diff --git a/README.md b/README.md index 84536f3d..c503f2b2 100644 --- a/README.md +++ b/README.md @@ -21,6 +21,7 @@ Institutions Examination Council (FFIEC)](https://hub.steampipe.io/mods/turbot/a * [HIPAA](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.hipaa) * [NIST 800-53 Revision 4](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.nist_800_53_rev_4) * [NIST 800-53 Revision 5](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.nist_800_53_rev_5) +* [NIST 800-171 Revision 2](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.nist_800_171_rev_2) 🚀 New! * [NIST Cybersecurity Framework (CSF)](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.nist_csf) * [Other Compliance Checks](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.other) 🚀 New! * [PCI DSS v3.2.1](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.pci_v321) diff --git a/conformance_pack/acm.sp b/conformance_pack/acm.sp index d1c57628..6862bf7e 100644 --- a/conformance_pack/acm.sp +++ b/conformance_pack/acm.sp @@ -15,6 +15,7 @@ control "acm_certificate_expires_30_days" { ffiec = "true" gdpr = "true" hipaa = "true" + nist_800_171_rev_2 = "true" nist_800_53_rev_4 = "true" nist_800_53_rev_5 = "true" nist_csf = "true" diff --git a/conformance_pack/apigateway.sp b/conformance_pack/apigateway.sp index c1f37278..5884ad20 100644 --- a/conformance_pack/apigateway.sp +++ b/conformance_pack/apigateway.sp @@ -32,6 +32,7 @@ control "apigateway_stage_logging_enabled" { ffiec = "true" gxp_21_cfr_part_11 = "true" hipaa = "true" + nist_800_171_rev_2 = "true" nist_800_53_rev_4 = "true" nist_800_53_rev_5 = "true" nist_csf = "true" @@ -49,6 +50,7 @@ control "apigateway_rest_api_stage_use_ssl_certificate" { fedramp_moderate_rev_4 = "true" ffiec = "true" gxp_21_cfr_part_11 = "true" + nist_800_171_rev_2 = "true" nist_800_53_rev_5 = "true" rbi_cyber_security = "true" }) 
diff --git a/conformance_pack/autoscaling.sp b/conformance_pack/autoscaling.sp index 08e2029f..f52c6c92 100644 --- a/conformance_pack/autoscaling.sp +++ b/conformance_pack/autoscaling.sp @@ -14,6 +14,7 @@ control "autoscaling_group_with_lb_use_health_check" { fedramp_moderate_rev_4 = "true" ffiec = "true" hipaa = "true" + nist_800_171_rev_2 = "true" nist_800_53_rev_4 = "true" nist_800_53_rev_5 = "true" nist_csf = "true" diff --git a/conformance_pack/backup.sp b/conformance_pack/backup.sp index 7412515d..64e7c80b 100644 --- a/conformance_pack/backup.sp +++ b/conformance_pack/backup.sp @@ -10,10 +10,11 @@ control "backup_recovery_point_manual_deletion_disabled" { sql = query.backup_recovery_point_manual_deletion_disabled.sql tags = merge(local.conformance_pack_backup_common_tags, { - ffiec = "true" - hipaa = "true" - nist_csf = "true" - soc_2 = "true" + ffiec = "true" + hipaa = "true" + nist_800_171_rev_2 = "true" + nist_csf = "true" + soc_2 = "true" }) } @@ -27,6 +28,7 @@ control "backup_plan_min_retention_35_days" { fedramp_moderate_rev_4 = "true" ffiec = "true" hipaa = "true" + nist_800_171_rev_2 = "true" nist_csf = "true" soc_2 = "true" }) @@ -38,10 +40,11 @@ control "backup_recovery_point_encryption_enabled" { sql = query.backup_recovery_point_encryption_enabled.sql tags = merge(local.conformance_pack_backup_common_tags, { - ffiec = "true" - hipaa = "true" - nist_csf = "true" - soc_2 = "true" + ffiec = "true" + hipaa = "true" + nist_800_171_rev_2 = "true" + nist_csf = "true" + soc_2 = "true" }) } @@ -51,6 +54,7 @@ control "backup_recovery_point_min_retention_35_days" { sql = query.backup_recovery_point_min_retention_35_days.sql tags = merge(local.conformance_pack_backup_common_tags, { - ffiec = "true" + ffiec = "true" + nist_800_171_rev_2 = "true" }) } diff --git a/conformance_pack/cloudtrail.sp b/conformance_pack/cloudtrail.sp index 77a5e7a1..7065ec2b 100644 --- a/conformance_pack/cloudtrail.sp +++ b/conformance_pack/cloudtrail.sp 
