diff --git a/README.md b/README.md
index 72ea1d11..84536f3d 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
# AWS Compliance Mod for Steampipe
-475+ checks covering industry defined security best practices across all AWS regions. Includes full support for multiple best practice benchmarks including PCI DSS, AWS Foundational Security, FedRAMP, FFIEC, HIPAA, NIST 800-53, NIST CSF, Reserve Bank of India, Audit Manager Control Tower **and the latest (v1.4.0) CIS benchmarks**.
+475+ checks covering industry defined security best practices across all AWS regions. Includes full support for multiple best practice benchmarks including PCI DSS, AWS Foundational Security, FedRAMP, FFIEC, GxP 21 CFR Part 11, HIPAA, NIST 800-53, NIST CSF, Reserve Bank of India, Audit Manager Control Tower **and the latest (v1.4.0) CIS benchmarks**.
Run checks in a dashboard:
![image](https://raw.githubusercontent.com/turbot/steampipe-mod-aws-compliance/main/docs/aws_cis_v140_dashboard.png)
@@ -15,9 +15,10 @@ Includes support for:
* [FedRAMP Low Revision 4](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.fedramp_low_rev_4)
* [FedRAMP Moderate Revision 4](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.fedramp_moderate_rev_4)
* [Federal Financial
-Institutions Examination Council (FFIEC)](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.ffiec) 🚀 New!
-* [HIPAA](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.hipaa)
+Institutions Examination Council (FFIEC)](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.ffiec)
* [General Data Protection Regulation (GDPR)](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.gdpr)
+* [GxP 21 CFR Part 11](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.gxp_21_cfr_part_11) 🚀 New!
+* [HIPAA](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.hipaa)
* [NIST 800-53 Revision 4](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.nist_800_53_rev_4)
* [NIST 800-53 Revision 5](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.nist_800_53_rev_5)
* [NIST Cybersecurity Framework (CSF)](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.nist_csf)
diff --git a/conformance_pack/apigateway.sp b/conformance_pack/apigateway.sp
index 75bf3879..c1f37278 100644
--- a/conformance_pack/apigateway.sp
+++ b/conformance_pack/apigateway.sp
@@ -12,6 +12,7 @@ control "apigateway_stage_cache_encryption_at_rest_enabled" {
tags = merge(local.conformance_pack_apigateway_common_tags, {
fedramp_moderate_rev_4 = "true"
gdpr = "true"
+ gxp_21_cfr_part_11 = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
@@ -29,6 +30,7 @@ control "apigateway_stage_logging_enabled" {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
ffiec = "true"
+ gxp_21_cfr_part_11 = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
@@ -46,6 +48,7 @@ control "apigateway_rest_api_stage_use_ssl_certificate" {
tags = merge(local.conformance_pack_apigateway_common_tags, {
fedramp_moderate_rev_4 = "true"
ffiec = "true"
+ gxp_21_cfr_part_11 = "true"
nist_800_53_rev_5 = "true"
rbi_cyber_security = "true"
})
diff --git a/conformance_pack/cloudtrail.sp b/conformance_pack/cloudtrail.sp
index 2b70e645..77a5e7a1 100644
--- a/conformance_pack/cloudtrail.sp
+++ b/conformance_pack/cloudtrail.sp
@@ -14,6 +14,7 @@ control "cloudtrail_trail_integrated_with_logs" {
fedramp_moderate_rev_4 = "true"
ffiec = "true"
gdpr = "true"
+ gxp_21_cfr_part_11 = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
@@ -33,6 +34,7 @@ control "cloudtrail_s3_data_events_enabled" {
fedramp_moderate_rev_4 = "true"
ffiec = "true"
gdpr = "true"
+ gxp_21_cfr_part_11 = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
@@ -51,6 +53,7 @@ control "cloudtrail_trail_logs_encrypted_with_kms_cmk" {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
gdpr = "true"
+ gxp_21_cfr_part_11 = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
@@ -68,6 +71,7 @@ control "cloudtrail_multi_region_trail_enabled" {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
ffiec = "true"
+ gxp_21_cfr_part_11 = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
@@ -86,6 +90,7 @@ control "cloudtrail_trail_validation_enabled" {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
gdpr = "true"
+ gxp_21_cfr_part_11 = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
@@ -102,6 +107,7 @@ control "cloudtrail_trail_enabled" {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
ffiec = "true"
+ gxp_21_cfr_part_11 = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
@@ -151,4 +157,4 @@ control "cloudtrail_bucket_not_public" {
tags = merge(local.conformance_pack_cloudtrail_common_tags, {
gdpr = "true"
})
-}
\ No newline at end of file
+}
diff --git a/conformance_pack/cloudwatch.sp b/conformance_pack/cloudwatch.sp
index 666ee171..abdf8bf3 100644
--- a/conformance_pack/cloudwatch.sp
+++ b/conformance_pack/cloudwatch.sp
@@ -30,6 +30,7 @@ control "log_group_encryption_at_rest_enabled" {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
gdpr = "true"
+ gxp_21_cfr_part_11 = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
@@ -48,6 +49,7 @@ control "cloudwatch_log_group_retention_period_365" {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
ffiec = "true"
+ gxp_21_cfr_part_11 = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
diff --git a/conformance_pack/dms.sp b/conformance_pack/dms.sp
index 05888bc7..15721802 100644
--- a/conformance_pack/dms.sp
+++ b/conformance_pack/dms.sp
@@ -13,6 +13,7 @@ control "dms_replication_instance_not_publicly_accessible" {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
ffiec = "true"
+ gxp_21_cfr_part_11 = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
diff --git a/conformance_pack/dynamodb.sp b/conformance_pack/dynamodb.sp
index 28c47711..5e7b860b 100644
--- a/conformance_pack/dynamodb.sp
+++ b/conformance_pack/dynamodb.sp
@@ -13,6 +13,7 @@ control "dynamodb_table_auto_scaling_enabled" {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
ffiec = "true"
+ gxp_21_cfr_part_11 = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
@@ -29,6 +30,7 @@ control "dynamodb_table_point_in_time_recovery_enabled" {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
ffiec = "true"
+ gxp_21_cfr_part_11 = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
@@ -45,6 +47,7 @@ control "dynamodb_table_encrypted_with_kms_cmk" {
tags = merge(local.conformance_pack_dynamodb_common_tags, {
gdpr = "true"
+ gxp_21_cfr_part_11 = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
@@ -59,6 +62,7 @@ control "dynamodb_table_in_backup_plan" {
