Add Operational Best Practices for FFIEC. Closes #418 #420

Merged
merged 18 commits into from
Jun 30, 2022
6 changes: 4 additions & 2 deletions README.md
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
# AWS Compliance Scanning Tool

475+ checks covering industry defined security best practices across all AWS regions. Includes full support for multiple best practice benchmarks including PCI DSS, AWS Foundational Security, FedRAMP, HIPAA, NIST 800-53, NIST CSF, Reserve Bank of India, Audit Manager Control Tower **and the latest (v1.4.0) CIS benchmarks**.
475+ checks covering industry defined security best practices across all AWS regions. Includes full support for multiple best practice benchmarks including PCI DSS, AWS Foundational Security, FedRAMP, FFIEC, HIPAA, NIST 800-53, NIST CSF, Reserve Bank of India, Audit Manager Control Tower **and the latest (v1.4.0) CIS benchmarks**.

Run checks in a dashboard:
![image](https://raw.githubusercontent.com/turbot/steampipe-mod-aws-compliance/main/docs/aws_cis_v140_dashboard.png)
Expand All @@ -14,10 +14,12 @@ Includes support for:
* [Audit Manager Control Tower](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.control_tower)
* [FedRAMP Low Revision 4](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.fedramp_low_rev_4)
* [FedRAMP Moderate Revision 4](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.fedramp_moderate_rev_4)
* [Federal Financial
Institutions Examination Council (FFIEC)](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.ffiec) 🚀 New!
* [HIPAA](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.hipaa)
* [General Data Protection Regulation (GDPR)](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.gdpr)
* [NIST 800-53 Revision 4](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.nist_800_53_rev_4)
* [NIST 800-53 Revision 5](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.nist_800_53_rev_5) 🚀 New!
* [NIST 800-53 Revision 5](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.nist_800_53_rev_5)
* [NIST Cybersecurity Framework (CSF)](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.nist_csf)
* [PCI DSS v3.2.1](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.pci_v321)
* [AWS Foundational Security Best Practices](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.foundational_security)
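Review bot: the new FFIEC list entry has its link text broken across two lines (`* [Federal Financial` / `Institutions Examination Council (FFIEC)](...)`), while every other benchmark entry in this list keeps the link on a single line; join it to `* [Federal Financial Institutions Examination Council (FFIEC)](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.ffiec) 🚀 New!` so the rendered item does not depend on how the Markdown renderer treats a newline inside link text. Moving the `🚀 New!` marker from NIST 800-53 Revision 5 to FFIEC in the same hunk is consistent with the README header change above.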
3 changes: 2 additions & 1 deletion conformance_pack/acm.sp
Expand Up @@ -12,6 +12,7 @@ control "acm_certificate_expires_30_days" {
tags = merge(local.conformance_pack_acm_common_tags, {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
ffiec = "true"
gdpr = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
Expand All @@ -20,4 +21,4 @@ control "acm_certificate_expires_30_days" {
rbi_cyber_security = "true"
soc_2 = "true"
})
}
}
5 changes: 4 additions & 1 deletion conformance_pack/apigateway.sp
Expand Up @@ -28,6 +28,7 @@ control "apigateway_stage_logging_enabled" {
tags = merge(local.conformance_pack_apigateway_common_tags, {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
ffiec = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
Expand All @@ -44,6 +45,7 @@ control "apigateway_rest_api_stage_use_ssl_certificate" {

tags = merge(local.conformance_pack_apigateway_common_tags, {
fedramp_moderate_rev_4 = "true"
ffiec = "true"
nist_800_53_rev_5 = "true"
rbi_cyber_security = "true"
})
Expand All @@ -57,7 +59,8 @@ control "apigateway_stage_use_waf_web_acl" {
tags = merge(local.conformance_pack_apigateway_common_tags, {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
ffiec = "true"
nist_800_53_rev_5 = "true"
rbi_cyber_security = "true"
})
}
}
4 changes: 3 additions & 1 deletion conformance_pack/autoscaling.sp
Expand Up @@ -12,6 +12,7 @@ control "autoscaling_group_with_lb_use_health_check" {
tags = merge(local.conformance_pack_autoscaling_common_tags, {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
ffiec = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
Expand All @@ -27,7 +28,8 @@ control "autoscaling_launch_config_public_ip_disabled" {
tags = merge(local.conformance_pack_autoscaling_common_tags, {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
ffiec = "true"
nist_800_53_rev_5 = "true"
rbi_cyber_security = "true"
})
}
}
19 changes: 16 additions & 3 deletions conformance_pack/backup.sp
Expand Up @@ -5,11 +5,12 @@ locals {
}

control "backup_recovery_point_manual_deletion_disabled" {
title = "Backup recovery point manual deletion should be disabled"
title = "Backup recovery points manual deletion should be disabled"
description = "Checks if a backup vault has an attached resource-based policy which prevents deletion of recovery points. The rule is non complaint if the Backup Vault does not have resource-based policies or has policies without a suitable 'Deny' statement."
sql = query.backup_recovery_point_manual_deletion_disabled.sql

tags = merge(local.conformance_pack_backup_common_tags, {
ffiec = "true"
hipaa = "true"
nist_csf = "true"
soc_2 = "true"
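Review bot: while the title of `backup_recovery_point_manual_deletion_disabled` is being reworded, the unchanged description line directly below it still reads "The rule is non complaint if the Backup Vault ..."; this should be "non-compliant", since the sentence describes rule compliance and is the text shown to users in the benchmark output. Inserting `ffiec = "true"` ahead of `hipaa` keeps the tag map alphabetical, matching the other files in this PR.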
Expand All @@ -24,20 +25,32 @@ control "backup_plan_min_retention_35_days" {
tags = merge(local.conformance_pack_backup_common_tags, {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
ffiec = "true"
hipaa = "true"
nist_csf = "true"
soc_2 = "true"
})
}

control "backup_recovery_point_encryption_enabled" {
title = "Backup recovery point should be encrypted"
title = "Backup recovery points should be encrypted"
description = "Ensure if a recovery point is encrypted. The rule is non complaint if the recovery point is not encrypted."
sql = query.backup_recovery_point_encryption_enabled.sql

tags = merge(local.conformance_pack_backup_common_tags, {
ffiec = "true"
hipaa = "true"
nist_csf = "true"
soc_2 = "true"
})
}
}

control "backup_recovery_point_min_retention_35_days" {
title = "Backup recovery points should not expire before retention period"
description = "Ensure a recovery point expires no earlier than after the specified period. The rule is non-compliant if the recovery point has a retention point less than 35 days."
sql = query.backup_recovery_point_min_retention_35_days.sql

tags = merge(local.conformance_pack_backup_common_tags, {
ffiec = "true"
})
}
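Review bot: the description of the new `backup_recovery_point_min_retention_35_days` control says "the recovery point has a retention point less than 35 days"; that should read "retention period", which is what the control title and the `backup_plan_min_retention_35_days` control above it refer to. Two smaller wording points in the same hunk: the `backup_recovery_point_encryption_enabled` description opens "Ensure if a recovery point is encrypted" (read: "Ensure that") and repeats the "non complaint" typo. The new control carries only the `ffiec` tag; if it is meant to parallel `backup_plan_min_retention_35_days`, confirm whether the `hipaa`, `nist_csf` and `soc_2` tags on that control should apply here as well, or leave it FFIEC-only if that is the only mapping being added.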
4 changes: 4 additions & 0 deletions conformance_pack/cloudtrail.sp
Expand Up @@ -12,6 +12,7 @@ control "cloudtrail_trail_integrated_with_logs" {
tags = merge(local.conformance_pack_cloudtrail_common_tags, {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
ffiec = "true"
gdpr = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
Expand All @@ -30,6 +31,7 @@ control "cloudtrail_s3_data_events_enabled" {
tags = merge(local.conformance_pack_cloudtrail_common_tags, {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
ffiec = "true"
gdpr = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
Expand Down Expand Up @@ -65,6 +67,7 @@ control "cloudtrail_multi_region_trail_enabled" {
tags = merge(local.conformance_pack_cloudtrail_common_tags, {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
ffiec = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
Expand Down Expand Up @@ -98,6 +101,7 @@ control "cloudtrail_trail_enabled" {
tags = merge(local.conformance_pack_cloudtrail_common_tags, {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
ffiec = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
6 changes: 4 additions & 2 deletions conformance_pack/cloudwatch.sp
Expand Up @@ -12,6 +12,7 @@ control "cloudwatch_alarm_action_enabled" {
tags = merge(local.conformance_pack_cloudwatch_common_tags, {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
ffiec = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
Expand Down Expand Up @@ -46,6 +47,7 @@ control "cloudwatch_log_group_retention_period_365" {
tags = merge(local.conformance_pack_cloudwatch_common_tags, {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
ffiec = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
Expand Down Expand Up @@ -139,8 +141,8 @@ control "log_metric_filter_network_acl" {
sql = query.log_metric_filter_network_acl.sql

tags = merge(local.conformance_pack_cloudwatch_common_tags, {
gdpr = "true"
nist_csf = "true"
gdpr = "true"
nist_csf = "true"
})
}

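Review bot: the `gdpr` and `nist_csf` lines in `log_metric_filter_network_acl` change only in indentation, with no tag added or removed; this whitespace-only alignment fix is unrelated to the FFIEC tagging the PR title describes. It is harmless to land here, but it reads more cleanly as its own formatting commit so the FFIEC diff contains only tag additions.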
2 changes: 2 additions & 0 deletions conformance_pack/codebuild.sp
Expand Up @@ -12,6 +12,7 @@ control "codebuild_project_plaintext_env_variables_no_sensitive_aws_values" {
tags = merge(local.conformance_pack_codebuild_common_tags, {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
ffiec = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_csf = "true"
Expand All @@ -27,6 +28,7 @@ control "codebuild_project_source_repo_oauth_configured" {
tags = merge(local.conformance_pack_codebuild_common_tags, {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
ffiec = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_csf = "true"
3 changes: 2 additions & 1 deletion conformance_pack/dms.sp
Expand Up @@ -12,10 +12,11 @@ control "dms_replication_instance_not_publicly_accessible" {
tags = merge(local.conformance_pack_dms_common_tags, {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
ffiec = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
rbi_cyber_security = "true"
})
}
}
3 changes: 3 additions & 0 deletions conformance_pack/dynamodb.sp
Expand Up @@ -12,6 +12,7 @@ control "dynamodb_table_auto_scaling_enabled" {
tags = merge(local.conformance_pack_dynamodb_common_tags, {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
ffiec = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
Expand All @@ -27,6 +28,7 @@ control "dynamodb_table_point_in_time_recovery_enabled" {
tags = merge(local.conformance_pack_dynamodb_common_tags, {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
ffiec = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
Expand Down Expand Up @@ -56,6 +58,7 @@ control "dynamodb_table_in_backup_plan" {
sql = query.dynamodb_table_in_backup_plan.sql

tags = merge(local.conformance_pack_dynamodb_common_tags, {
ffiec = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
8 changes: 7 additions & 1 deletion conformance_pack/ebs.sp
Expand Up @@ -12,6 +12,7 @@ control "ebs_snapshot_not_publicly_restorable" {
tags = merge(local.conformance_pack_ebs_common_tags, {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
ffiec = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
Expand Down Expand Up @@ -42,8 +43,9 @@ control "ebs_attached_volume_encryption_enabled" {
tags = merge(local.conformance_pack_ebs_common_tags, {
audit_manager_control_tower = "true"
fedramp_moderate_rev_4 = "true"
hipaa = "true"
ffiec = "true"
gdpr = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
Expand All @@ -57,6 +59,7 @@ control "ebs_volume_in_backup_plan" {
sql = query.ebs_volume_in_backup_plan.sql

tags = merge(local.conformance_pack_ebs_common_tags, {
ffiec = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
Expand All @@ -75,6 +78,7 @@ control "ebs_attached_volume_delete_on_termination_enabled" {
audit_manager_control_tower = "true"
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
ffiec = "true"
nist_800_53_rev_4 = "true"
nist_csf = "true"
})
Expand All @@ -88,6 +92,7 @@ control "ebs_volume_protected_by_backup_plan" {
tags = merge(local.conformance_pack_ebs_common_tags, {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
ffiec = "true"
hipaa = "true"
nist_csf = "true"
soc_2 = "true"
Expand All @@ -102,6 +107,7 @@ control "ebs_volume_unused" {
tags = merge(local.conformance_pack_ebs_common_tags, {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
ffiec = "true"
nist_800_53_rev_5 = "true"
})
}
6 changes: 6 additions & 0 deletions conformance_pack/ec2.sp
Expand Up @@ -10,6 +10,7 @@ control "ec2_ebs_default_encryption_enabled" {
sql = query.ec2_ebs_default_encryption_enabled.sql

tags = merge(local.conformance_pack_ec2_common_tags, {
ffiec = "true"
hipaa = "true"
nist_800_53_rev_5 = "true"
})
Expand Down Expand Up @@ -37,6 +38,7 @@ control "ec2_instance_in_vpc" {
tags = merge(local.conformance_pack_ec2_common_tags, {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
ffiec = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
Expand All @@ -53,6 +55,7 @@ control "ec2_instance_not_publicly_accessible" {
tags = merge(local.conformance_pack_ec2_common_tags, {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
ffiec = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
Expand All @@ -70,6 +73,7 @@ control "ec2_stopped_instance_30_days" {
tags = merge(local.conformance_pack_ec2_common_tags, {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
ffiec = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
Expand Down Expand Up @@ -113,6 +117,7 @@ control "ec2_instance_protected_by_backup_plan" {
tags = merge(local.conformance_pack_ec2_common_tags, {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
ffiec = "true"
hipaa = "true"
nist_csf = "true"
soc_2 = "true"
Expand All @@ -125,6 +130,7 @@ control "ec2_instance_iam_profile_attached" {
sql = query.ec2_instance_iam_profile_attached.sql

tags = merge(local.conformance_pack_ec2_common_tags, {
ffiec = "true"
nist_800_53_rev_5 = "true"
})
}
1 change: 1 addition & 0 deletions conformance_pack/ecs.sp
Expand Up @@ -12,6 +12,7 @@ control "ecs_task_definition_user_for_host_mode_check" {
tags = merge(local.conformance_pack_ecs_common_tags, {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
ffiec = "true"
nist_800_53_rev_5 = "true"
})
}
4 changes: 3 additions & 1 deletion conformance_pack/efs.sp
Expand Up @@ -10,6 +10,7 @@ control "efs_file_system_encrypt_data_at_rest" {
sql = query.efs_file_system_encrypt_data_at_rest.sql

tags = merge(local.conformance_pack_efs_common_tags, {
ffiec = "true"
gdpr = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
Expand All @@ -25,6 +26,7 @@ control "efs_file_system_in_backup_plan" {
sql = query.efs_file_system_automatic_backups_enabled.sql

tags = merge(local.conformance_pack_efs_common_tags, {
ffiec = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
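Review bot: `efs_file_system_in_backup_plan` is being tagged for FFIEC, but its `sql` line points at `query.efs_file_system_automatic_backups_enabled.sql`, a query named for automatic backups rather than for backup-plan membership. Before the FFIEC benchmark starts reporting on this control, confirm that the referenced query evaluates what the control name promises (the file system is in a backup plan); if it only checks the automatic-backup setting, either point the control at the correct query or rename the control so the benchmark result is not misleading.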
Expand All @@ -46,4 +48,4 @@ control "efs_file_system_protected_by_backup_plan" {
nist_csf = "true"
soc_2 = "true"
})
}
}
1 change: 1 addition & 0 deletions conformance_pack/elasticache.sp
Expand Up @@ -12,6 +12,7 @@ control "elasticache_redis_cluster_automatic_backup_retention_15_days" {
tags = merge(local.conformance_pack_elasticache_common_tags, {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
ffiec = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"