@@ -16,6 +16,7 @@ control "cloudtrail_trail_integrated_with_logs" { gdpr = "true" gxp_21_cfr_part_11 = "true" hipaa = "true" + nist_800_171_rev_2 = "true" nist_800_53_rev_4 = "true" nist_800_53_rev_5 = "true" nist_csf = "true" @@ -36,6 +37,7 @@ control "cloudtrail_s3_data_events_enabled" { gdpr = "true" gxp_21_cfr_part_11 = "true" hipaa = "true" + nist_800_171_rev_2 = "true" nist_800_53_rev_4 = "true" nist_800_53_rev_5 = "true" nist_csf = "true" @@ -55,6 +57,7 @@ control "cloudtrail_trail_logs_encrypted_with_kms_cmk" { gdpr = "true" gxp_21_cfr_part_11 = "true" hipaa = "true" + nist_800_171_rev_2 = "true" nist_800_53_rev_4 = "true" nist_800_53_rev_5 = "true" nist_csf = "true" @@ -73,6 +76,7 @@ control "cloudtrail_multi_region_trail_enabled" { ffiec = "true" gxp_21_cfr_part_11 = "true" hipaa = "true" + nist_800_171_rev_2 = "true" nist_800_53_rev_4 = "true" nist_800_53_rev_5 = "true" nist_csf = "true" @@ -92,6 +96,7 @@ control "cloudtrail_trail_validation_enabled" { gdpr = "true" gxp_21_cfr_part_11 = "true" hipaa = "true" + nist_800_171_rev_2 = "true" nist_800_53_rev_4 = "true" nist_800_53_rev_5 = "true" soc_2 = "true" @@ -109,6 +114,7 @@ control "cloudtrail_trail_enabled" { ffiec = "true" gxp_21_cfr_part_11 = "true" hipaa = "true" + nist_800_171_rev_2 = "true" nist_800_53_rev_4 = "true" nist_800_53_rev_5 = "true" nist_csf = "true" @@ -123,9 +129,10 @@ control "cloudtrail_security_trail_enabled" { sql = query.cloudtrail_security_trail_enabled.sql tags = merge(local.conformance_pack_cloudtrail_common_tags, { - gdpr = "true" - nist_800_53_rev_4 = "true" - soc_2 = "true" + gdpr = "true" + nist_800_171_rev_2 = "true" + nist_800_53_rev_4 = "true" + soc_2 = "true" }) } diff --git a/conformance_pack/cloudwatch.sp b/conformance_pack/cloudwatch.sp index abdf8bf3..bf91c003 100644 --- a/conformance_pack/cloudwatch.sp +++ b/conformance_pack/cloudwatch.sp 
@@ -14,6 +14,7 @@ control "cloudwatch_alarm_action_enabled" { fedramp_moderate_rev_4 = "true" ffiec = "true" hipaa = "true" + nist_800_171_rev_2 = "true" nist_800_53_rev_4 = "true" nist_800_53_rev_5 = "true" nist_csf = "true" @@ -32,6 +33,7 @@ control "log_group_encryption_at_rest_enabled" { gdpr = "true" gxp_21_cfr_part_11 = "true" hipaa = "true" + nist_800_171_rev_2 = "true" nist_800_53_rev_4 = "true" nist_800_53_rev_5 = "true" nist_csf = "true" @@ -51,6 +53,7 @@ control "cloudwatch_log_group_retention_period_365" { ffiec = "true" gxp_21_cfr_part_11 = "true" hipaa = "true" + nist_800_171_rev_2 = "true" nist_800_53_rev_4 = "true" nist_800_53_rev_5 = "true" rbi_cyber_security = "true" diff --git a/conformance_pack/dms.sp b/conformance_pack/dms.sp index 15721802..1704a98d 100644 --- a/conformance_pack/dms.sp +++ b/conformance_pack/dms.sp @@ -15,6 +15,7 @@ control "dms_replication_instance_not_publicly_accessible" { ffiec = "true" gxp_21_cfr_part_11 = "true" hipaa = "true" + nist_800_171_rev_2 = "true" nist_800_53_rev_4 = "true" nist_800_53_rev_5 = "true" nist_csf = "true" diff --git a/conformance_pack/dynamodb.sp b/conformance_pack/dynamodb.sp index 