tags = merge(local.conformance_pack_dynamodb_common_tags, {
ffiec = "true"
+ gxp_21_cfr_part_11 = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
diff --git a/conformance_pack/ebs.sp b/conformance_pack/ebs.sp
index 0dcaf0d7..9b7b0758 100644
--- a/conformance_pack/ebs.sp
+++ b/conformance_pack/ebs.sp
@@ -13,6 +13,7 @@ control "ebs_snapshot_not_publicly_restorable" {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
ffiec = "true"
+ gxp_21_cfr_part_11 = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
@@ -45,6 +46,7 @@ control "ebs_attached_volume_encryption_enabled" {
fedramp_moderate_rev_4 = "true"
ffiec = "true"
gdpr = "true"
+ gxp_21_cfr_part_11 = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
@@ -60,6 +62,7 @@ control "ebs_volume_in_backup_plan" {
tags = merge(local.conformance_pack_ebs_common_tags, {
ffiec = "true"
+ gxp_21_cfr_part_11 = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
@@ -108,6 +111,7 @@ control "ebs_volume_unused" {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
ffiec = "true"
+ gxp_21_cfr_part_11 = "true"
nist_800_53_rev_5 = "true"
})
}
diff --git a/conformance_pack/ec2.sp b/conformance_pack/ec2.sp
index df3c5dc9..68ef2aaa 100644
--- a/conformance_pack/ec2.sp
+++ b/conformance_pack/ec2.sp
@@ -10,9 +10,10 @@ control "ec2_ebs_default_encryption_enabled" {
sql = query.ec2_ebs_default_encryption_enabled.sql
tags = merge(local.conformance_pack_ec2_common_tags, {
- ffiec = "true"
- hipaa = "true"
- nist_800_53_rev_5 = "true"
+ ffiec = "true"
+ gxp_21_cfr_part_11 = "true"
+ hipaa = "true"
+ nist_800_53_rev_5 = "true"
})
}
@@ -39,6 +40,7 @@ control "ec2_instance_in_vpc" {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
ffiec = "true"
+ gxp_21_cfr_part_11 = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
@@ -56,6 +58,7 @@ control "ec2_instance_not_publicly_accessible" {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
ffiec = "true"
+ gxp_21_cfr_part_11 = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
@@ -74,6 +77,7 @@ control "ec2_stopped_instance_30_days" {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
ffiec = "true"
+ gxp_21_cfr_part_11 = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
@@ -89,9 +93,10 @@ control "ec2_instance_ebs_optimized" {
audit_manager_control_tower = "true"
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
+ gxp_21_cfr_part_11 = "true"
hipaa = "true"
- nist_csf = "true"
nist_800_53_rev_5 = "true"
+ nist_csf = "true"
soc_2 = "true"
})
}
@@ -104,6 +109,7 @@ control "ec2_instance_uses_imdsv2" {
tags = merge(local.conformance_pack_ec2_common_tags, {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
+ gxp_21_cfr_part_11 = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
})
@@ -130,8 +136,9 @@ control "ec2_instance_iam_profile_attached" {
sql = query.ec2_instance_iam_profile_attached.sql
tags = merge(local.conformance_pack_ec2_common_tags, {
- ffiec = "true"
- nist_800_53_rev_5 = "true"
+ ffiec = "true"
+ gxp_21_cfr_part_11 = "true"
+ nist_800_53_rev_5 = "true"
})
}
diff --git a/conformance_pack/ecs.sp b/conformance_pack/ecs.sp
index 1ad5aa56..45a2a4b8 100644
--- a/conformance_pack/ecs.sp
+++ b/conformance_pack/ecs.sp
@@ -13,6 +13,7 @@ control "ecs_task_definition_user_for_host_mode_check" {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
ffiec = "true"
+ gxp_21_cfr_part_11 = "true"
nist_800_53_rev_5 = "true"
})
}
diff --git a/conformance_pack/efs.sp b/conformance_pack/efs.sp
index 033ebbec..bb801309 100644
--- a/conformance_pack/efs.sp
+++ b/conformance_pack/efs.sp
@@ -12,6 +12,7 @@ control "efs_file_system_encrypt_data_at_rest" {
tags = merge(local.conformance_pack_efs_common_tags, {
ffiec = "true"
gdpr = "true"
+ gxp_21_cfr_part_11 = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
@@ -27,6 +28,7 @@ control "efs_file_system_in_backup_plan" {
tags = merge(local.conformance_pack_efs_common_tags, {
ffiec = "true"
+ gxp_21_cfr_part_11 = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
diff --git a/conformance_pack/elasticache.sp b/conformance_pack/elasticache.sp
index c43627dc..9fd07569 100644
--- a/conformance_pack/elasticache.sp
+++ b/conformance_pack/elasticache.sp
@@ -13,6 +13,7 @@ control "elasticache_redis_cluster_automatic_backup_retention_15_days" {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
ffiec = "true"
+ gxp_21_cfr_part_11 = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
diff --git a/conformance_pack/elb.sp b/conformance_pack/elb.sp
index 76da553f..a487cc53 100644
--- a/conformance_pack/elb.sp
+++ b/conformance_pack/elb.sp
@@ -14,6 +14,7 @@ control "elb_application_classic_lb_logging_enabled" {
fedramp_moderate_rev_4 = "true"
ffiec = "true"
gdpr = "true"
+ gxp_21_cfr_part_11 = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
@@ -32,6 +33,7 @@ control "elb_application_lb_deletion_protection_enabled" {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
ffiec = "true"
+ gxp_21_cfr_part_11 = "true"
hipaa = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
@@ -48,6 +50,7 @@ control "elb_application_lb_redirect_http_request_to_https" {
fedramp_moderate_rev_4 = "true"
ffiec = "true"
gdpr = "true"
+ gxp_21_cfr_part_11 = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
@@ -82,6 +85,7 @@ control "elb_classic_lb_use_ssl_certificate" {
fedramp_moderate_rev_4 = "true"
ffiec = "true"
gdpr = "true"
+ gxp_21_cfr_part_11 = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
@@ -114,6 +118,7 @@ control "elb_classic_lb_use_tls_https_listeners" {
fedramp_moderate_rev_4 = "true"
ffiec = "true"
gdpr = "true"
+ gxp_21_cfr_part_11 = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
@@ -130,6 +135,7 @@ control "elb_classic_lb_cross_zone_load_balancing_enabled" {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
ffiec = "true"
+ gxp_21_cfr_part_11 = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
@@ -144,6 +150,7 @@ control "elb_application_network_lb_use_ssl_certificate" {
tags = merge(local.conformance_pack_elb_common_tags, {
fedramp_moderate_rev_4 = "true"
ffiec = "true"
+ gxp_21_cfr_part_11 = "true"
nist_800_53_rev_5 = "true"
rbi_cyber_security = "true"
})
diff --git a/conformance_pack/emr.sp b/conformance_pack/emr.sp
index 4014c515..4d02a14a 100644
--- a/conformance_pack/emr.sp
+++ b/conformance_pack/emr.sp
@@ -10,10 +10,11 @@ control "emr_cluster_kerberos_enabled" {
sql = query.emr_cluster_kerberos_enabled.sql
tags = merge(local.conformance_pack_emr_common_tags, {
- ffiec = "true"
- hipaa = "true"
- nist_800_53_rev_4 = "true"
- nist_csf = "true"
+ ffiec = "true"
+ gxp_21_cfr_part_11 = "true"
+ hipaa = "true"
