si.sp b/nist_800_53_rev_5/si.sp index bfe5a0e5..a0ddcd8c 100644 --- a/nist_800_53_rev_5/si.sp +++ b/nist_800_53_rev_5/si.sp @@ -23,7 +23,7 @@ benchmark "nist_800_53_rev_5_si_1" { children = [ benchmark.nist_800_53_rev_5_si_1_1_c, benchmark.nist_800_53_rev_5_si_1_a_2, - benchmark.nist_800_53_rev_5_si_1_c_2, + benchmark.nist_800_53_rev_5_si_1_c_2 ] tags = local.nist_800_53_rev_5_common_tags @@ -89,7 +89,7 @@ benchmark "nist_800_53_rev_5_si_2" { benchmark.nist_800_53_rev_5_si_2_5, benchmark.nist_800_53_rev_5_si_2_a, benchmark.nist_800_53_rev_5_si_2_c, - benchmark.nist_800_53_rev_5_si_2_d, + benchmark.nist_800_53_rev_5_si_2_d ] tags = local.nist_800_53_rev_5_common_tags 
@@ -101,7 +101,7 @@ benchmark "nist_800_53_rev_5_si_2_5" { children = [ control.elastic_beanstalk_enhanced_health_reporting_enabled, control.redshift_cluster_maintenance_settings_check, - control.ssm_managed_instance_compliance_patch_compliant, + control.ssm_managed_instance_compliance_patch_compliant ] tags = local.nist_800_53_rev_5_common_tags @@ -113,7 +113,7 @@ benchmark "nist_800_53_rev_5_si_2_2" { children = [ control.elastic_beanstalk_enhanced_health_reporting_enabled, control.redshift_cluster_maintenance_settings_check, - control.ssm_managed_instance_compliance_patch_compliant, + control.ssm_managed_instance_compliance_patch_compliant ] tags = local.nist_800_53_rev_5_common_tags @@ -121,13 +121,13 @@ benchmark "nist_800_53_rev_5_si_2_2" { benchmark "nist_800_53_rev_5_si_2_a" { title = "SI-2(a)" - description = "a. Identify, report, and correct system flaws;" + description = "Identify, report, and correct system flaws." children = [ control.autoscaling_group_with_lb_use_health_check, control.cloudwatch_alarm_action_enabled, control.elastic_beanstalk_enhanced_health_reporting_enabled, control.lambda_function_dead_letter_queue_configured, - control.rds_db_instance_and_cluster_enhanced_monitoring_enabled, + control.rds_db_instance_and_cluster_enhanced_monitoring_enabled ] tags = local.nist_800_53_rev_5_common_tags 
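Review bot: The SI-2(a) description in the third hunk drops its enumeration prefix (`Identify, report, and correct system flaws.`), and SI-2(c) and SI-2(d) in the two hunks that follow do the same, while every other sub-control description touched by this commit keeps the prefix (SI-4(a) `a. Monitor…`, SI-3(c)(2) `c. Configure…`, IA-5(b) `b. Establishing…`). If the intent is to strip the prefixes, that should be done file-wide in one pass rather than for three blocks; otherwise keep `a. Identify, report, and correct system flaws.` here and the matching `c.`/`d.` forms in the two following hunks.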
@@ -135,11 +135,11 @@ benchmark "nist_800_53_rev_5_si_2_a" { benchmark "nist_800_53_rev_5_si_2_c" { title = "SI-2(c)" - description = "c. Install security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates;" + description = "Install security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates." children = [ control.elastic_beanstalk_enhanced_health_reporting_enabled, control.redshift_cluster_maintenance_settings_check, - control.ssm_managed_instance_compliance_patch_compliant, + control.ssm_managed_instance_compliance_patch_compliant ] tags = local.nist_800_53_rev_5_common_tags @@ -147,11 +147,11 @@ benchmark "nist_800_53_rev_5_si_2_c" { benchmark "nist_800_53_rev_5_si_2_d" { title = "SI-2(d)" - description = "d. Incorporate flaw remediation into the organizational configuration management process." + description = "Incorporate flaw remediation into the organizational configuration management process." children = [ control.elastic_beanstalk_enhanced_health_reporting_enabled, control.redshift_cluster_maintenance_settings_check, - control.ssm_managed_instance_compliance_patch_compliant, + control.ssm_managed_instance_compliance_patch_compliant ] tags = local.nist_800_53_rev_5_common_tags 
@@ -170,7 +170,7 @@ benchmark "nist_800_53_rev_5_si_3" { benchmark "nist_800_53_rev_5_si_3_c_2" { title = "SI-3(c)(2)" - description = "c. Configure malicious code protection mechanisms to: 2. [Selection (one or more): block malicious code; quarantine malicious code; take [Assignment: organization-defined action]]; and send alert to [Assignment: organization-defined personnel or roles] in response to malicious code detection;" + description = "c. Configure malicious code protection mechanisms to: 2. [Selection (one or more): block malicious code; quarantine malicious code; take [Assignment: organization-defined action]]; and send alert to [Assignment: organization-defined personnel or roles] in response to malicious code detection." children = [ control.ec2_instance_ssm_managed, control.ssm_managed_instance_compliance_association_compliant, @@ -193,9 +193,9 @@ benchmark "nist_800_53_rev_5_si_3_8" { benchmark "nist_800_53_rev_5_si_3_8_a" { title = "SI-3(8)(a)" - description = "(a) Detect the following unauthorized operating system commands through the kernel application programming interface on [Assignment: organization-defined system hardware components]: [Assignment: organization-defined unauthorized operating system commands];" + description = "(a) Detect the following unauthorized operating system commands through the kernel application programming interface on [Assignment: organization-defined system hardware components]: [Assignment: organization-defined unauthorized operating system commands]." children = [ - control.guardduty_enabled, + control.guardduty_enabled ] tags = local.nist_800_53_rev_5_common_tags @@ -236,7 +236,7 @@ benchmark "nist_800_53_rev_5_si_4" { benchmark.nist_800_53_rev_5_si_4_a, benchmark.nist_800_53_rev_5_si_4_b, benchmark.nist_800_53_rev_5_si_4_c, - benchmark.nist_800_53_rev_5_si_4_d, + benchmark.nist_800_53_rev_5_si_4_d ] tags = local.nist_800_53_rev_5_common_tags 
@@ -244,7 +244,7 @@ benchmark "nist_800_53_rev_5_si_4" {
 
 benchmark "nist_800_53_rev_5_si_4_a" {
 title = "SI-4(a)"
- description = "a. Monitor the system to detect: 1. Attacks and indicators of potential attacks in accordance with the following monitoring objectives: [Assignment: organization-defined monitoring objectives]; and 2. Unauthorized local, network, and remote connections;"
+ description = "a. Monitor the system to detect: 1. Attacks and indicators of potential attacks in accordance with the following monitoring objectives: [Assignment: organization-defined monitoring objectives]; and 2. Unauthorized local, network, and remote connections."
 children = [
 benchmark.nist_800_53_rev_5_si_4_a_1,
 benchmark.nist_800_53_rev_5_si_4_a_2,
@@ -258,9 +258,9 @@ benchmark "nist_800_53_rev_5_si_4_a" {
 
 benchmark "nist_800_53_rev_5_si_4_a_1" {
 title = "SI-4(a)(1)"
- description = "a. Monitor the system to detect: 1. Attacks and indicators of potential attacks in accordance with the following monitoring objectives: [Assignment: organization-defined monitoring objectives]; and 2. Unauthorized local, network, and remote connections;"
+ description = "a. Monitor the system to detect: 1. Attacks and indicators of potential attacks in accordance with the following monitoring objectives: [Assignment: organization-defined monitoring objectives]; and 2. Unauthorized local, network, and remote connections."
 children = [
- control.guardduty_enabled,
+ control.guardduty_enabled
 ]
 
 tags = merge(local.nist_800_53_rev_5_common_tags, {
@@ -270,7 +270,7 @@ benchmark "nist_800_53_rev_5_si_4_a_1" {
 
 benchmark "nist_800_53_rev_5_si_4_a_2" {
 title = "SI-4(a)(2)"
- description = "a. Monitor the system to detect: 2. Unauthorized local, network, and remote connections;"
+ description = "a. Monitor the system to detect: 2. Unauthorized local, network, and remote connections."
 children = [
 control.guardduty_enabled
 ]
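Review bot: The rewritten SI-4(a)(1) description still carries the full text of item 2 ("and 2. Unauthorized local, network, and remote connections."), although the sibling SI-4(a)(2) benchmark in the next hunk has been trimmed to its own item; for the (a)(1) node the line should be `description = "a. Monitor the system to detect: 1. Attacks and indicators of potential attacks in accordance with the following monitoring objectives: [Assignment: organization-defined monitoring objectives]."`. Otherwise a reader of the (a)(1) result cannot tell which half of the requirement GuardDuty is being credited for. The parent SI-4(a) benchmark correctly keeps the full text since it aggregates both children.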
@@ -282,7 +282,7 @@ benchmark "nist_800_53_rev_5_si_4_a_2" {
 
 benchmark "nist_800_53_rev_5_si_4_b" {
 title = "SI-4(b)"
- description = "b. Identify unauthorized use of the system through the following techniques and methods: [Assignment: organization-defined techniques and methods];"
+ description = "b. Identify unauthorized use of the system through the following techniques and methods: [Assignment: organization-defined techniques and methods]."
 children = [
 control.guardduty_enabled
 ]
@@ -294,9 +294,9 @@ benchmark "nist_800_53_rev_5_si_4_b" {
 
 benchmark "nist_800_53_rev_5_si_4_c" {
 title = "SI-4(c)"
- description = "c. Invoke internal monitoring capabilities or deploy monitoring devices: 1. Strategically within the system to collect organization-determined essential information; and 2. At ad hoc locations within the system to track specific types of transactions of interest to the organization;"
+ description = "c. Invoke internal monitoring capabilities or deploy monitoring devices: 1. Strategically within the system to collect organization-determined essential information; and 2. At ad hoc locations within the system to track specific types of transactions of interest to the organization."
 children = [
- control.guardduty_enabled,
+ control.guardduty_enabled
 ]
 
 tags = merge(local.nist_800_53_rev_5_common_tags, {
@@ -306,9 +306,9 @@ benchmark "nist_800_53_rev_5_si_4_c" {
 
 benchmark "nist_800_53_rev_5_si_4_d" {
 title = "SI-4(d)"
- description = "d. Analyze detected events and anomalies;"
+ description = "d. Analyze detected events and anomalies."
 children = [
- control.cloudtrail_trail_validation_enabled,
+ control.cloudtrail_trail_validation_enabled
 ]
 
 tags = merge(local.nist_800_53_rev_5_common_tags, {
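Review bot: SI-4(d) "Analyze detected events and anomalies" is evidenced only by `cloudtrail_trail_validation_enabled`, which checks that CloudTrail log-file integrity validation is switched on — an integrity control, not analysis of events — so an account with validation on and no detection service at all passes SI-4(d). The sibling SI-4(a)–(c) benchmarks in this file use `control.guardduty_enabled` and SI-4(12) further down uses `control.cloudwatch_alarm_action_enabled`; either is closer to "analyze", so consider `control.guardduty_enabled` here (with the `service` tag updated to match) and keep the validation check for the SI-7 integrity benchmarks. The `tags` block continues past the hunk.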
@@ -339,7 +339,7 @@ benchmark "nist_800_53_rev_5_si_4_2" {
 control.guardduty_enabled,
 control.rds_db_instance_logging_enabled,
 control.redshift_cluster_encryption_logging_enabled,
- control.s3_bucket_logging_enabled,
+ control.s3_bucket_logging_enabled
 ]
 
 tags = local.nist_800_53_rev_5_common_tags
@@ -349,7 +349,7 @@ benchmark "nist_800_53_rev_5_si_4_3" {
 title = "SI-4(3) Automated Tools And Mechanism Integration"
 description = "Employ automated tools and mechanisms to integrate intrusion detection tools and mechanisms into access control and flow control mechanisms."
 children = [
- control.guardduty_enabled,
+ control.guardduty_enabled
 ]
 
 tags = merge(local.nist_800_53_rev_5_common_tags, {
@@ -370,9 +370,9 @@ benchmark "nist_800_53_rev_5_si_4_4" {
 
 benchmark "nist_800_53_rev_5_si_4_4_a" {
 title = "SI-4(4)(a)"
- description = "(a) Determine criteria for unusual or unauthorized activities or conditions for inbound and outbound communications traffic;"
+ description = "(a) Determine criteria for unusual or unauthorized activities or conditions for inbound and outbound communications traffic."
 children = [
- control.guardduty_enabled,
+ control.guardduty_enabled
 ]
 
 tags = merge(local.nist_800_53_rev_5_common_tags, {
@@ -408,7 +408,7 @@ benchmark "nist_800_53_rev_5_si_4_12" {
 title = "SI-4(12) Automated Organization-Generated Alerts"
 description = "Alert [Assignment: organization-defined personnel or roles] using [Assignment: organization-defined automated mechanisms] when the following indications of inappropriate or unusual activities with security or privacy implications occur: [Assignment: organization-defined activities that trigger alerts]."
 children = [
- control.cloudwatch_alarm_action_enabled,
+ control.cloudwatch_alarm_action_enabled
 ]
 
 tags = merge(local.nist_800_53_rev_5_common_tags, {
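Review bot: SI-4(4)(a) asks the organization to determine its own criteria for unusual inbound/outbound traffic, but `guardduty_enabled` only shows that a detector exists with AWS-managed finding types, so the benchmark passes with no organization-defined criteria at all. If the intent is to accept GuardDuty's managed findings as those criteria, say so in the description, e.g. `description = "(a) Determine criteria for unusual or unauthorized activities or conditions for inbound and outbound communications traffic. (GuardDuty managed finding types are accepted as the organization-defined criteria.)"`; otherwise this is a process requirement that the automated check cannot fully evidence. The same detector-exists check also backs SI-4(3) in the preceding hunk, where "integrate into access control and flow control mechanisms" would additionally need some automated response wiring that nothing here verifies.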
@@ -420,7 +420,7 @@ benchmark "nist_800_53_rev_5_si_4_13" {
 title = "SI-4(13) Analyze Traffic And Event Patterns"
 description = "a. Analyze communications traffic and event patterns for the system; b. Develop profiles representing common traffic and event patterns; and c. Use the traffic and event profiles in tuning system-monitoring devices."
 children = [
- benchmark.nist_800_53_rev_5_si_4_13_a,
+ benchmark.nist_800_53_rev_5_si_4_13_a
 ]
 
 tags = local.nist_800_53_rev_5_common_tags
@@ -428,9 +428,9 @@ benchmark "nist_800_53_rev_5_si_4_13" {
 
 benchmark "nist_800_53_rev_5_si_4_13_a" {
 title = "SI-4(13)(a)"
- description = "(a) Analyze communications traffic and event patterns for the system;"
+ description = "(a) Analyze communications traffic and event patterns for the system."
 children = [
- control.guardduty_enabled,
+ control.guardduty_enabled
 ]
 
 tags = local.nist_800_53_rev_5_common_tags
@@ -440,7 +440,7 @@ benchmark "nist_800_53_rev_5_si_4_14" {
 title = "SI-4(14) Wireless Intrusion Detection"
 description = "Employ a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises or breaches to the system."
 children = [
- control.guardduty_enabled,
+ control.guardduty_enabled
 ]
 
 tags = merge(local.nist_800_53_rev_5_common_tags, {
@@ -531,7 +531,7 @@ benchmark "nist_800_53_rev_5_si_5_1" {
 
 benchmark "nist_800_53_rev_5_si_5_b" {
 title = "SI-5(b)"
- description = "b. Generate internal security alerts, advisories, and directives as deemed necessary;"
+ description = "b. Generate internal security alerts, advisories, and directives as deemed necessary."
 children = [
 control.cloudwatch_alarm_action_enabled,
 control.guardduty_enabled
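Review bot: SI-4(14) "Wireless Intrusion Detection" is evidenced by `guardduty_enabled`, but GuardDuty analyses account and network telemetry, not radio spectrum, and cannot identify rogue wireless devices; in an AWS-hosted system the wireless layer, if any, sits in the provider's physical-security scope rather than the customer's. Marking this benchmark as passing on a detector flag gives false assurance; better to leave `children` empty with a comment such as `# Not applicable to AWS-hosted systems: no customer-managed wireless infrastructure; inherited from AWS physical controls.` or to state the inheritance in the description. The hunk itself only removes the trailing comma, so the mapping predates this commit, but this pass over the file is the natural place to correct it.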
@@ -558,7 +558,7 @@ benchmark "nist_800_53_rev_5_si_7_1" {
 title = "SI-7(1) Integrity Checks"
 description = "Perform an integrity check of [Assignment: organization-defined software, firmware, and information] [Selection (one or more): at startup; at [Assignment: organization-defined transitional states or security-relevant events]; [Assignment: organization-defined frequency]]."
 children = [
- control.cloudtrail_trail_validation_enabled,
+ control.cloudtrail_trail_validation_enabled
 ]
 
 tags = merge(local.nist_800_53_rev_5_common_tags, {
@@ -570,7 +570,7 @@ benchmark "nist_800_53_rev_5_si_7_3" {
 title = "SI-7(3) Centrally Managed Integrity Tools"
 description = "Employ centrally managed integrity verification tools."
 children = [
- control.cloudtrail_trail_validation_enabled,
+ control.cloudtrail_trail_validation_enabled
 ]
 
 tags = merge(local.nist_800_53_rev_5_common_tags, {
@@ -582,7 +582,7 @@ benchmark "nist_800_53_rev_5_si_7_7" {
 title = "SI-7(7) Integration Of Detection And Response"
 description = "Incorporate the detection of the following unauthorized changes into the organizational incident response capability: [Assignment: organization-defined security-relevant changes to the system]."
 children = [
- control.cloudtrail_trail_validation_enabled,
+ control.cloudtrail_trail_validation_enabled
 ]
 
 tags = merge(local.nist_800_53_rev_5_common_tags, {
@@ -612,9 +612,9 @@ benchmark "nist_800_53_rev_5_si_7_8" {
 
 benchmark "nist_800_53_rev_5_si_7_a" {
 title = "SI-7(a)"
- description = "a. Employ integrity verification tools to detect unauthorized changes to the following software, firmware, and information: [Assignment: organization-defined software, firmware, and information];"
+ description = "a. Employ integrity verification tools to detect unauthorized changes to the following software, firmware, and information: [Assignment: organization-defined software, firmware, and information]."
 children = [
- control.cloudtrail_trail_validation_enabled,
+ control.cloudtrail_trail_validation_enabled
 ]
 tags = merge(local.nist_800_53_rev_5_common_tags, {
 service = "AWS/CloudTrail"
@@ -625,7 +625,7 @@ benchmark "nist_800_53_rev_5_si_10" {
 title = "Information Input Validation (SI-10)"
 description = "Check the validity of the following information inputs: [Assignment: organization-defined information inputs to the system]."
 children = [
- benchmark.nist_800_53_rev_5_si_10_1,
+ benchmark.nist_800_53_rev_5_si_10_1
 ]
 
 tags = local.nist_800_53_rev_5_common_tags
@@ -635,7 +635,7 @@ benchmark "nist_800_53_rev_5_si_10_1" {
 title = "SI-10(1) Manual Override Capability"
 description = "a. Provide a manual override capability for input validation of the following information inputs: [Assignment: organization-defined inputs defined in the base control (SI-10)]; b. Restrict the use of the manual override capability to only [Assignment: organization-defined authorized individuals]; and c. Audit the use of the manual override capability."
 children = [
- benchmark.nist_800_53_rev_5_si_10_1_c,
+ benchmark.nist_800_53_rev_5_si_10_1_c
 ]
 
 tags = local.nist_800_53_rev_5_common_tags
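Review bot: SI-7(a) "integrity verification tools to detect unauthorized changes to software, firmware, and information" is mapped solely to `cloudtrail_trail_validation_enabled`, and the same single control backs SI-7(1), (3) and (7) in the preceding hunks; CloudTrail validation only produces digests for CloudTrail's own log files, so nothing here verifies software or firmware integrity and a passing result must not be read that way. At minimum the description should state the covered scope, e.g. `description = "a. Employ integrity verification tools to detect unauthorized changes to the following software, firmware, and information: [Assignment: organization-defined software, firmware, and information]. (Automated check covers CloudTrail log-file integrity only.)"`. If the mod defines a configuration-drift or Config-recorder control, it belongs in this list too.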
@@ -661,7 +661,7 @@ benchmark "nist_800_53_rev_5_si_12" {
 title = "Information Management and Retention (SI-12)"
 description = "Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements."
 children = [
- control.cloudwatch_log_group_retention_period_365,
+ control.cloudwatch_log_group_retention_period_365
 ]
 
 tags = merge(local.nist_800_53_rev_5_common_tags, {
From 8bca3ee98527edb20ba110054a324b4fb7bc2089 Mon Sep 17 00:00:00 2001
From: misraved
Date: Thu, 2 Jun 2022 01:34:08 +0530
Subject: [PATCH 17/20] Update description of controls

---
 nist_800_53_rev_5/cm.sp | 38 +++++++++++++++++++-------------------
 nist_800_53_rev_5/cp.sp | 8 ++++----
 2 files changed, 23 insertions(+), 23 deletions(-)

diff --git a/nist_800_53_rev_5/cm.sp b/nist_800_53_rev_5/cm.sp
index e328af94..85ae02a4 100644
--- a/nist_800_53_rev_5/cm.sp
+++ b/nist_800_53_rev_5/cm.sp
@@ -29,7 +29,7 @@ benchmark "nist_800_53_rev_5_cm_2" {
 
 benchmark "nist_800_53_rev_5_cm_2_a" {
 title = "CM-2(a)"
- description = "a. Develop, document, and maintain under configuration control, a current baseline configuration of the system."
+ description = "Develop, document, and maintain under configuration control, a current baseline configuration of the system."
 children = [
 control.ebs_volume_unsued,
 control.ec2_instance_ssm_managed,
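Review bot: `control.ebs_volume_unsued` in the CM-2(a) children reads like a misspelling of `ebs_volume_unused`; Steampipe resolves `control.` references when the mod loads, so if no control is defined under the misspelled name the whole mod fails to load, and if one is, the typo is baked into a public control name and should be corrected at the definition with a rename rather than left here. The same reference recurs under CM-2(b)(1)–(3) in the following hunks. Separately, this commit strips the "a." prefix from cm.sp descriptions while the si.sp pass just above keeps the prefix on most sub-parts; the two files should follow one convention. The `children` list continues past the hunk.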
@@ -44,7 +44,7 @@ benchmark "nist_800_53_rev_5_cm_2_a" {
 
 benchmark "nist_800_53_rev_5_cm_2_b" {
 title = "CM-2(b)"
- description = "b. Review and update the baseline configuration of the system: 1. [Assignment: organization-defined frequency]; 2. When required due to [Assignment: organization-defined circumstances]; and 3. When system components are installed or upgraded."
+ description = "Review and update the baseline configuration of the system: 1. [Assignment: organization-defined frequency]; 2. When required due to [Assignment: organization-defined circumstances]; and 3. When system components are installed or upgraded."
 children = [
 benchmark.nist_800_53_rev_5_cm_2_b_1,
 benchmark.nist_800_53_rev_5_cm_2_b_2,
@@ -62,7 +62,7 @@ benchmark "nist_800_53_rev_5_cm_2_b" {
 
 benchmark "nist_800_53_rev_5_cm_2_b_1" {
 title = "CM-2(b)(1)"
- description = "b. Review and update the baseline configuration of the system: 1. [Assignment: organization-defined frequency]."
+ description = "Review and update the baseline configuration of the system: 1. [Assignment: organization-defined frequency]."
 children = [
 control.account_part_of_organizations,
 control.ebs_volume_unsued,
@@ -77,7 +77,7 @@ benchmark "nist_800_53_rev_5_cm_2_b_1" {
 
 benchmark "nist_800_53_rev_5_cm_2_b_2" {
 title = "CM-2(b)(2)"
- description = "b. Review and update the baseline configuration of the system: 2. When required due to [Assignment: organization-defined circumstances]."
+ description = "Review and update the baseline configuration of the system: 2. When required due to [Assignment: organization-defined circumstances]."
 children = [
 control.account_part_of_organizations,
 control.ebs_volume_unsued,
@@ -92,7 +92,7 @@ benchmark "nist_800_53_rev_5_cm_2_b_2" {
 
 benchmark "nist_800_53_rev_5_cm_2_b_3" {
 title = "CM-2(b)(3)"
- description = "b. Review and update the baseline configuration of the system: 3 When system components are installed or upgraded."
+ description = "Review and update the baseline configuration of the system: 3 When system components are installed or upgraded."
 children = [
 control.account_part_of_organizations,
 control.ebs_volume_unsued,
@@ -133,7 +133,7 @@ benchmark "nist_800_53_rev_5_cm_3" {
 
 benchmark "nist_800_53_rev_5_cm_3_a" {
 title = "CM-3(a)"
- description = "a. Determine and document the types of changes to the system that are configuration-controlled."
+ description = "Determine and document the types of changes to the system that are configuration-controlled."
 children = [
 control.elb_application_lb_deletion_protection_enabled,
 control.rds_db_instance_deletion_protection_enabled
@@ -180,7 +180,7 @@ benchmark "nist_800_53_rev_5_cm_5_1" {
 
 benchmark "nist_800_53_rev_5_cm_5_1_a" {
 title = "CM-5(1)(a)"
- description = "(a) Enforce access restrictions using [Assignment: organization-defined automated mechanisms]."
+ description = "Enforce access restrictions using [Assignment: organization-defined automated mechanisms]."
 children = [
 control.ec2_instance_iam_profile_attached,
 control.ec2_instance_uses_imdsv2,
@@ -207,7 +207,7 @@ benchmark "nist_800_53_rev_5_cm_5_1_a" {
 
 benchmark "nist_800_53_rev_5_cm_5_1_b" {
 title = "CM-5(1)(b)"
- description = "(b) Automatically generate audit records of the enforcement actions."
+ description = "Automatically generate audit records of the enforcement actions."
 children = [
 control.apigateway_stage_logging_enabled,
 control.cloudtrail_multi_region_trail_enabled,
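Review bot: The rewritten CM-2(b)(3) description still reads "3 When system components are installed or upgraded." — the item number lacks its period, unlike "1." and "2." in the sibling benchmarks in the previous hunks; this description rewrite is the moment to fix it: `description = "Review and update the baseline configuration of the system: 3. When system components are installed or upgraded."`. The `children` list continues past the hunk.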
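Review bot: CM-3(a) asks the organization to determine and document which change types are configuration-controlled, whereas the two children, `elb_application_lb_deletion_protection_enabled` and `rds_db_instance_deletion_protection_enabled`, only show that deletion of two resource types is blocked; a green result here says nothing about a documented change-control scope. A one-line caveat in the description, e.g. appending ` (Automated checks evidence deletion protection on ALB and RDS only; the documented change-type list is assessed manually.)`, keeps the report from overstating what was verified. The list ends inside the hunk, so no further children hide past it.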
@@ -239,7 +239,7 @@ benchmark "nist_800_53_rev_5_cm_6" {
 
 benchmark "nist_800_53_rev_5_cm_6_a" {
 title = "CM-6(a)"
- description = "a. Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using [Assignment: organization-defined common secure configurations]."
+ description = "Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using [Assignment: organization-defined common secure configurations]."
 children = [
 control.account_part_of_organizations,
 control.autoscaling_group_with_lb_use_health_check,
@@ -291,7 +291,7 @@ benchmark "nist_800_53_rev_5_cm_7" {
 
 benchmark "nist_800_53_rev_5_cm_7_b" {
 title = "CM-7(b)"
- description = "b. Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: [Assignment: organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services]."
+ description = "Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: [Assignment: organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services]."
 children = [
 control.vpc_route_table_restrict_public_access_to_igw,
 control.vpc_security_group_restrict_ingress_common_ports_all
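Review bot: CM-7(b) covers prohibited ports, protocols and services in both directions, but, going by their names, the two children only constrain inbound paths — `vpc_security_group_restrict_ingress_common_ports_all` looks at ingress rules and `vpc_route_table_restrict_public_access_to_igw` at routes toward an internet gateway — so a security group with an unrestricted all-traffic egress rule still passes. If the mod defines an egress-restriction or network-ACL control, add it here; otherwise add a comment above `children` such as `# Automated checks cover ingress and IGW routing only; egress restrictions are not evaluated.`. The list ends inside the hunk.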
@@ -317,7 +317,7 @@ benchmark "nist_800_53_rev_5_cm_8" {
 
 benchmark "nist_800_53_rev_5_cm_8_a" {
 title = "CM-8(a)"
- description = "a. Develop and document an inventory of system components that: 1. Accurately reflects the system; 2. Includes all components within the system; 3. Does not include duplicate accounting of components or components assigned to any other system; 4. Is at the level of granularity deemed necessary for tracking and reporting; and 5. Includes the following information to achieve system component accountability: [Assignment: organization-defined information deemed necessary to achieve effective system component accountability]."
+ description = "Develop and document an inventory of system components that: 1. Accurately reflects the system; 2. Includes all components within the system; 3. Does not include duplicate accounting of components or components assigned to any other system; 4. Is at the level of granularity deemed necessary for tracking and reporting; and 5. Includes the following information to achieve system component accountability: [Assignment: organization-defined information deemed necessary to achieve effective system component accountability]."
 children = [
 benchmark.nist_800_53_rev_5_cm_8_a_1,
 benchmark.nist_800_53_rev_5_cm_8_a_2,
@@ -333,7 +333,7 @@ benchmark "nist_800_53_rev_5_cm_8_a" {
 
 benchmark "nist_800_53_rev_5_cm_8_a_1" {
 title = "CM-8(a)(1)"
- description = "a. Develop and document an inventory of system components that: 1. Accurately reflects the system."
+ description = "Develop and document an inventory of system components that: 1. Accurately reflects the system."
 children = [
 control.ec2_instance_ssm_managed,
 control.ssm_managed_instance_compliance_association_compliant
@@ -344,7 +344,7 @@ benchmark "nist_800_53_rev_5_cm_8_a_1" {
 
 benchmark "nist_800_53_rev_5_cm_8_a_2" {
 title = "CM-8(a)(2)"
- description = "a. Develop and document an inventory of system components that: 2. Includes all components within the system."
+ description = "Develop and document an inventory of system components that: 2. Includes all components within the system."
 children = [
 control.ec2_instance_ssm_managed,
 control.ssm_managed_instance_compliance_association_compliant
@@ -355,7 +355,7 @@ benchmark "nist_800_53_rev_5_cm_8_a_2" {
 
 benchmark "nist_800_53_rev_5_cm_8_a_3" {
 title = "CM-8(a)(3)"
- description = "a. Develop and document an inventory of system components that: 3. Does not include duplicate accounting of components or components assigned to any other system."
+ description = "Develop and document an inventory of system components that: 3. Does not include duplicate accounting of components or components assigned to any other system."
 children = [
 control.ec2_instance_ssm_managed,
 control.ssm_managed_instance_compliance_association_compliant
@@ -366,7 +366,7 @@ benchmark "nist_800_53_rev_5_cm_8_a_3" {
 
 benchmark "nist_800_53_rev_5_cm_8_a_4" {
 title = "CM-8(a)(4)"
- description = "a. Develop and document an inventory of system components that: 4. Is at the level of granularity deemed necessary for tracking and reporting."
+ description = "Develop and document an inventory of system components that: 4. Is at the level of granularity deemed necessary for tracking and reporting."
 children = [
 control.ec2_instance_ssm_managed,
 control.ssm_managed_instance_compliance_association_compliant
@@ -377,7 +377,7 @@ benchmark "nist_800_53_rev_5_cm_8_a_4" {
 
 benchmark "nist_800_53_rev_5_cm_8_a_5" {
 title = "CM-8(a)(5)"
- description = "a. Develop and document an inventory of system components that: 5. Includes the following information to achieve system component accountability: [Assignment: organization-defined information deemed necessary to achieve effective system component accountability]."
+ description = "Develop and document an inventory of system components that: 5. Includes the following information to achieve system component accountability: [Assignment: organization-defined information deemed necessary to achieve effective system component accountability]."
 children = [
 control.ec2_instance_ssm_managed,
 control.ssm_managed_instance_compliance_association_compliant,
@@ -388,7 +388,7 @@ benchmark "nist_800_53_rev_5_cm_8_a_5" {
 
 benchmark "nist_800_53_rev_5_cm_8_b" {
 title = "CM-8(b)"
- description = "b. Review and update the system component inventory [Assignment: organization-defined frequency]."
+ description = "Review and update the system component inventory [Assignment: organization-defined frequency]."
 children = [
 control.ec2_instance_ssm_managed,
 control.ssm_managed_instance_compliance_association_compliant
@@ -430,7 +430,7 @@ benchmark "nist_800_53_rev_5_cm_8_3" {
 
 benchmark "nist_800_53_rev_5_cm_8_3_a" {
 title = "CM-8(3)(a)"
- description = "(a) Detect the presence of unauthorized hardware, software, and firmware components within the system using [Assignment: organization-defined automated mechanisms] [Assignment: organization-defined frequency]."
+ description = "Detect the presence of unauthorized hardware, software, and firmware components within the system using [Assignment: organization-defined automated mechanisms] [Assignment: organization-defined frequency]."
 children = [
 control.ec2_instance_ssm_managed,
 control.guardduty_enabled,
@@ -519,7 +519,7 @@ benchmark "nist_800_53_rev_5_cm_12" {
 
 benchmark "nist_800_53_rev_5_cm_12_b" {
 title = "CM-12(b)"
- description = "b. Identify and document the users who have access to the system and system components where the information is processed and stored."
+ description = "Identify and document the users who have access to the system and system components where the information is processed and stored."
 children = [
 control.iam_account_password_policy_min_length_14
 ]
diff --git a/nist_800_53_rev_5/cp.sp b/nist_800_53_rev_5/cp.sp
index 9396b346..d9c97436 100644
--- a/nist_800_53_rev_5/cp.sp
+++ b/nist_800_53_rev_5/cp.sp
@@ -300,7 +300,7 @@ benchmark "nist_800_53_rev_5_cp_9" {
 
 benchmark "nist_800_53_rev_5_cp_9_a" {
 title = "CP-9(a)"
- description = "a. Conduct backups of user-level information contained in [Assignment: organization-defined system components] [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]."
+ description = "Conduct backups of user-level information contained in [Assignment: organization-defined system components] [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]."
 children = [
 control.dynamodb_table_in_backup_plan,
 control.dynamodb_table_point_in_time_recovery_enabled,
@@ -321,7 +321,7 @@ benchmark "nist_800_53_rev_5_cp_9_a" {
 
 benchmark "nist_800_53_rev_5_cp_9_b" {
 title = "CP-9(b)"
- description = "b. Conduct backups of system-level information contained in the system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]."
+ description = "Conduct backups of system-level information contained in the system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]."
 children = [
 control.dynamodb_table_in_backup_plan,
 control.dynamodb_table_point_in_time_recovery_enabled,
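Review bot: CM-12(b) "Identify and document the users who have access to the system" is evidenced by `iam_account_password_policy_min_length_14`, which says nothing about who has access — an account with a compliant password policy and a hundred unreviewed IAM users passes this benchmark. A control that enumerates IAM users/roles with access or flags stale credentials would be the closer evidence if the mod defines one, and the password-length control belongs under IA-5 rather than here. Failing that, leave `children` empty with a comment like `# Process control: the user access list is documented manually; no automated check evidences it.` so the node does not report a false pass. The list ends inside the hunk.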
@@ -342,7 +342,7 @@ benchmark "nist_800_53_rev_5_cp_9_b" {
 
 benchmark "nist_800_53_rev_5_cp_9_c" {
 title = "CP-9(c)"
- description = "c. Conduct backups of system documentation, including security- and privacy-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]."
+ description = "Conduct backups of system documentation, including security- and privacy-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]."
 children = [
 control.dynamodb_table_in_backup_plan,
 control.ebs_volume_in_backup_plan,
@@ -363,7 +363,7 @@ benchmark "nist_800_53_rev_5_cp_9_c" {
 
 benchmark "nist_800_53_rev_5_cp_9_d" {
 title = "CP-9(d)"
- description = "d. Protect the confidentiality, integrity, and availability of backup information."
+ description = "Protect the confidentiality, integrity, and availability of backup information."
 children = [
 control.apigateway_stage_cache_encryption_at_rest_enabled,
 control.cloudtrail_trail_logs_encrypted_with_kms_cmk,
From e6ad0f822b7e7884e8235dd0128228b10825892f Mon Sep 17 00:00:00 2001
From: Khushboo
Date: Thu, 2 Jun 2022 11:58:12 +0530
Subject: [PATCH 18/20] update description

---
 nist_800_53_rev_5/ac.sp | 18 +++++++++---------
 nist_800_53_rev_5/au.sp | 14 +++++++-------
 nist_800_53_rev_5/ca.sp | 4 ++--
 nist_800_53_rev_5/cp.sp | 12 ++++++------
 nist_800_53_rev_5/ia.sp | 8 ++++----
 nist_800_53_rev_5/ir.sp | 2 +-
 nist_800_53_rev_5/ma.sp | 4 ++--
 nist_800_53_rev_5/pm.sp | 8 ++++----
 nist_800_53_rev_5/ra.sp | 10 +++++-----
 nist_800_53_rev_5/sc.sp | 28 ++++++++++++++--------------
 nist_800_53_rev_5/si.sp | 24 ++++++++++++------------
 11 files changed, 66 insertions(+), 66 deletions(-)

diff --git a/nist_800_53_rev_5/ac.sp b/nist_800_53_rev_5/ac.sp
index 4041ec14..199dc831 100644
--- a/nist_800_53_rev_5/ac.sp
+++ b/nist_800_53_rev_5/ac.sp
@@ -184,7 +184,7 @@ benchmark "nist_800_53_rev_5_ac_2_12" {
 
 benchmark "nist_800_53_rev_5_ac_2_12_a" {
 title = "AC-2(12)(a)"
- description = "(a) Monitor system accounts for [Assignment: organization-defined atypical usage]."
+ description = "Monitor system accounts for [Assignment: organization-defined atypical usage]."
 children = [
 control.guardduty_enabled
 ]
@@ -770,7 +770,7 @@ benchmark "nist_800_53_rev_5_ac_3_12" {
 
 benchmark "nist_800_53_rev_5_ac_3_12_a" {
 title = "AC-3(12)(a)"
- description = "(a) Require applications to assert, as part of the installation process, the access needed to the following system applications and functions: [Assignment: organization-defined system applications and functions]."
+ description = "Require applications to assert, as part of the installation process, the access needed to the following system applications and functions: [Assignment: organization-defined system applications and functions]."
 children = [
 control.ec2_instance_uses_imdsv2,
 control.iam_account_password_policy_min_length_14,
@@ -795,7 +795,7 @@ benchmark "nist_800_53_rev_5_ac_3_12_a" {
 
 benchmark "nist_800_53_rev_5_ac_3_12_b" {
 title = "AC-3(12)(b)"
- description = "(b) Provide an enforcement mechanism to prevent unauthorized access;"
+ description = "Provide an enforcement mechanism to prevent unauthorized access;"
 children = [
 control.guardduty_enabled
 ]
@@ -843,7 +843,7 @@ benchmark "nist_800_53_rev_5_ac_3_15" {
 
 benchmark "nist_800_53_rev_5_ac_3_15_a" {
 title = "AC-3(15)(a)"
- description = "(a) Enforce [Assignment: organization-defined mandatory access control policy] over the set of covered subjects and objects specified in the policy."
+ description = "Enforce [Assignment: organization-defined mandatory access control policy] over the set of covered subjects and objects specified in the policy."
 children = [
 control.ec2_instance_uses_imdsv2,
 control.iam_account_password_policy_min_length_14,
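Review bot: The new AC-3(12)(b) description still ends in a semicolon (`unauthorized access;`) while every other description this patch touches is normalised to a period; it should read `description = "Provide an enforcement mechanism to prevent unauthorized access."`. More importantly, the only child, `guardduty_enabled`, is a detective control — it reports suspicious access after the fact — whereas (b) asks for an enforcement mechanism that prevents it; the preventive checks listed under AC-3(12)(a) in the preceding hunk (`ec2_instance_uses_imdsv2`, the IAM policy controls, and whatever follows past that hunk) are the ones that fit here. As written, an account with no preventive access controls but GuardDuty turned on passes (b).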
@@ -868,7 +868,7 @@ benchmark "nist_800_53_rev_5_ac_3_15_a" {
 
 benchmark "nist_800_53_rev_5_ac_3_15_b" {
 title = "AC-3(15)(b)"
- description = "(b) Enforce [Assignment: organization-defined discretionary access control policy] over the set of covered subjects and objects specified in the policy."
+ description = "Enforce [Assignment: organization-defined discretionary access control policy] over the set of covered subjects and objects specified in the policy."
 children = [
 control.ec2_instance_uses_imdsv2,
 control.iam_account_password_policy_min_length_14,
@@ -1155,7 +1155,7 @@ benchmark "nist_800_53_rev_5_ac_7_4" {
 
 benchmark "nist_800_53_rev_5_ac_7_4_a" {
 title = "AC-7(4)(a)"
- description = "(a) Allow the use of [Assignment: organization-defined authentication factors] that are different from the primary authentication factors after the number of organization-defined consecutive invalid logon attempts have been exceeded."
+ description = "Allow the use of [Assignment: organization-defined authentication factors] that are different from the primary authentication factors after the number of organization-defined consecutive invalid logon attempts have been exceeded."
 children = [
 control.iam_account_password_policy_min_length_14,
 control.iam_root_user_hardware_mfa_enabled,
@@ -1181,7 +1181,7 @@ benchmark "nist_800_53_rev_5_ac_16" {
 
 benchmark "nist_800_53_rev_5_ac_16_b" {
 title = "AC-16(b)"
- description = "b. Ensure that the attribute associations are made and retained with the information."
+ description = "Ensure that the attribute associations are made and retained with the information."
 children = [
 control.cloudwatch_log_group_retention_period_365
 ]
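Review bot: AC-7(4)(a) is about offering alternate authentication factors once the consecutive-invalid-logon threshold is exceeded, and neither `iam_account_password_policy_min_length_14` nor `iam_root_user_hardware_mfa_enabled` relates to lockout behaviour; as far as I know IAM exposes no customer-configurable lockout counter for console sign-in that a control could check, so unless the rest of this `children` list (it continues past the hunk) adds something lockout-related the benchmark passes on unrelated evidence. Make that explicit in the description, e.g. appending ` (No AWS-native lockout mechanism; MFA controls are listed as compensating evidence only.)`, or move the MFA control under IA-2 where it is direct evidence. The same "(a)"-prefix stripping is applied consistently in this file, which is good.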
@@ -1208,7 +1208,7 @@ benchmark "nist_800_53_rev_5_ac_17" {
 
 benchmark "nist_800_53_rev_5_ac_17_b" {
 title = "AC-17(b)"
- description = "b. Authorize each type of remote access to the system prior to allowing such connections."
+ description = "Authorize each type of remote access to the system prior to allowing such connections."
 children = [
 control.dms_replication_instance_not_publicly_accessible,
 control.ebs_snapshot_not_publicly_restorable,
@@ -1292,7 +1292,7 @@ benchmark "nist_800_53_rev_5_ac_17_4" {
 
 benchmark "nist_800_53_rev_5_ac_17_4_a" {
 title = "AC-17(4)(a)"
- description = "(a) Authorize the execution of privileged commands and access to security-relevant information via remote access only in a format that provides assessable evidence and for the following needs: [Assignment: organization-defined needs];"
+ description = "Authorize the execution of privileged commands and access to security-relevant information via remote access only in a format that provides assessable evidence and for the following needs: [Assignment: organization-defined needs];"
 children = [
 control.dms_replication_instance_not_publicly_accessible,
 control.ebs_snapshot_not_publicly_restorable,
diff --git a/nist_800_53_rev_5/au.sp b/nist_800_53_rev_5/au.sp
index 12e8587f..b44507d3 100644
--- a/nist_800_53_rev_5/au.sp
+++ b/nist_800_53_rev_5/au.sp
@@ -32,7 +32,7 @@ benchmark "nist_800_53_rev_5_au_2" {
 
 benchmark "nist_800_53_rev_5_au_2_b" {
 title = "AU-2(b)"
- description = "b. Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged."
+ description = "Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged."
 children = [
 control.apigateway_stage_logging_enabled,
 control.cloudtrail_multi_region_trail_enabled,
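Review bot: The rewritten AC-17(4)(a) description keeps its trailing semicolon (`[Assignment: organization-defined needs];`), unlike the other descriptions this patch normalises to a period; use `description = "Authorize the execution of privileged commands and access to security-relevant information via remote access only in a format that provides assessable evidence and for the following needs: [Assignment: organization-defined needs]."`. The visible children, `dms_replication_instance_not_publicly_accessible` and `ebs_snapshot_not_publicly_restorable`, show that resources are not publicly exposed, which is AC-17(b)-style evidence rather than evidence that privileged remote commands are authorised and logged in an assessable format; the list continues past the hunk, so session-logging controls may follow, but if they do not, a caveat in the description is warranted.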
@@ -373,7 +373,7 @@ benchmark "nist_800_53_rev_5_au_8" {
 
 benchmark "nist_800_53_rev_5_au_8_b" {
 title = "AU-8(b)"
- description = "b. Record time stamps for audit records that meet [Assignment: organization-defined granularity of time measurement] and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp."
+ description = "Record time stamps for audit records that meet [Assignment: organization-defined granularity of time measurement] and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp."
 children = [
 control.apigateway_stage_logging_enabled,
 control.cloudtrail_multi_region_trail_enabled,
@@ -406,7 +406,7 @@ benchmark "nist_800_53_rev_5_au_9" {
 
 benchmark "nist_800_53_rev_5_au_9_a" {
 title = "AU-9(a)"
- description = "a. Protect audit information and audit logging tools from unauthorized access, modification, and deletion."
+ description = "Protect audit information and audit logging tools from unauthorized access, modification, and deletion."
 children = [
 control.cloudtrail_trail_validation_enabled
 ]
@@ -534,7 +534,7 @@ benchmark "nist_800_53_rev_5_au_12" {
 
 benchmark "nist_800_53_rev_5_au_12_a" {
 title = "AU-12(a)"
- description = "a. Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2a on [Assignment: organization-defined system components]."
+ description = "Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2a on [Assignment: organization-defined system components]."
 children = [
 control.apigateway_stage_logging_enabled,
 control.cloudtrail_multi_region_trail_enabled,
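Review bot: AU-9(a) requires protecting audit information from unauthorized access, modification and deletion, but the sole child `cloudtrail_trail_validation_enabled` only turns on digest files that let you detect modification after the fact; it does nothing about read access to, or deletion of, the trail's log objects, so a trail written to a world-readable, unencrypted bucket still passes. `cloudtrail_trail_logs_encrypted_with_kms_cmk`, which this mod already uses under CP-9(d), is the confidentiality-side evidence and belongs here, and any S3 public-access-block, object-lock or access-logging check the mod defines for the log bucket would cover the access/deletion side. The `children` list ends inside the hunk, so this is the complete mapping.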
@@ -554,7 +554,7 @@ benchmark "nist_800_53_rev_5_au_12_a" {
 benchmark "nist_800_53_rev_5_au_12_c" {
 title = "AU-12(c)"
- description = "c. Generate audit records for the event types defined in AU-2c that include the audit record content defined in AU-3."
+ description = "Generate audit records for the event types defined in AU-2c that include the audit record content defined in AU-3."
 children = [
 control.apigateway_stage_logging_enabled,
 control.cloudtrail_multi_region_trail_enabled,
@@ -677,7 +677,7 @@ benchmark "nist_800_53_rev_5_au_14" {
 benchmark "nist_800_53_rev_5_au_14_a" {
 title = "AU-14(a)"
- description = "a. Provide and implement the capability for [Assignment: organization-defined users or roles] to [Selection (one or more): record; view; hear; log] the content of a user session under [Assignment: organization-defined circumstances]."
+ description = "Provide and implement the capability for [Assignment: organization-defined users or roles] to [Selection (one or more): record; view; hear; log] the content of a user session under [Assignment: organization-defined circumstances]."
 children = [
 control.apigateway_stage_logging_enabled,
 control.autoscaling_group_with_lb_use_health_check,
@@ -706,7 +706,7 @@ benchmark "nist_800_53_rev_5_au_14_a" {
 benchmark "nist_800_53_rev_5_au_14_b" {
 title = "AU-14(b)"
- description = "b. Develop, integrate, and use session auditing activities in consultation with legal counsel and in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines."
+ description = "Develop, integrate, and use session auditing activities in consultation with legal counsel and in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines."
 children = [
 control.apigateway_stage_logging_enabled,
 control.autoscaling_group_with_lb_use_health_check,
diff --git a/nist_800_53_rev_5/ca.sp b/nist_800_53_rev_5/ca.sp
index 021e26af..b552e162 100644
--- a/nist_800_53_rev_5/ca.sp
+++ b/nist_800_53_rev_5/ca.sp
@@ -37,7 +37,7 @@ benchmark "nist_800_53_rev_5_ca_2_2" {
 benchmark "nist_800_53_rev_5_ca_2_d" {
 title = "CA-2(d)"
- description = "d. Assess the controls in the system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements."
+ description = "Assess the controls in the system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements."
 children = [
 control.guardduty_enabled,
 control.securityhub_enabled
@@ -127,7 +127,7 @@ benchmark "nist_800_53_rev_5_ca_9" {
 benchmark "nist_800_53_rev_5_ca_9_b" {
 title = "CA-9(b)"
- description = "b. Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated."
+ description = "Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated."
 children = [
 control.apigateway_rest_api_stage_use_ssl_certificate,
 control.elb_application_lb_redirect_http_request_to_https,
diff --git a/nist_800_53_rev_5/cp.sp b/nist_800_53_rev_5/cp.sp
index d9c97436..fd048f8e 100644
--- a/nist_800_53_rev_5/cp.sp
+++ b/nist_800_53_rev_5/cp.sp
@@ -85,7 +85,7 @@ benchmark "nist_800_53_rev_5_cp_1_2" {
 benchmark "nist_800_53_rev_5_cp_2" {
 title = "Contingency Plan (CP-2)"
- description = "to do"
+ description = "a. Develop a contingency plan for the system that: 1. Identifies essential mission and business functions and associated contingency requirements; 2. Provides recovery objectives, restoration priorities, and metrics; b. Distribute copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; c. Coordinate contingency planning activities with incident handling activities; d. Review the contingency plan for the system [Assignment: organization-defined frequency]; e. Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; f. Communicate contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; g. Incorporate lessons learned from contingency plan testing, training, or actual contingency activities into contingency testing and training; and h. Protect the contingency plan from unauthorized disclosure and modification."
 children = [
 benchmark.nist_800_53_rev_5_cp_2_a,
 benchmark.nist_800_53_rev_5_cp_2_d,
@@ -116,7 +116,7 @@ benchmark "nist_800_53_rev_5_cp_2_a" {
 benchmark "nist_800_53_rev_5_cp_2_a_6" {
 title = "CP-2(a)(6)"
- description = "a. Develop a contingency plan for the system that: 6. Addresses the sharing of contingency information."
+ description = "Develop a contingency plan for the system that: 6. Addresses the sharing of contingency information."
 children = [
 control.dynamodb_table_auto_scaling_enabled,
 control.elb_application_lb_deletion_protection_enabled,
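Review bot: The new CP-2 description enumerates only items 1 and 2 under clause a. and then jumps to b., while the hunk directly below defines `nist_800_53_rev_5_cp_2_a_6` (and the next one `nist_800_53_rev_5_cp_2_a_7`) whose text refers to items 6 and 7 of that same clause, so the parent benchmark now contradicts its own children. As I recall, Rev 5 lists seven sub-items under CP-2a (roles and responsibilities with contact information, maintaining essential functions despite disruption, eventual full restoration, sharing of contingency information, review and approval); either complete the enumeration or, if this string is meant as a summary rather than a quotation, shorten it to the control heading so it cannot be read as the authoritative text. The children list of the benchmark continues outside the hunk.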
@@ -131,7 +131,7 @@ benchmark "nist_800_53_rev_5_cp_2_a_6" {
 benchmark "nist_800_53_rev_5_cp_2_a_7" {
 title = "CP-2(a)(7)"
- description = "a. Develop a contingency plan for the system that: 7. Is reviewed and approved by [Assignment: organization-defined personnel or roles]."
+ description = "Develop a contingency plan for the system that: 7. Is reviewed and approved by [Assignment: organization-defined personnel or roles]."
 children = [
 control.dynamodb_table_auto_scaling_enabled,
 control.elb_application_lb_deletion_protection_enabled,
@@ -146,7 +146,7 @@ benchmark "nist_800_53_rev_5_cp_2_a_7" {
 benchmark "nist_800_53_rev_5_cp_2_d" {
 title = "CP-2(d)"
- description = "d. Review the contingency plan for the system [Assignment: organization-defined frequency]"
+ description = "Review the contingency plan for the system [Assignment: organization-defined frequency]"
 children = [
 control.dynamodb_table_auto_scaling_enabled,
 control.elb_application_lb_deletion_protection_enabled,
@@ -161,7 +161,7 @@ benchmark "nist_800_53_rev_5_cp_2_d" {
 benchmark "nist_800_53_rev_5_cp_2_e" {
 title = "CP-2(e)"
- description = "e. Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing."
+ description = "Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing."
 children = [
 control.dynamodb_table_auto_scaling_enabled,
 control.elb_application_lb_deletion_protection_enabled,
@@ -227,7 +227,7 @@ benchmark "nist_800_53_rev_5_cp_6" {
 benchmark "nist_800_53_rev_5_cp_6_a" {
 title = "CP-6(a)"
- description = "a. Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information."
+ description = "Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information."
 children = [
 control.dynamodb_table_in_backup_plan,
 control.ebs_volume_in_backup_plan,
diff --git a/nist_800_53_rev_5/ia.sp b/nist_800_53_rev_5/ia.sp
index f52b90bb..4e7c2e1c 100644
--- a/nist_800_53_rev_5/ia.sp
+++ b/nist_800_53_rev_5/ia.sp
@@ -127,7 +127,7 @@ benchmark "nist_800_53_rev_5_ia_3_3" {
 benchmark "nist_800_53_rev_5_ia_3_3_b" {
 title = "IA-3(3)(b)"
- description = "(b) Audit lease information when assigned to a device."
+ description = "Audit lease information when assigned to a device."
 children = [
 control.cloudtrail_multi_region_trail_enabled,
 control.wafv2_web_acl_logging_enabled,
@@ -376,7 +376,7 @@ benchmark "nist_800_53_rev_5_ia_5_18" {
 benchmark "nist_800_53_rev_5_ia_5_18_a" {
 title = "IA-5(18)(a)"
- description = "(a) Employ [Assignment: organization-defined password managers] to generate and manage passwords."
+ description = "Employ [Assignment: organization-defined password managers] to generate and manage passwords."
 children = [
 control.iam_account_password_policy_min_length_14
 ]
@@ -388,7 +388,7 @@ benchmark "nist_800_53_rev_5_ia_5_18_a" {
 benchmark "nist_800_53_rev_5_ia_5_18_b" {
 title = "IA-5(18)(b)"
- description = "(b) Protect the passwords using [Assignment: organization-defined controls]."
+ description = "Protect the passwords using [Assignment: organization-defined controls]."
 children = [
 control.iam_account_password_policy_min_length_14
 ]
@@ -424,7 +424,7 @@ benchmark "nist_800_53_rev_5_ia_8_2" {
 benchmark "nist_800_53_rev_5_ia_8_2_b" {
 title = "IA-8(2)(b)"
- description = "(b) Document and maintain a list of accepted external authenticators."
+ description = "Document and maintain a list of accepted external authenticators."
 children = [
 control.iam_account_password_policy_min_length_14
 ]
diff --git a/nist_800_53_rev_5/ir.sp b/nist_800_53_rev_5/ir.sp
index 89e27f76..960a2d5a 100644
--- a/nist_800_53_rev_5/ir.sp
+++ b/nist_800_53_rev_5/ir.sp
@@ -24,7 +24,7 @@ benchmark "nist_800_53_rev_5_ir_4" {
 benchmark "nist_800_53_rev_5_ir_4_a" {
 title = "IR-4(a)"
- description = "a. Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery."
+ description = "Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery."
 children = [
 control.guardduty_finding_archived
 ]
diff --git a/nist_800_53_rev_5/ma.sp b/nist_800_53_rev_5/ma.sp
index f1f11a31..a8b7b05b 100644
--- a/nist_800_53_rev_5/ma.sp
+++ b/nist_800_53_rev_5/ma.sp
@@ -21,7 +21,7 @@ benchmark "nist_800_53_rev_5_ma_4" {
 benchmark "nist_800_53_rev_5_ma_4_c" {
 title = "MA-4(c)"
- description = "c. Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions."
+ description = "Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions."
 children = [
 control.iam_account_password_policy_min_length_14
 ]
@@ -43,7 +43,7 @@ benchmark "nist_800_53_rev_5_ma_4_1" {
 benchmark "nist_800_53_rev_5_ma_4_1_a" {
 title = "MA-4(1)(a)"
- description = "(a) Log [Assignment: organization-defined audit events] for nonlocal maintenance and diagnostic sessions."
+ description = "Log [Assignment: organization-defined audit events] for nonlocal maintenance and diagnostic sessions."
 children = [
 control.apigateway_stage_logging_enabled,
 control.cloudtrail_multi_region_trail_enabled,
diff --git a/nist_800_53_rev_5/pm.sp b/nist_800_53_rev_5/pm.sp
index aaf8f77d..fa030d49 100644
--- a/nist_800_53_rev_5/pm.sp
+++ b/nist_800_53_rev_5/pm.sp
@@ -25,7 +25,7 @@ benchmark "nist_800_53_rev_5_pm_11" {
 benchmark "nist_800_53_rev_5_pm_11_b" {
 title = "PM-11(b)"
- description = "b. Determine information protection and personally identifiable information processing needs arising from the defined mission and business processes."
+ description = "Determine information protection and personally identifiable information processing needs arising from the defined mission and business processes."
 children = [
 control.cloudtrail_trail_validation_enabled,
 control.s3_bucket_default_encryption_enabled,
@@ -78,7 +78,7 @@ benchmark "nist_800_53_rev_5_pm_14_a_1" {
 benchmark "nist_800_53_rev_5_pm_14_b" {
 title = "PM-14(b)"
- description = "b. Review testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions."
+ description = "Review testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions."
 children = [
 control.apigateway_stage_logging_enabled,
 control.autoscaling_group_with_lb_use_health_check,
@@ -129,7 +129,7 @@ benchmark "nist_800_53_rev_5_pm_17" {
 benchmark "nist_800_53_rev_5_pm_17_b" {
 title = "PM-17(b)"
- description = "b. Review and update the policy and procedures [Assignment: organization-defined frequency]."
+ description = "Review and update the policy and procedures [Assignment: organization-defined frequency]."
 children = [
 control.apigateway_rest_api_stage_use_ssl_certificate,
 control.cloudtrail_trail_validation_enabled,
@@ -159,7 +159,7 @@ benchmark "nist_800_53_rev_5_pm_21" {
 benchmark "nist_800_53_rev_5_pm_21_b" {
 title = "PM-21(b)"
- description = "b. Retain the accounting of disclosures for the length of the time the personally identifiable information is maintained or five years after the disclosure is made, whichever is longer."
+ description = "Retain the accounting of disclosures for the length of the time the personally identifiable information is maintained or five years after the disclosure is made, whichever is longer."
 children = [
 control.cloudwatch_log_group_retention_period_365
 ]
diff --git a/nist_800_53_rev_5/ra.sp b/nist_800_53_rev_5/ra.sp
index affef152..a1eaf55c 100644
--- a/nist_800_53_rev_5/ra.sp
+++ b/nist_800_53_rev_5/ra.sp
@@ -25,7 +25,7 @@ benchmark "nist_800_53_rev_5_ra_1" {
 benchmark "nist_800_53_rev_5_ra_1_a" {
 title = "RA-1(a)"
- description = "a. Establish and maintain a cyber threat hunting capability to: 1. Search for indicators of compromise in organizational systems; and 2. Detect, track, and disrupt threats that evade existing controls."
+ description = "Establish and maintain a cyber threat hunting capability to: 1. Search for indicators of compromise in organizational systems; and 2. Detect, track, and disrupt threats that evade existing controls."
 children = [
 benchmark.nist_800_53_rev_5_ra_1_a_1,
 benchmark.nist_800_53_rev_5_ra_1_a_2,
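Review bot: The RA-1(a) description now carries the cyber threat hunting text that this same patch also uses for `nist_800_53_rev_5_ra_10_a` in the next hunk, so the two benchmarks are indistinguishable by description; in Rev 5, RA-1 is the Policy and Procedures control for the risk assessment family and threat hunting is RA-10, so this string looks copied from the wrong control and the prefix cleanup only made that harder to notice. I'd replace it with the RA-1(a) wording (develop, document and disseminate the risk assessment policy and procedures to the organization-defined personnel or roles) or, if this benchmark was always meant to be RA-10, merge it into `nist_800_53_rev_5_ra_10_a` and drop the duplicate. The children list of this benchmark continues outside the hunk.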
@@ -39,7 +39,7 @@ benchmark "nist_800_53_rev_5_ra_1_a" {
 benchmark "nist_800_53_rev_5_ra_1_a_1" {
 title = "RA-1(a)(1)"
- description = "a. Establish and maintain a cyber threat hunting capability to: 1. Search for indicators of compromise in organizational systems."
+ description = "Establish and maintain a cyber threat hunting capability to: 1. Search for indicators of compromise in organizational systems."
 children = [
 control.guardduty_enabled
 ]
@@ -110,7 +110,7 @@ benchmark "nist_800_53_rev_5_ra_5" {
 benchmark "nist_800_53_rev_5_ra_5_a" {
 title = "RA-5(a)"
- description = "a. Monitor and scan for vulnerabilities in the system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system are identified and reported."
+ description = "Monitor and scan for vulnerabilities in the system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system are identified and reported."
 children = [
 control.guardduty_enabled
 ]
@@ -145,7 +145,7 @@ benchmark "nist_800_53_rev_5_ra_10" {
 benchmark "nist_800_53_rev_5_ra_10_a" {
 title = "RA-10(a)"
- description = "a. Establish and maintain a cyber threat hunting capability to: 1. Search for indicators of compromise in organizational systems; and 2. Detect, track, and disrupt threats that evade existings."
+ description = "Establish and maintain a cyber threat hunting capability to: 1. Search for indicators of compromise in organizational systems; and 2. Detect, track, and disrupt threats that evade existings."
 children = [
 benchmark.nist_800_53_rev_5_ra_10_a_1,
 benchmark.nist_800_53_rev_5_ra_10_a_2,
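Review bot: RA-5(a), "monitor and scan for vulnerabilities in the system and hosted applications", is backed solely by `control.guardduty_enabled`; GuardDuty is a threat-detection service over logs and network telemetry, not a vulnerability scanner, so a passing result here says nothing about whether hosts, containers or applications are actually scanned. If the mod has a control backed by a vulnerability-assessment service (Amazon Inspector or equivalent) it belongs in this children list; otherwise I'd add a comment beside the child, `# detection proxy only: vulnerability scanning coverage is not assessed by this mod`, so the report is not read as attesting to RA-5. The tags block of this benchmark is outside the hunk.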
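Review bot: The RA-10(a) string kept on the new side still ends in `threats that evade existings.`, which the commit leaves as-is while trimming the `a.` prefix; the control text reads `threats that evade existing controls.`, and the RA-1(a) hunk earlier in this patch already uses that spelling, so the two copies disagree. I'd fix it here: `description = "Establish and maintain a cyber threat hunting capability to: 1. Search for indicators of compromise in organizational systems; and 2. Detect, track, and disrupt threats that evade existing controls."`. The same truncated phrase is repeated in the RA-10(a)(1) hunk that follows, and the children list continues outside this hunk.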
@@ -159,7 +159,7 @@ benchmark "nist_800_53_rev_5_ra_10_a" {
 benchmark "nist_800_53_rev_5_ra_10_a_1" {
 title = "RA-10(a)(1)"
- description = "a. Establish and maintain a cyber threat hunting capability to: 1. Search for indicators of compromise in organizational systems; and 2. Detect, track, and disrupt threats that evade existings."
+ description = "Establish and maintain a cyber threat hunting capability to: 1. Search for indicators of compromise in organizational systems; and 2. Detect, track, and disrupt threats that evade existings."
 children = [
 control.guardduty_enabled
 ]
diff --git a/nist_800_53_rev_5/sc.sp b/nist_800_53_rev_5/sc.sp
index 6cd34136..761fb1ca 100644
--- a/nist_800_53_rev_5/sc.sp
+++ b/nist_800_53_rev_5/sc.sp
@@ -88,7 +88,7 @@ benchmark "nist_800_53_rev_5_sc_5_3" {
 benchmark "nist_800_53_rev_5_sc_5_a" {
 title = "SC-5(a)"
- description = "a. [Selection: Protect against; Limit] the effects of the following types of denial-of-service events: [Assignment: organization-defined types of denial-of-service events]."
+ description = "[Selection: Protect against; Limit] the effects of the following types of denial-of-service events: [Assignment: organization-defined types of denial-of-service events]."
 children = [
 control.guardduty_enabled
 ]
@@ -100,7 +100,7 @@ benchmark "nist_800_53_rev_5_sc_5_a" {
 benchmark "nist_800_53_rev_5_sc_5_b" {
 title = "SC-5(b)"
- description = "b. Employ the following controls to achieve the denial-of-service objective: [Assignment: organization-defined controls by type of denial-of-service event]."
+ description = "Employ the following controls to achieve the denial-of-service objective: [Assignment: organization-defined controls by type of denial-of-service event]."
 children = [
 control.guardduty_enabled
 ]
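Review bot: The RA-10(a)(1) description repeats the whole of RA-10(a), item 2 and the truncated `evade existings.` phrase included, whereas the parallel `nist_800_53_rev_5_ra_1_a_1` hunk in this patch quotes only item 1; a reader of the report cannot tell which sub-item the `guardduty_enabled` finding is meant to satisfy. I'd trim it to the (a)(1) granularity used elsewhere: `description = "Establish and maintain a cyber threat hunting capability to: 1. Search for indicators of compromise in organizational systems."`. The tags block of this benchmark is outside the hunk.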
@@ -112,7 +112,7 @@ benchmark "nist_800_53_rev_5_sc_5_b" {
 benchmark "nist_800_53_rev_5_sc_5_3_a" {
 title = "SC-5(3)(a)"
- description = "(a) Employ the following monitoring tools to detect indicators of denial-of-service attacks against, or launched from, the system: [Assignment: organization-defined monitoring tools]."
+ description = "Employ the following monitoring tools to detect indicators of denial-of-service attacks against, or launched from, the system: [Assignment: organization-defined monitoring tools]."
 children = [
 control.guardduty_enabled
 ]
@@ -124,7 +124,7 @@ benchmark "nist_800_53_rev_5_sc_5_3_a" {
 benchmark "nist_800_53_rev_5_sc_5_3_b" {
 title = "SC-5(3)(b)"
- description = "(b) Monitor the following system resources to determine if sufficient resources exist to prevent effective denial-of-service attacks: [Assignment: organization-defined system resources]."
+ description = "Monitor the following system resources to determine if sufficient resources exist to prevent effective denial-of-service attacks: [Assignment: organization-defined system resources]."
 children = [
 control.guardduty_enabled
 ]
@@ -244,7 +244,7 @@ benchmark "nist_800_53_rev_5_sc_7_4" {
 benchmark "nist_800_53_rev_5_sc_7_4_b" {
 title = "SC-7(4)(b)"
- description = "(b) Establish a traffic flow policy for each managed interface."
+ description = "Establish a traffic flow policy for each managed interface."
 children = [
 control.apigateway_rest_api_stage_use_ssl_certificate,
 control.elb_application_lb_redirect_http_request_to_https,
@@ -260,7 +260,7 @@ benchmark "nist_800_53_rev_5_sc_7_4_b" {
 benchmark "nist_800_53_rev_5_sc_7_4_g" {
 title = "SC-7(4)(g)"
- description = "(g) Publish information to enable remote networks to detect unauthorized control plane traffic from internal networks."
+ description = "Publish information to enable remote networks to detect unauthorized control plane traffic from internal networks."
 children = [
 control.apigateway_rest_api_stage_use_ssl_certificate,
 control.elb_application_lb_redirect_http_request_to_https,
@@ -330,7 +330,7 @@ benchmark "nist_800_53_rev_5_sc_7_9" {
 benchmark "nist_800_53_rev_5_sc_7_9_a" {
 title = "SC-7(9)(a)"
- description = "(a) Detect and deny outgoing communications traffic posing a threat to external systems."
+ description = "Detect and deny outgoing communications traffic posing a threat to external systems."
 children = [
 control.dms_replication_instance_not_publicly_accessible,
 control.ebs_snapshot_not_publicly_restorable,
@@ -356,7 +356,7 @@ benchmark "nist_800_53_rev_5_sc_7_9_a" {
 benchmark "nist_800_53_rev_5_sc_7_9_b" {
 title = "SC-7(9)(b)"
- description = "(b) Audit the identity of internal users associated with denied communications."
+ description = "Audit the identity of internal users associated with denied communications."
 children = [
 control.apigateway_stage_logging_enabled,
 control.cloudtrail_multi_region_trail_enabled,
@@ -665,7 +665,7 @@ benchmark "nist_800_53_rev_5_sc_7_28" {
 benchmark "nist_800_53_rev_5_sc_7_a" {
 title = "SC-7(a)"
- description = "a. Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system."
+ description = "Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system."
 children = [
 control.dms_replication_instance_not_publicly_accessible,
 control.ebs_snapshot_not_publicly_restorable,
@@ -695,7 +695,7 @@ benchmark "nist_800_53_rev_5_sc_7_a" {
 benchmark "nist_800_53_rev_5_sc_7_b" {
 title = "SC-7(b)"
- description = "b. Implement subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks."
+ description = "Implement subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks."
 children = [
 control.dms_replication_instance_not_publicly_accessible,
 control.ebs_snapshot_not_publicly_restorable,
@@ -722,7 +722,7 @@ benchmark "nist_800_53_rev_5_sc_7_b" {
 benchmark "nist_800_53_rev_5_sc_7_c" {
 title = "SC-7(c)"
- description = "c. Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture."
+ description = "Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture."
 children = [
 control.dms_replication_instance_not_publicly_accessible,
 control.ebs_snapshot_not_publicly_restorable,
@@ -941,7 +941,7 @@ benchmark "nist_800_53_rev_5_sc_13" {
 benchmark "nist_800_53_rev_5_sc_13_a" {
 title = "SC-13(a)"
- description = "a. Determine the [Assignment: organization-defined cryptographic uses]."
+ description = "Determine the [Assignment: organization-defined cryptographic uses]."
 children = [
 control.apigateway_rest_api_stage_use_ssl_certificate,
 control.apigateway_stage_cache_encryption_at_rest_enabled,
@@ -1162,7 +1162,7 @@ benchmark "nist_800_53_rev_5_sc_36" {
 benchmark "nist_800_53_rev_5_sc_36_1_a" {
 title = "SC-36(1)(a)"
- description = "(a) Employ polling techniques to identify potential faults, errors, or compromises to the following processing and storage components: [Assignment: organization-defined distributed processing and storage components]."
+ description = "Employ polling techniques to identify potential faults, errors, or compromises to the following processing and storage components: [Assignment: organization-defined distributed processing and storage components]."
 children = [
 control.autoscaling_group_with_lb_use_health_check,
 control.cloudwatch_alarm_action_enabled,
@@ -1188,7 +1188,7 @@ benchmark "nist_800_53_rev_5_sc_43" {
 benchmark "nist_800_53_rev_5_sc_43_b" {
 title = "SC-43(b)"
- description = "b. Authorize, monitor, and control the use of such components within the system."
+ description = "Authorize, monitor, and control the use of such components within the system."
 children = [
 control.guardduty_enabled
 ]
diff --git a/nist_800_53_rev_5/si.sp b/nist_800_53_rev_5/si.sp
index a0ddcd8c..a1a61e22 100644
--- a/nist_800_53_rev_5/si.sp
+++ b/nist_800_53_rev_5/si.sp
@@ -67,7 +67,7 @@ benchmark "nist_800_53_rev_5_si_1_c_2" {
 benchmark "nist_800_53_rev_5_si_1_1_c" {
 title = "SI-1(1)(c)"
- description = "c(c) Audit the use of the manual override capability."
+ description = "Audit the use of the manual override capability."
 children = [
 control.cloudtrail_multi_region_trail_enabled,
 control.cloudtrail_s3_data_events_enabled,
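Review bot: After the `c(c)` cleanup, `nist_800_53_rev_5_si_1_1_c` (titled SI-1(1)(c)) carries exactly the same text as `nist_800_53_rev_5_si_10_1_c` later in this patch, `Audit the use of the manual override capability.`; that sentence is the SI-10(1)(c) requirement (manual override of input validation), and as far as I recall SI-1, the Policy and Procedures control, has no enhancement (1) in Rev 5, so this looks like a copy-paste that acquired a bogus identifier. The doubled `c(c)` the commit strips is itself evidence that the entry was pasted, so I'd confirm the intended control and either remove this benchmark or rename and retitle it rather than ship a duplicate under an ID auditors cannot map. The children list continues outside the hunk.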
@@ -193,7 +193,7 @@ benchmark "nist_800_53_rev_5_si_3_8" {
 benchmark "nist_800_53_rev_5_si_3_8_a" {
 title = "SI-3(8)(a)"
- description = "(a) Detect the following unauthorized operating system commands through the kernel application programming interface on [Assignment: organization-defined system hardware components]: [Assignment: organization-defined unauthorized operating system commands]."
+ description = "Detect the following unauthorized operating system commands through the kernel application programming interface on [Assignment: organization-defined system hardware components]: [Assignment: organization-defined unauthorized operating system commands]."
 children = [
 control.guardduty_enabled
 ]
@@ -203,7 +203,7 @@ benchmark "nist_800_53_rev_5_si_3_8_a" {
 benchmark "nist_800_53_rev_5_si_3_8_b" {
 title = "SI-3(8)(b)"
- description = "(b) [Selection (one or more): issue a warning; audit the command execution; prevent the execution of the command]."
+ description = "[Selection (one or more): issue a warning; audit the command execution; prevent the execution of the command]."
 children = [
 control.cloudtrail_multi_region_trail_enabled,
 control.cloudtrail_s3_data_events_enabled,
@@ -244,7 +244,7 @@ benchmark "nist_800_53_rev_5_si_4" {
 benchmark "nist_800_53_rev_5_si_4_a" {
 title = "SI-4(a)"
- description = "a. Monitor the system to detect: 1. Attacks and indicators of potential attacks in accordance with the following monitoring objectives: [Assignment: organization-defined monitoring objectives]; and 2. Unauthorized local, network, and remote connections."
+ description = "Monitor the system to detect: 1. Attacks and indicators of potential attacks in accordance with the following monitoring objectives: [Assignment: organization-defined monitoring objectives]; and 2. Unauthorized local, network, and remote connections."
 children = [
 benchmark.nist_800_53_rev_5_si_4_a_1,
 benchmark.nist_800_53_rev_5_si_4_a_2,
@@ -282,7 +282,7 @@ benchmark "nist_800_53_rev_5_si_4_a_2" {
 benchmark "nist_800_53_rev_5_si_4_b" {
 title = "SI-4(b)"
- description = "b. Identify unauthorized use of the system through the following techniques and methods: [Assignment: organization-defined techniques and methods]."
+ description = "Identify unauthorized use of the system through the following techniques and methods: [Assignment: organization-defined techniques and methods]."
 children = [
 control.guardduty_enabled
 ]
@@ -306,7 +306,7 @@ benchmark "nist_800_53_rev_5_si_4_c" {
 benchmark "nist_800_53_rev_5_si_4_d" {
 title = "SI-4(d)"
- description = "d. Analyze detected events and anomalies."
+ description = "Analyze detected events and anomalies."
 children = [
 control.cloudtrail_trail_validation_enabled
 ]
@@ -370,7 +370,7 @@ benchmark "nist_800_53_rev_5_si_4_4" {
 benchmark "nist_800_53_rev_5_si_4_4_a" {
 title = "SI-4(4)(a)"
- description = "(a) Determine criteria for unusual or unauthorized activities or conditions for inbound and outbound communications traffic."
+ description = "Determine criteria for unusual or unauthorized activities or conditions for inbound and outbound communications traffic."
 children = [
 control.guardduty_enabled
 ]
@@ -382,7 +382,7 @@ benchmark "nist_800_53_rev_5_si_4_4_a" {
 benchmark "nist_800_53_rev_5_si_4_4_b" {
 title = "SI-4(4)(b)"
- description = "(b) Monitor inbound and outbound communications traffic [Assignment: organization-defined frequency] for [Assignment: organization-defined unusual or unauthorized activities or conditions]."
+ description = "Monitor inbound and outbound communications traffic [Assignment: organization-defined frequency] for [Assignment: organization-defined unusual or unauthorized activities or conditions]."
 children = [
 control.guardduty_enabled
 ]
@@ -428,7 +428,7 @@ benchmark "nist_800_53_rev_5_si_4_13" {
 benchmark "nist_800_53_rev_5_si_4_13_a" {
 title = "SI-4(13)(a)"
- description = "(a) Analyze communications traffic and event patterns for the system."
+ description = "Analyze communications traffic and event patterns for the system."
 children = [
 control.guardduty_enabled
 ]
@@ -531,7 +531,7 @@ benchmark "nist_800_53_rev_5_si_5_1" {
 benchmark "nist_800_53_rev_5_si_5_b" {
 title = "SI-5(b)"
- description = "b. Generate internal security alerts, advisories, and directives as deemed necessary."
+ description = "Generate internal security alerts, advisories, and directives as deemed necessary."
 children = [
 control.cloudwatch_alarm_action_enabled,
 control.guardduty_enabled
@@ -612,7 +612,7 @@ benchmark "nist_800_53_rev_5_si_7_8" {
 benchmark "nist_800_53_rev_5_si_7_a" {
 title = "SI-7(a)"
- description = "a. Employ integrity verification tools to detect unauthorized changes to the following software, firmware, and information: [Assignment: organization-defined software, firmware, and information]."
+ description = "Employ integrity verification tools to detect unauthorized changes to the following software, firmware, and information: [Assignment: organization-defined software, firmware, and information]."
 children = [
 control.cloudtrail_trail_validation_enabled
 ]
@@ -643,7 +643,7 @@ benchmark "nist_800_53_rev_5_si_10_1" {
 benchmark "nist_800_53_rev_5_si_10_1_c" {
 title = "SI-10(1)(c)"
- description = "(c) Audit the use of the manual override capability."
+ description = "Audit the use of the manual override capability."
 children = [
 control.cloudtrail_multi_region_trail_enabled,
 control.cloudtrail_s3_data_events_enabled,
From 08602e00e6fb6b169a42975605791abf95a2f65f Mon Sep 17 00:00:00 2001
From: Khushboo
Date: Thu, 2 Jun 2022 12:23:56 +0530
Subject: [PATCH 19/20] update decription
---
 conformance_pack/vpc.sp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/conformance_pack/vpc.sp b/conformance_pack/vpc.sp
index 66641288..c259e009 100644
--- a/conformance_pack/vpc.sp
+++ b/conformance_pack/vpc.sp
@@ -151,7 +151,7 @@ control "vpc_subnet_auto_assign_public_ip_disabled" {
 control "vpc_route_table_restrict_public_access_to_igw" {
 title = "VPC route table should restrict public access to IGW"
- description = "Ensure if there are public routes in the route table to an Internet Gateway (IGW). The rule is complaint if a route to an IGW has a destination CIDR block of '0.0.0.0/0' or '::/0' or if a destination CIDR block does not match the rule parameter."
+ description = "Ensure if there are public routes in the route table to an Internet Gateway (IGW). The rule is complaint if a route to an IGW has a destination CIDR block of '0.0.0.0/0' or '::/0'."
 sql = query.vpc_route_table_restrict_public_access_to_igw.sql
 tags = merge(local.conformance_pack_vpc_common_tags, {
From 5eb374b7c0c701512e7c686ff41c0bf1139a198a Mon Sep 17 00:00:00 2001
From: Khushboo
Date: Thu, 2 Jun 2022 13:10:48 +0530
Subject: [PATCH 20/20] update
---
 conformance_pack/vpc.sp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/conformance_pack/vpc.sp b/conformance_pack/vpc.sp
index c259e009..bd1abcdd 100644
--- a/conformance_pack/vpc.sp
+++ b/conformance_pack/vpc.sp
@@ -136,7 +136,7 @@ control "vpc_security_group_associated_to_eni" {
 }
 control "vpc_subnet_auto_assign_public_ip_disabled" {
- title = "VPC subnet auto assign public ip should be disabled"
+ title = "VPC subnet auto assign public IP should be disabled"
 description = "Ensure if Amazon Virtual Private Cloud (Amazon VPC) subnets are assigned a public IP address. The control is complaint if Amazon VPC does not have subnets that are assigned a public IP address. The control. is non complaint if Amazon VPC has subnets that are assigned a public IP address."
 sql = query.vpc_subnet_auto_assign_public_ip_disabled.sql
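Review bot: The reworded description of `vpc_route_table_restrict_public_access_to_igw` still states that the rule is `complaint` (sic) when a route to an IGW has a destination of `0.0.0.0/0` or `::/0`, which is the opposite of the control's title, "should restrict public access to IGW": unless the query behind `query.vpc_route_table_restrict_public_access_to_igw` is deliberately inverted, a default route to an internet gateway is the non-compliant case, and a reader relying on this text would draw the wrong conclusion from a finding. I'd fix both the polarity and the wording in the same change: `description = "Ensure there are no unrestricted routes to an Internet Gateway (IGW) in the route table. The rule is non-compliant if a route to an IGW has a destination CIDR block of '0.0.0.0/0' or '::/0'."`. The control's tags block continues outside the hunk.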
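Review bot: The description of `vpc_subnet_auto_assign_public_ip_disabled`, kept as context next to the title fix, misspells compliant as `complaint` twice and has a stray period in `The control. is non complaint`; since this commit already touches the control for a capitalisation fix, the description should be corrected alongside rather than left to ship in a customer-facing report. I'd make it read: `description = "Ensure that Amazon Virtual Private Cloud (Amazon VPC) subnets do not automatically assign a public IP address. The control is compliant if no subnet has auto-assign public IP enabled and non-compliant if any subnet does."`, which also matches what the title says the query checks. The control's tags block continues outside the hunk.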