+ nist_800_53_rev_4 = "true"
+ nist_csf = "true"
})
}
@@ -26,6 +27,7 @@ control "emr_cluster_master_nodes_no_public_ip" {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
ffiec = "true"
+ gxp_21_cfr_part_11 = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
diff --git a/conformance_pack/es.sp b/conformance_pack/es.sp
index 30c5f9c7..a9009513 100644
--- a/conformance_pack/es.sp
+++ b/conformance_pack/es.sp
@@ -13,6 +13,7 @@ control "es_domain_encryption_at_rest_enabled" {
fedramp_moderate_rev_4 = "true"
ffiec = "true"
gdpr = "true"
+ gxp_21_cfr_part_11 = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
@@ -30,6 +31,7 @@ control "es_domain_in_vpc" {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
ffiec = "true"
+ gxp_21_cfr_part_11 = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
@@ -48,6 +50,7 @@ control "es_domain_node_to_node_encryption_enabled" {
fedramp_moderate_rev_4 = "true"
ffiec = "true"
gdpr = "true"
+ gxp_21_cfr_part_11 = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
@@ -64,6 +67,7 @@ control "es_domain_logs_to_cloudwatch" {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
ffiec = "true"
+ gxp_21_cfr_part_11 = "true"
nist_800_53_rev_5 = "true"
rbi_cyber_security = "true"
})
diff --git a/conformance_pack/guardduty.sp b/conformance_pack/guardduty.sp
index eb0c988e..40a047cd 100644
--- a/conformance_pack/guardduty.sp
+++ b/conformance_pack/guardduty.sp
@@ -13,6 +13,7 @@ control "guardduty_enabled" {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
ffiec = "true"
+ gxp_21_cfr_part_11 = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
diff --git a/conformance_pack/iam.sp b/conformance_pack/iam.sp
index 616976c9..23fcfb9e 100644
--- a/conformance_pack/iam.sp
+++ b/conformance_pack/iam.sp
@@ -25,6 +25,7 @@ control "iam_group_not_empty" {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
ffiec = "true"
+ gxp_21_cfr_part_11 = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_csf = "true"
@@ -42,6 +43,7 @@ control "iam_policy_no_star_star" {
fedramp_moderate_rev_4 = "true"
ffiec = "true"
gdpr = "true"
+ gxp_21_cfr_part_11 = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
@@ -61,6 +63,7 @@ control "iam_root_user_no_access_keys" {
fedramp_moderate_rev_4 = "true"
ffiec = "true"
gdpr = "true"
+ gxp_21_cfr_part_11 = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
@@ -79,6 +82,7 @@ control "iam_root_user_hardware_mfa_enabled" {
fedramp_moderate_rev_4 = "true"
ffiec = "true"
gdpr = "true"
+ gxp_21_cfr_part_11 = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
@@ -97,6 +101,7 @@ control "iam_root_user_mfa_enabled" {
fedramp_moderate_rev_4 = "true"
ffiec = "true"
gdpr = "true"
+ gxp_21_cfr_part_11 = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
@@ -114,6 +119,7 @@ control "iam_user_access_key_age_90" {
fedramp_moderate_rev_4 = "true"
ffiec = "true"
gdpr = "true"
+ gxp_21_cfr_part_11 = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
@@ -132,6 +138,7 @@ control "iam_user_console_access_mfa_enabled" {
fedramp_moderate_rev_4 = "true"
ffiec = "true"
gdpr = "true"
+ gxp_21_cfr_part_11 = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
@@ -149,6 +156,7 @@ control "iam_user_mfa_enabled" {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
ffiec = "true"
+ gxp_21_cfr_part_11 = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
@@ -166,6 +174,7 @@ control "iam_user_no_inline_attached_policies" {
fedramp_moderate_rev_4 = "true"
ffiec = "true"
gdpr = "true"
+ gxp_21_cfr_part_11 = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
@@ -185,6 +194,7 @@ control "iam_user_unused_credentials_90" {
fedramp_moderate_rev_4 = "true"
ffiec = "true"
gdpr = "true"
+ gxp_21_cfr_part_11 = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
@@ -202,6 +212,7 @@ control "iam_user_in_group" {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
ffiec = "true"
+ gxp_21_cfr_part_11 = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
@@ -219,6 +230,7 @@ control "iam_group_user_role_no_inline_policies" {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
ffiec = "true"
+ gxp_21_cfr_part_11 = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
@@ -268,8 +280,9 @@ control "iam_account_password_policy_strong" {
sql = query.iam_account_password_policy_strong.sql
tags = merge(local.conformance_pack_iam_common_tags, {
- ffiec = "true"
- gdpr = "true"
+ ffiec = "true"
+ gdpr = "true"
+ gxp_21_cfr_part_11 = "true"
})
}
@@ -337,6 +350,7 @@ control "iam_all_policy_no_service_wild_card" {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
ffiec = "true"
+ gxp_21_cfr_part_11 = "true"
nist_800_53_rev_5 = "true"
rbi_cyber_security = "true"
})
@@ -351,6 +365,7 @@ control "iam_policy_custom_no_blocked_kms_actions" {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
ffiec = "true"
+ gxp_21_cfr_part_11 = "true"
})
}
@@ -360,17 +375,48 @@ control "iam_policy_inline_no_blocked_kms_actions" {
sql = query.iam_policy_inline_no_blocked_kms_actions.sql
tags = merge(local.conformance_pack_iam_common_tags, {
+ gxp_21_cfr_part_11 = "true"
})
}
-
control "account_part_of_organizations" {
title = "AWS account should be part of AWS Organizations"
description = "Ensure if an AWS account is part of AWS Organizations. The rule is non compliant if an AWS account is not part of AWS Organizations or AWS Organizations master account ID does not match rule parameter MasterAccountId."
sql = query.account_part_of_organizations.sql
tags = merge(local.conformance_pack_iam_common_tags, {
- nist_800_53_rev_5 = "true"
+ gxp_21_cfr_part_11 = "true"
+ nist_800_53_rev_5 = "true"
+ })
+}
+
+control "iam_policy_custom_no_assume_role" {
+ title = "IAM roles should not have any assume role policies attached"
+ description = "Role assume policies can provide access to roles in external AWS accounts."
+ sql = query.iam_policy_custom_no_assume_role.sql
+
+ tags = merge(local.conformance_pack_iam_common_tags, {
+ other_checks = "true"
+ })
+}
+
+control "iam_user_hardware_mfa_enabled" {
+ title = "IAM users should have hardware MFA enabled"
+ description = "Manage access to resources in the AWS Cloud by ensuring hardware MFA is enabled for the user."
+ sql = query.iam_user_hardware_mfa_enabled.sql
+
+ tags = merge(local.conformance_pack_iam_common_tags, {
+ other_checks = "true"
+ })
+}
+
+control "iam_user_with_administrator_access_mfa_enabled" {
+ title = "IAM administrator users should have MFA enabled"
+ description = "Manage access to resources in the AWS Cloud by ensuring MFA is enabled for users with administrative privileges."
+ sql = query.iam_user_with_administrator_access_mfa_enabled.sql
+
+ tags = merge(local.conformance_pack_iam_common_tags, {
+ other_checks = "true"
})
}
diff --git a/conformance_pack/kms.sp b/conformance_pack/kms.sp
index e2b59430..7418de7d 100644
--- a/conformance_pack/kms.sp
+++ b/conformance_pack/kms.sp
@@ -12,6 +12,7 @@ control "kms_key_not_pending_deletion" {
tags = merge(local.conformance_pack_kms_common_tags, {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
+ gxp_21_cfr_part_11 = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
@@ -28,8 +29,9 @@ control "kms_cmk_rotation_enabled" {
tags = merge(local.conformance_pack_kms_common_tags, {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
- hippa = "true"
gdpr = "true"
+ gxp_21_cfr_part_11 = "true"
+ hippa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
rbi_cyber_security = "true"
diff --git a/conformance_pack/lambda.sp b/conformance_pack/lambda.sp
index 3e03cd5d..f1ced339 100644
--- a/conformance_pack/lambda.sp
+++ b/conformance_pack/lambda.sp
@@ -29,6 +29,7 @@ control "lambda_function_in_vpc" {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
ffiec = "true"
+ gxp_21_cfr_part_11 = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
@@ -46,6 +47,7 @@ control "lambda_function_restrict_public_access" {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
ffiec = "true"
+ gxp_21_cfr_part_11 = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
diff --git a/conformance_pack/rds.sp b/conformance_pack/rds.sp
index fc3ac5b4..37da7b83 100644
--- a/conformance_pack/rds.sp
+++ b/conformance_pack/rds.sp
@@ -13,6 +13,7 @@ control "rds_db_instance_backup_enabled" {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
ffiec = "true"
+ gxp_21_cfr_part_11 = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
@@ -31,6 +32,7 @@ control "rds_db_instance_encryption_at_rest_enabled" {
fedramp_moderate_rev_4 = "true"
ffiec = "true"
gdpr = "true"
+ gxp_21_cfr_part_11 = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
@@ -48,6 +50,7 @@ control "rds_db_instance_multiple_az_enabled" {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
ffiec = "true"
+ gxp_21_cfr_part_11 = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
@@ -65,6 +68,7 @@ control "rds_db_instance_prohibit_public_access" {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
ffiec = "true"
+ gxp_21_cfr_part_11 = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
@@ -83,6 +87,7 @@ control "rds_db_snapshot_encrypted_at_rest" {
audit_manager_control_tower = "true"
fedramp_moderate_rev_4 = "true"
gdpr = "true"
+ gxp_21_cfr_part_11 = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
@@ -100,6 +105,7 @@ control "rds_db_snapshot_prohibit_public_access" {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
ffiec = "true"
+ gxp_21_cfr_part_11 = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
@@ -118,6 +124,7 @@ control "rds_db_instance_logging_enabled" {
fedramp_moderate_rev_4 = "true"
ffiec = "true"
gdpr = "true"
+ gxp_21_cfr_part_11 = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
rbi_cyber_security = "true"
@@ -133,6 +140,7 @@ control "rds_db_instance_in_backup_plan" {
tags = merge(local.conformance_pack_rds_common_tags, {
ffiec = "true"
gdpr = "true"
+ gxp_21_cfr_part_11 = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
@@ -165,6 +173,7 @@ control "rds_db_instance_deletion_protection_enabled" {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
ffiec = "true"
+ gxp_21_cfr_part_11 = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
soc_2 = "true"
diff --git a/conformance_pack/redshift.sp b/conformance_pack/redshift.sp
index f647d5ff..6e3e4af4 100644
--- a/conformance_pack/redshift.sp
+++ b/conformance_pack/redshift.sp
@@ -14,6 +14,7 @@ control "redshift_cluster_encryption_in_transit_enabled" {
fedramp_moderate_rev_4 = "true"
ffiec = "true"
gdpr = "true"
+ gxp_21_cfr_part_11 = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
@@ -32,6 +33,7 @@ control "redshift_cluster_encryption_logging_enabled" {
fedramp_moderate_rev_4 = "true"
ffiec = "true"
gdpr = "true"
+ gxp_21_cfr_part_11 = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
@@ -50,6 +52,7 @@ control "redshift_cluster_prohibit_public_access" {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
ffiec = "true"
+ gxp_21_cfr_part_11 = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
@@ -68,6 +71,7 @@ control "redshift_cluster_automatic_snapshots_min_7_days" {
fedramp_moderate_rev_4 = "true"
ffiec = "true"
gdpr = "true"
+ gxp_21_cfr_part_11 = "true"
hipaa = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
@@ -85,6 +89,8 @@ control "redshift_cluster_kms_enabled" {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
ffiec = "true"
+ gxp_21_cfr_part_11 = "true"
+ gxp_21_cfr_part_11 = "true"
nist_800_53_rev_5 = "true"
rbi_cyber_security = "true"
})
@@ -108,7 +114,8 @@ control "redshift_cluster_enhanced_vpc_routing_enabled" {
sql = query.redshift_cluster_enhanced_vpc_routing_enabled.sql
tags = merge(local.conformance_pack_redshift_common_tags, {
- ffiec = "true"
- nist_800_53_rev_5 = "true"
+ ffiec = "true"
+ gxp_21_cfr_part_11 = "true"
+ nist_800_53_rev_5 = "true"
})
}
diff --git a/conformance_pack/s3.sp b/conformance_pack/s3.sp
index d13b44f4..b5557248 100644
--- a/conformance_pack/s3.sp
+++ b/conformance_pack/s3.sp
@@ -13,6 +13,7 @@ control "s3_bucket_cross_region_replication_enabled" {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
ffiec = "true"
+ gxp_21_cfr_part_11 = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
@@ -31,6 +32,7 @@ control "s3_bucket_default_encryption_enabled" {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
gdpr = "true"
+ gxp_21_cfr_part_11 = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
@@ -49,6 +51,7 @@ control "s3_bucket_enforces_ssl" {
fedramp_moderate_rev_4 = "true"
ffiec = "true"
gdpr = "true"
+ gxp_21_cfr_part_11 = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
@@ -66,6 +69,7 @@ control "s3_bucket_logging_enabled" {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
ffiec = "true"
+ gxp_21_cfr_part_11 = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
@@ -83,6 +87,7 @@ control "s3_bucket_object_lock_enabled" {
tags = merge(local.conformance_pack_s3_common_tags, {
fedramp_moderate_rev_4 = "true"
ffiec = "true"
+ gxp_21_cfr_part_11 = "true"
hipaa = "true"
nist_csf = "true"
soc_2 = "true"
@@ -99,6 +104,7 @@ control "s3_bucket_restrict_public_read_access" {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
ffiec = "true"
+ gxp_21_cfr_part_11 = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
@@ -118,6 +124,7 @@ control "s3_bucket_restrict_public_write_access" {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
ffiec = "true"
+ gxp_21_cfr_part_11 = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
@@ -136,6 +143,7 @@ control "s3_bucket_versioning_enabled" {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
ffiec = "true"
+ gxp_21_cfr_part_11 = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
@@ -154,6 +162,7 @@ control "s3_public_access_block_account" {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
ffiec = "true"
+ gxp_21_cfr_part_11 = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
@@ -187,6 +196,7 @@ control "s3_bucket_default_encryption_enabled_kms" {
fedramp_moderate_rev_4 = "true"
ffiec = "true"
gdpr = "true"
+ gxp_21_cfr_part_11 = "true"
hipaa = "true"
nist_800_53_rev_5 = "true"
rbi_cyber_security = "true"
@@ -201,6 +211,7 @@ control "s3_public_access_block_bucket" {
tags = merge(local.conformance_pack_s3_common_tags, {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
+ gxp_21_cfr_part_11 = "true"
nist_800_53_rev_5 = "true"
})
}
diff --git a/conformance_pack/sagemaker.sp b/conformance_pack/sagemaker.sp
index 707c1891..e86593c7 100644
--- a/conformance_pack/sagemaker.sp
+++ b/conformance_pack/sagemaker.sp
@@ -13,6 +13,7 @@ control "sagemaker_notebook_instance_direct_internet_access_disabled" {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
ffiec = "true"
+ gxp_21_cfr_part_11 = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
@@ -30,6 +31,7 @@ control "sagemaker_notebook_instance_encryption_at_rest_enabled" {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
gdpr = "true"
+ gxp_21_cfr_part_11 = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
@@ -47,6 +49,7 @@ control "sagemaker_endpoint_configuration_encryption_at_rest_enabled" {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
gdpr = "true"
+ gxp_21_cfr_part_11 = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
diff --git a/conformance_pack/secretsmanager.sp b/conformance_pack/secretsmanager.sp
index 32dab652..ea262c67 100644
--- a/conformance_pack/secretsmanager.sp
+++ b/conformance_pack/secretsmanager.sp
@@ -10,9 +10,10 @@ control "secretsmanager_secret_automatic_rotation_enabled" {
sql = query.secretsmanager_secret_automatic_rotation_enabled.sql
tags = merge(local.conformance_pack_secretsmanager_common_tags, {
- hipaa = "true"
- nist_800_53_rev_5 = "true"
- nist_csf = "true"
+ gxp_21_cfr_part_11 = "true"
+ hipaa = "true"
+ nist_800_53_rev_5 = "true"
+ nist_csf = "true"
})
}
@@ -22,9 +23,10 @@ control "secretsmanager_secret_rotated_as_scheduled" {
sql = query.secretsmanager_secret_rotated_as_scheduled.sql
tags = merge(local.conformance_pack_secretsmanager_common_tags, {
- nist_800_53_rev_4 = "true"
- nist_800_53_rev_5 = "true"
- nist_csf = "true"
+ gxp_21_cfr_part_11 = "true"
+ nist_800_53_rev_4 = "true"
+ nist_800_53_rev_5 = "true"
+ nist_csf = "true"
})
}
@@ -44,6 +46,7 @@ control "secretsmanager_secret_encrypted_with_kms_cmk" {
sql = query.secretsmanager_secret_encrypted_with_kms_cmk.sql
tags = merge(local.conformance_pack_secretsmanager_common_tags, {
- nist_800_53_rev_5 = "true"
+ gxp_21_cfr_part_11 = "true"
+ nist_800_53_rev_5 = "true"
})
}
diff --git a/conformance_pack/securityhub.sp b/conformance_pack/securityhub.sp
index 2d45598c..7930b1db 100644
--- a/conformance_pack/securityhub.sp
+++ b/conformance_pack/securityhub.sp
@@ -13,6 +13,7 @@ control "securityhub_enabled" {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
ffiec = "true"
+ gxp_21_cfr_part_11 = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
diff --git a/conformance_pack/sns.sp b/conformance_pack/sns.sp
index a63d546f..a2da4887 100644
--- a/conformance_pack/sns.sp
+++ b/conformance_pack/sns.sp
@@ -13,6 +13,7 @@ control "sns_topic_encrypted_at_rest" {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
gdpr = "true"
+ gxp_21_cfr_part_11 = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
diff --git a/conformance_pack/ssm.sp b/conformance_pack/ssm.sp
index 6389e80c..3631065b 100644
--- a/conformance_pack/ssm.sp
+++ b/conformance_pack/ssm.sp
@@ -13,6 +13,7 @@ control "ec2_instance_ssm_managed" {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
ffiec = "true"
+ gxp_21_cfr_part_11 = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
@@ -31,6 +32,7 @@ control "ssm_managed_instance_compliance_association_compliant" {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
ffiec = "true"
+ gxp_21_cfr_part_11 = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
@@ -49,6 +51,7 @@ control "ssm_managed_instance_compliance_patch_compliant" {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
ffiec = "true"
+ gxp_21_cfr_part_11 = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
diff --git a/conformance_pack/vpc.sp b/conformance_pack/vpc.sp
index 8f221a39..ecdc46c4 100644
--- a/conformance_pack/vpc.sp
+++ b/conformance_pack/vpc.sp
@@ -14,6 +14,7 @@ control "vpc_flow_logs_enabled" {
fedramp_moderate_rev_4 = "true"
ffiec = "true"
gdpr = "true"
+ gxp_21_cfr_part_11 = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
@@ -29,6 +30,7 @@ control "vpc_igw_attached_to_authorized_vpc" {
sql = query.vpc_igw_attached_to_authorized_vpc.sql
tags = merge(local.conformance_pack_vpc_common_tags, {
+ gxp_21_cfr_part_11 = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_csf = "true"
@@ -45,6 +47,7 @@ control "vpc_security_group_restrict_ingress_tcp_udp_all" {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
ffiec = "true"
+ gxp_21_cfr_part_11 = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
@@ -63,6 +66,7 @@ control "vpc_security_group_restrict_ingress_common_ports_all" {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
ffiec = "true"
+ gxp_21_cfr_part_11 = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
@@ -81,6 +85,7 @@ control "vpc_security_group_restrict_ingress_ssh_all" {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
ffiec = "true"
+ gxp_21_cfr_part_11 = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
@@ -99,6 +104,7 @@ control "vpc_default_security_group_restricts_all_traffic" {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
ffiec = "true"
+ gxp_21_cfr_part_11 = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
@@ -115,6 +121,7 @@ control "vpc_vpn_tunnel_up" {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
ffiec = "true"
+ gxp_21_cfr_part_11 = "true"
hipaa = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
@@ -151,6 +158,7 @@ control "vpc_subnet_auto_assign_public_ip_disabled" {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
ffiec = "true"
+ gxp_21_cfr_part_11 = "true"
nist_800_53_rev_5 = "true"
nist_csf = "true"
rbi_cyber_security = "true"
@@ -166,6 +174,7 @@ control "vpc_route_table_restrict_public_access_to_igw" {
fedramp_low_rev_4 = "true"
fedramp_moderate_rev_4 = "true"
ffiec = "true"
+ gxp_21_cfr_part_11 = "true"
nist_800_53_rev_5 = "true"
rbi_cyber_security = "true"
})
diff --git a/conformance_pack/wafv2.sp b/conformance_pack/wafv2.sp
index ee230e42..e096b224 100644
--- a/conformance_pack/wafv2.sp
+++ b/conformance_pack/wafv2.sp
@@ -14,6 +14,7 @@ control "wafv2_web_acl_logging_enabled" {
fedramp_moderate_rev_4 = "true"
ffiec = "true"
gdpr = "true"
+ gxp_21_cfr_part_11 = "true"
hipaa = "true"
nist_800_53_rev_4 = "true"
nist_800_53_rev_5 = "true"
diff --git a/docs/index.md b/docs/index.md
index 26ce97af..7dbda239 100644
--- a/docs/index.md
+++ b/docs/index.md
@@ -4,7 +4,7 @@ repository: "https://github.com/turbot/steampipe-mod-aws-compliance"
# AWS Compliance Mod
-Run individual configuration, compliance and security controls or full compliance benchmarks for `Audit Manager Control Tower`, `AWS Foundational Security Best Practices`, `CIS`, `FedRAMP`, `FFIEC`, `GDPR`, `HIPAA`, `NIST 800-53`, `NIST CSF`, `PCI DSS`, `RBI Cyber Security Framework` and `SOC 2` across all your AWS accounts.
+Run individual configuration, compliance and security controls or full compliance benchmarks for `Audit Manager Control Tower`, `AWS Foundational Security Best Practices`, `CIS`, `FedRAMP`, `FFIEC`, `GDPR`, `GxP 21 CFR Part 11`, `HIPAA`, `NIST 800-53`, `NIST CSF`, `PCI DSS`, `RBI Cyber Security Framework` and `SOC 2` across all your AWS accounts.
@@ -26,6 +26,8 @@ Run individual configuration, compliance and security controls or full complianc
[GDPR](https://docs.aws.amazon.com/audit-manager/latest/userguide/GDPR.html) provides a set of robust requirements that raise and harmonize standards for data protection, security, and compliance throughout the European Union (EU).
+[GxP 21 CFR Part 11](https://www.ecfr.gov/current/title-21/chapter-I/subchapter-A/part-11?toc=1) includes details for the criteria under which electronic records and signatures are considered trustworthy and equivalent to paper records and ensures the integrity of data used to make product-related safety decisions.
+
[HIPAA Compliance](https://aws.amazon.com/compliance/hipaa-compliance/) provides a set of general-purpose security standards for the U.S. Health Insurance Portability and Accountability Act (HIPAA).
[NIST 800-53](https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final) provides minimum baselines of security controls for U.S. federal information systems except those related to national security.
diff --git a/gxp_21_cfr_part_11/11_10.sp b/gxp_21_cfr_part_11/11_10.sp
new file mode 100644
index 00000000..86099395
--- /dev/null
+++ b/gxp_21_cfr_part_11/11_10.sp
@@ -0,0 +1,255 @@
+benchmark "gxp_21_cfr_part_11_11_10" {
+ title = "11.10 Controls for closed systems"
+ description = "Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls shall include the following benchmarks."
+ children = [
+ benchmark.gxp_21_cfr_part_11_11_10_a,
+ benchmark.gxp_21_cfr_part_11_11_10_c,
+ benchmark.gxp_21_cfr_part_11_11_10_d,
+ benchmark.gxp_21_cfr_part_11_11_10_e,
+ benchmark.gxp_21_cfr_part_11_11_10_g,
+ benchmark.gxp_21_cfr_part_11_11_10_h,
+ benchmark.gxp_21_cfr_part_11_11_10_k
+ ]
+
+ tags = local.gxp_21_cfr_part_11_common_tags
+}
+
+benchmark "gxp_21_cfr_part_11_11_10_a" {
+ title = "11.10(a)"
+ description = "Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls shall include the following: (a) Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records."
+ children = [
+ control.cloudtrail_trail_validation_enabled,
+ control.dynamodb_table_auto_scaling_enabled,
+ control.dynamodb_table_in_backup_plan,
+ control.dynamodb_table_point_in_time_recovery_enabled,
+ control.ebs_volume_in_backup_plan,
+ control.ebs_volume_unused,
+ control.ec2_instance_ebs_optimized,
+ control.ec2_instance_ssm_managed,
+ control.ec2_stopped_instance_30_days,
+ control.efs_file_system_in_backup_plan,
+ control.elasticache_redis_cluster_automatic_backup_retention_15_days,
+ control.elb_application_lb_deletion_protection_enabled,
+ control.elb_classic_lb_cross_zone_load_balancing_enabled,
+ control.rds_db_instance_backup_enabled,
+ control.rds_db_instance_deletion_protection_enabled,
+ control.rds_db_instance_in_backup_plan,
+ control.rds_db_instance_multiple_az_enabled,
+ control.redshift_cluster_automatic_snapshots_min_7_days,
+ control.s3_bucket_cross_region_replication_enabled,
+ control.s3_bucket_object_lock_enabled,
+ control.s3_bucket_versioning_enabled,
+ control.ssm_managed_instance_compliance_association_compliant,
+ control.ssm_managed_instance_compliance_patch_compliant,
+ control.vpc_vpn_tunnel_up
+ ]
+
+ tags = local.gxp_21_cfr_part_11_common_tags
+}
+
+benchmark "gxp_21_cfr_part_11_11_10_c" {
+ title = "11.10(c)"
+ description = "Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls shall include the following: (c) Protection of records to enable their accurate and ready retrieval throughout the records retention period."
+ children = [
+ control.cloudtrail_trail_logs_encrypted_with_kms_cmk,
+ control.cloudwatch_log_group_retention_period_365,
+ control.rds_db_instance_encryption_at_rest_enabled,
+ control.rds_db_snapshot_encrypted_at_rest,
+ control.rds_db_snapshot_prohibit_public_access,
+ control.redshift_cluster_encryption_in_transit_enabled,
+ control.redshift_cluster_encryption_logging_enabled,
+ control.redshift_cluster_kms_enabled,
+ control.redshift_cluster_prohibit_public_access,
+ control.s3_bucket_default_encryption_enabled,
+ control.s3_bucket_enforces_ssl,
+ control.s3_bucket_restrict_public_read_access,
+ control.s3_bucket_restrict_public_write_access,
+ control.s3_bucket_versioning_enabled,
+ control.sagemaker_endpoint_configuration_encryption_at_rest_enabled,
+ control.sagemaker_notebook_instance_direct_internet_access_disabled,
+ control.sagemaker_notebook_instance_encryption_at_rest_enabled
+ ]
+
+ tags = local.gxp_21_cfr_part_11_common_tags
+}
+
+benchmark "gxp_21_cfr_part_11_11_10_d" {
+ title = "11.10(d)"
+ description = "Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls shall include the following: (d) Limiting system access to authorized individuals."
+ children = [
+ control.account_part_of_organizations,
+ control.dms_replication_instance_not_publicly_accessible,
+ control.ebs_snapshot_not_publicly_restorable,
+ control.ec2_instance_iam_profile_attached,
+ control.ec2_instance_in_vpc,
+ control.ec2_instance_not_publicly_accessible,
+ control.ec2_instance_uses_imdsv2,
+ control.ecs_task_definition_user_for_host_mode_check,
+ control.emr_cluster_kerberos_enabled,
+ control.emr_cluster_master_nodes_no_public_ip,
+ control.es_domain_in_vpc,
+ control.iam_account_password_policy_strong,
+ control.iam_all_policy_no_service_wild_card,
+ control.iam_group_not_empty,
+ control.iam_group_user_role_no_inline_policies,
+ control.iam_policy_custom_no_blocked_kms_actions,
+ control.iam_policy_inline_no_blocked_kms_actions,
+ control.iam_policy_no_star_star,
+ control.iam_root_user_hardware_mfa_enabled,
+ control.iam_root_user_mfa_enabled,
+ control.iam_root_user_no_access_keys,
+ control.iam_user_access_key_age_90,
+ control.iam_user_console_access_mfa_enabled,
+ control.iam_user_in_group,
+ control.iam_user_mfa_enabled,
+ control.iam_user_no_inline_attached_policies,
+ control.iam_user_unused_credentials_90,
+ control.lambda_function_in_vpc,
+ control.lambda_function_restrict_public_access,
+ control.rds_db_instance_prohibit_public_access,
+ control.rds_db_snapshot_prohibit_public_access,
+ control.redshift_cluster_prohibit_public_access,
+ control.s3_bucket_restrict_public_read_access,
+ control.s3_bucket_restrict_public_write_access,
+ control.s3_public_access_block_account,
+ control.s3_public_access_block_bucket,
+ control.sagemaker_notebook_instance_direct_internet_access_disabled,
+ control.secretsmanager_secret_automatic_rotation_enabled,
+ control.secretsmanager_secret_rotated_as_scheduled,
+ control.vpc_default_security_group_restricts_all_traffic,
+ control.vpc_igw_attached_to_authorized_vpc,
+ control.vpc_route_table_restrict_public_access_to_igw,
+ control.vpc_security_group_restrict_ingress_common_ports_all,
+ control.vpc_security_group_restrict_ingress_ssh_all,
+ control.vpc_security_group_restrict_ingress_tcp_udp_all,
+ control.vpc_subnet_auto_assign_public_ip_disabled
+ ]
+
+ tags = local.gxp_21_cfr_part_11_common_tags
+}
+
+benchmark "gxp_21_cfr_part_11_11_10_e" {
+ title = "11.10(e)"
+ description = "Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls shall include the following: (e) Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying."
+ children = [
+ control.apigateway_stage_logging_enabled,
+ control.cloudtrail_multi_region_trail_enabled,
+ control.cloudtrail_s3_data_events_enabled,
+ control.cloudtrail_trail_enabled,
+ control.cloudtrail_trail_integrated_with_logs,
+ control.cloudwatch_log_group_retention_period_365,
+ control.elb_application_classic_lb_logging_enabled,
+ control.es_domain_logs_to_cloudwatch,
+ control.rds_db_instance_logging_enabled,
+ control.redshift_cluster_encryption_logging_enabled,
+ control.redshift_cluster_kms_enabled,
+ control.s3_bucket_logging_enabled,
+ control.vpc_flow_logs_enabled,
+ control.wafv2_web_acl_logging_enabled
+ ]
+
+ tags = local.gxp_21_cfr_part_11_common_tags
+}
+
+benchmark "gxp_21_cfr_part_11_11_10_g" {
+ title = "11.10(g)"
+ description = "Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls shall include the following: (g) Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand."
+ children = [
+ control.account_part_of_organizations,
+ control.dms_replication_instance_not_publicly_accessible,
+ control.dynamodb_table_encrypted_with_kms_cmk,
+ control.ebs_attached_volume_encryption_enabled,
+ control.ebs_snapshot_not_publicly_restorable,
+ control.ec2_ebs_default_encryption_enabled,
+ control.ec2_instance_iam_profile_attached,
+ control.ec2_instance_in_vpc,
+ control.ec2_instance_not_publicly_accessible,
+ control.ec2_instance_uses_imdsv2,
+ control.ecs_task_definition_user_for_host_mode_check,
+ control.efs_file_system_encrypt_data_at_rest,
+ control.emr_cluster_kerberos_enabled,
+ control.emr_cluster_master_nodes_no_public_ip,
+ control.es_domain_encryption_at_rest_enabled,
+ control.es_domain_in_vpc,
+ control.es_domain_node_to_node_encryption_enabled,
+ control.iam_account_password_policy_strong,
+ control.iam_all_policy_no_service_wild_card,
+ control.iam_group_not_empty,
+ control.iam_group_user_role_no_inline_policies,
+ control.iam_policy_custom_no_blocked_kms_actions,
+ control.iam_policy_inline_no_blocked_kms_actions,
+ control.iam_policy_no_star_star,
+ control.iam_root_user_hardware_mfa_enabled,
+ control.iam_root_user_mfa_enabled,
+ control.iam_root_user_no_access_keys,
+ control.iam_user_access_key_age_90,
+ control.iam_user_console_access_mfa_enabled,
+ control.iam_user_in_group,
+ control.iam_user_mfa_enabled,
+ control.iam_user_no_inline_attached_policies,
+ control.iam_user_unused_credentials_90,
+ control.lambda_function_in_vpc,
+ control.lambda_function_restrict_public_access,
+ control.rds_db_instance_prohibit_public_access,
+ control.rds_db_snapshot_prohibit_public_access,
+ control.redshift_cluster_enhanced_vpc_routing_enabled,
+ control.redshift_cluster_kms_enabled,
+ control.redshift_cluster_prohibit_public_access,
+ control.s3_bucket_restrict_public_read_access,
+ control.s3_bucket_restrict_public_write_access,
+ control.s3_public_access_block_account,
+ control.s3_public_access_block_bucket,
+ control.sagemaker_notebook_instance_direct_internet_access_disabled,
+ control.secretsmanager_secret_automatic_rotation_enabled,
+ control.secretsmanager_secret_rotated_as_scheduled,
+ control.vpc_default_security_group_restricts_all_traffic,
+ control.vpc_igw_attached_to_authorized_vpc,
+ control.vpc_route_table_restrict_public_access_to_igw,
+ control.vpc_security_group_restrict_ingress_common_ports_all,
+ control.vpc_security_group_restrict_ingress_ssh_all,
+ control.vpc_security_group_restrict_ingress_tcp_udp_all,
+ control.vpc_subnet_auto_assign_public_ip_disabled
+ ]
+
+ tags = local.gxp_21_cfr_part_11_common_tags
+}
+
+benchmark "gxp_21_cfr_part_11_11_10_h" {
+ title = "11.10(h)"
+ description = "Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls shall include the following: (h) Use of device (e.g., terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction."
+ children = [
+ control.ec2_instance_ssm_managed,
+ control.ssm_managed_instance_compliance_association_compliant,
+ control.ssm_managed_instance_compliance_patch_compliant
+ ]
+
+ tags = local.gxp_21_cfr_part_11_common_tags
+}
+
+benchmark "gxp_21_cfr_part_11_11_10_k" {
+ title = "11.10(k)"
+ description = "Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls shall include the following: (k) Use of appropriate controls over systems documentation including: (1) Adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance. (2) Revision and change control procedures to maintain an audit trail that documents time-sequenced development and modification of systems documentation."
+ children = [
+ control.cloudtrail_s3_data_events_enabled,
+ control.cloudtrail_trail_enabled,
+ control.cloudtrail_trail_integrated_with_logs,
+ control.dms_replication_instance_not_publicly_accessible,
+ control.ebs_snapshot_not_publicly_restorable,
+ control.ec2_instance_in_vpc,
+ control.emr_cluster_master_nodes_no_public_ip,
+ control.rds_db_instance_logging_enabled,
+ control.rds_db_instance_prohibit_public_access,
+ control.rds_db_snapshot_prohibit_public_access,
+ control.redshift_cluster_prohibit_public_access,
+ control.s3_bucket_logging_enabled,
+ control.s3_bucket_restrict_public_read_access,
+ control.s3_bucket_restrict_public_write_access,
+ control.sagemaker_notebook_instance_direct_internet_access_disabled,
+ control.vpc_default_security_group_restricts_all_traffic,
+ control.vpc_igw_attached_to_authorized_vpc,
+ control.vpc_security_group_restrict_ingress_common_ports_all,
+ control.vpc_security_group_restrict_ingress_tcp_udp_all
+ ]
+
+ tags = local.gxp_21_cfr_part_11_common_tags
+}
diff --git a/gxp_21_cfr_part_11/11_200.sp b/gxp_21_cfr_part_11/11_200.sp
new file mode 100644
index 00000000..49051d86
--- /dev/null
+++ b/gxp_21_cfr_part_11/11_200.sp
@@ -0,0 +1,15 @@
+benchmark "gxp_21_cfr_part_11_11_200" {
+ title = "11.200 Electronic signature components and controls"
+ description = "(a) Electronic signatures that are not based upon biometrics shall: (1) Employ at least two distinct identification components such as an identification code and password. (i) When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual. (ii) When an individual executes one or more signings not performed during a single, continuous period of controlled system access, each signing shall be executed using all of the electronic signature components. (2) Be used only by their genuine owners; and (3) Be administered and executed to ensure that attempted use of an individual's electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals."
+ children = [
+ control.iam_account_password_policy_strong,
+ control.iam_root_user_hardware_mfa_enabled,
+ control.iam_root_user_mfa_enabled,
+ control.iam_root_user_no_access_keys,
+ control.iam_user_access_key_age_90,
+ control.iam_user_console_access_mfa_enabled,
+ control.iam_user_mfa_enabled
+ ]
+
+ tags = local.gxp_21_cfr_part_11_common_tags
+}
diff --git a/gxp_21_cfr_part_11/11_30.sp b/gxp_21_cfr_part_11/11_30.sp
new file mode 100644
index 00000000..074a58ec
--- /dev/null
+++ b/gxp_21_cfr_part_11/11_30.sp
@@ -0,0 +1,37 @@
+benchmark "gxp_21_cfr_part_11_11_30" {
+ title = "11.30 Controls for open systems"
+ description = "Persons who use open systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, as appropriate, the confidentiality of electronic records from the point of their creation to the point of their receipt. Such procedures and controls shall include those identified in 11.10, as appropriate, and additional measures such as document encryption and use of appropriate digital signature standards to ensure, as necessary under the circumstances, record authenticity, integrity, and confidentiality."
+ children = [
+ control.apigateway_rest_api_stage_use_ssl_certificate,
+ control.apigateway_stage_cache_encryption_at_rest_enabled,
+ control.cloudtrail_trail_logs_encrypted_with_kms_cmk,
+ control.cloudtrail_trail_validation_enabled,
+ control.dynamodb_table_encrypted_with_kms_cmk,
+ control.ebs_attached_volume_encryption_enabled,
+ control.ec2_ebs_default_encryption_enabled,
+ control.efs_file_system_encrypt_data_at_rest,
+ control.elb_application_lb_redirect_http_request_to_https,
+ control.elb_application_network_lb_use_ssl_certificate,
+ control.elb_classic_lb_use_ssl_certificate,
+ control.elb_classic_lb_use_tls_https_listeners,
+ control.es_domain_encryption_at_rest_enabled,
+ control.es_domain_node_to_node_encryption_enabled,
+ control.kms_cmk_rotation_enabled,
+ control.kms_key_not_pending_deletion,
+ control.log_group_encryption_at_rest_enabled,
+ control.rds_db_instance_encryption_at_rest_enabled,
+ control.rds_db_snapshot_encrypted_at_rest,
+ control.redshift_cluster_encryption_in_transit_enabled,
+ control.redshift_cluster_encryption_logging_enabled,
+ control.redshift_cluster_kms_enabled,
+ control.s3_bucket_default_encryption_enabled,
+ control.s3_bucket_default_encryption_enabled_kms,
+ control.s3_bucket_enforces_ssl,
+ control.sagemaker_endpoint_configuration_encryption_at_rest_enabled,
+ control.sagemaker_notebook_instance_encryption_at_rest_enabled,
+ control.secretsmanager_secret_encrypted_with_kms_cmk,
+ control.sns_topic_encrypted_at_rest
+ ]
+
+ tags = local.gxp_21_cfr_part_11_common_tags
+}
diff --git a/gxp_21_cfr_part_11/11_300.sp b/gxp_21_cfr_part_11/11_300.sp
new file mode 100644
index 00000000..91c09bfb
--- /dev/null
+++ b/gxp_21_cfr_part_11/11_300.sp
@@ -0,0 +1,38 @@
+benchmark "gxp_21_cfr_part_11_11_300" {
+ title = "11.300 Controls for identification codes/passwords"
+ description = "Persons who use electronic signatures based upon use of identification codes in combination with passwords shall employ controls to ensure their security and integrity. Such controls shall include the following benchmarks."
+ children = [
+ benchmark.gxp_21_cfr_part_11_11_300_b,
+ benchmark.gxp_21_cfr_part_11_11_300_d
+ ]
+
+ tags = local.gxp_21_cfr_part_11_common_tags
+}
+
+benchmark "gxp_21_cfr_part_11_11_300_b" {
+ title = "11.300(b)"
+ description = "Persons who use electronic signatures based upon use of identification codes in combination with passwords shall employ controls to ensure their security and integrity. Such controls shall include: (b) Ensuring that identification code and password issuances are periodically checked, recalled, or revised (e.g., to cover such events as password aging)."
+ children = [
+ control.emr_cluster_kerberos_enabled,
+ control.iam_account_password_policy_strong,
+ control.iam_user_access_key_age_90,
+ control.iam_user_unused_credentials_90,
+ control.secretsmanager_secret_automatic_rotation_enabled,
+ control.secretsmanager_secret_rotated_as_scheduled
+ ]
+
+ tags = local.gxp_21_cfr_part_11_common_tags
+}
+
+benchmark "gxp_21_cfr_part_11_11_300_d" {
+ title = "11.300(d)"
+ description = "Persons who use electronic signatures based upon use of identification codes in combination with passwords shall employ controls to ensure their security and integrity. Such controls shall include: (d) Use of transaction safeguards to prevent unauthorized use of passwords and/or identification codes, and to detect and report in an immediate and urgent manner any attempts at their unauthorized use to the system security unit, and, as appropriate, to organizational management."
+ children = [
+ control.cloudtrail_trail_enabled,
+ control.cloudtrail_trail_integrated_with_logs,
+ control.guardduty_enabled,
+ control.securityhub_enabled
+ ]
+
+ tags = local.gxp_21_cfr_part_11_common_tags
+}
diff --git a/gxp_21_cfr_part_11/docs/gxp_21_cfr_part_11_overview.md b/gxp_21_cfr_part_11/docs/gxp_21_cfr_part_11_overview.md
new file mode 100644
index 00000000..97602d7b
--- /dev/null
+++ b/gxp_21_cfr_part_11/docs/gxp_21_cfr_part_11_overview.md
@@ -0,0 +1,5 @@
+To obtain the latest version of the official guide, please visit https://www.ecfr.gov/current/title-21/chapter-I/subchapter-A/part-11?toc=1.
+
+## Overview
+
+The Code of Federal Regulations (CFR) is the codification of the general and permanent rules published in the Federal Register by the departments and agencies of the Federal Government. It is divided into 50 titles representing broad areas subject to federal regulation. Title 21 of the CFR is reserved for rules of the Food and Drug Administration.
diff --git a/gxp_21_cfr_part_11/gxp_21_cfr_part_11.sp b/gxp_21_cfr_part_11/gxp_21_cfr_part_11.sp
new file mode 100644
index 00000000..94477bb6
--- /dev/null
+++ b/gxp_21_cfr_part_11/gxp_21_cfr_part_11.sp
@@ -0,0 +1,20 @@
+locals {
+ gxp_21_cfr_part_11_common_tags = merge(local.aws_compliance_common_tags, {
+ gxp_21_cfr_part_11 = "true"
+ type = "Benchmark"
+ })
+}
+
+benchmark "gxp_21_cfr_part_11" {
+ title = "GxP 21 CFR Part 11"
+ description = "The overall intent of GxP requirements is to ensure that food and medical products are safe for consumers and to ensure the integrity of data used to make product-related safety decisions."
+ documentation = file("./gxp_21_cfr_part_11/docs/gxp_21_cfr_part_11_overview.md")
+ children = [
+ benchmark.gxp_21_cfr_part_11_11_10,
+ benchmark.gxp_21_cfr_part_11_11_30,
+ benchmark.gxp_21_cfr_part_11_11_200,
+ benchmark.gxp_21_cfr_part_11_11_300
+ ]
+
+ tags = local.gxp_21_cfr_part_11_common_tags
+}