5e7b860b..dbf0bb1d 100644 --- a/conformance_pack/dynamodb.sp +++ b/conformance_pack/dynamodb.sp @@ -15,6 +15,7 @@ control "dynamodb_table_auto_scaling_enabled" { ffiec = "true" gxp_21_cfr_part_11 = "true" hipaa = "true" + nist_800_171_rev_2 = "true" nist_800_53_rev_4 = "true" nist_800_53_rev_5 = "true" nist_csf = "true" @@ -32,6 +33,7 @@ control "dynamodb_table_point_in_time_recovery_enabled" { ffiec = "true" gxp_21_cfr_part_11 = "true" hipaa = "true" + nist_800_171_rev_2 = "true" nist_800_53_rev_4 = "true" nist_800_53_rev_5 = "true" nist_csf = "true" @@ -49,6 +51,7 @@ control "dynamodb_table_encrypted_with_kms_cmk" { gdpr = "true" gxp_21_cfr_part_11 = "true" hipaa = "true" + nist_800_171_rev_2 = "true" nist_800_53_rev_4 = "true" nist_800_53_rev_5 = "true" rbi_cyber_security = "true" 
@@ -64,6 +67,7 @@ control "dynamodb_table_in_backup_plan" { ffiec = "true" gxp_21_cfr_part_11 = "true" hipaa = "true" + nist_800_171_rev_2 = "true" nist_800_53_rev_4 = "true" nist_800_53_rev_5 = "true" nist_csf = "true" @@ -92,6 +96,7 @@ control "dynamodb_table_protected_by_backup_plan" { fedramp_low_rev_4 = "true" fedramp_moderate_rev_4 = "true" hipaa = "true" + nist_800_171_rev_2 = "true" nist_csf = "true" soc_2 = "true" }) diff --git a/conformance_pack/ebs.sp b/conformance_pack/ebs.sp index 9b7b0758..62d2720d 100644 --- a/conformance_pack/ebs.sp +++ b/conformance_pack/ebs.sp @@ -15,6 +15,7 @@ control "ebs_snapshot_not_publicly_restorable" { ffiec = "true" gxp_21_cfr_part_11 = "true" hipaa = "true" + nist_800_171_rev_2 = "true" nist_800_53_rev_4 = "true" nist_800_53_rev_5 = "true" nist_csf = "true" @@ -31,6 +32,7 @@ control "ebs_volume_encryption_at_rest_enabled" { fedramp_moderate_rev_4 = "true" gdpr = "true" hipaa = "true" + nist_800_171_rev_2 = "true" nist_800_53_rev_5 = "true" rbi_cyber_security = "true" }) @@ -48,6 +50,7 @@ control "ebs_attached_volume_encryption_enabled" { gdpr = "true" gxp_21_cfr_part_11 = "true" hipaa = "true" + nist_800_171_rev_2 = "true" nist_800_53_rev_4 = "true" nist_800_53_rev_5 = "true" nist_csf = "true" @@ -64,6 +67,7 @@ control "ebs_volume_in_backup_plan" { ffiec = "true" gxp_21_cfr_part_11 = "true" hipaa = "true" + nist_800_171_rev_2 = "true" nist_800_53_rev_4 = "true" nist_800_53_rev_5 = "true" nist_csf = "true" @@ -97,6 +101,7 @@ control "ebs_volume_protected_by_backup_plan" { fedramp_moderate_rev_4 = "true" ffiec = "true" hipaa = "true" + nist_800_171_rev_2 = "true" nist_csf = "true" soc_2 = "true" }) @@ -112,6 +117,7 @@ control "ebs_volume_unused" { fedramp_moderate_rev_4 = "true" ffiec = "true" gxp_21_cfr_part_11 = "true" + nist_800_171_rev_2 = "true" nist_800_53_rev_5 = "true" }) } diff --git a/conformance_pack/ec2.sp b/conformance_pack/ec2.sp index a64643a5..4fef8ad6 100644 --- a/conformance_pack/ec2.sp 
+++ b/conformance_pack/ec2.sp @@ -13,6 +13,7 @@ control "ec2_ebs_default_encryption_enabled" { ffiec = "true" gxp_21_cfr_part_11 = "true" hipaa = "true" + nist_800_171_rev_2 = "true" nist_800_53_rev_5 = "true" }) } @@ -25,6 +26,7 @@ control "ec2_instance_detailed_monitoring_enabled" { tags = merge(local.conformance_pack_ec2_common_tags, { fedramp_low_rev_4 = "true" fedramp_moderate_rev_4 = "true" + nist_800_171_rev_2 = "true" nist_800_53_rev_4 = "true" nist_csf = "true" soc_2 = "true" @@ -42,6 +44,7 @@ control "ec2_instance_in_vpc" { ffiec = "true" gxp_21_cfr_part_11 = "true" hipaa = "true" + nist_800_171_rev_2 = "true" nist_800_53_rev_4 = "true" nist_800_53_rev_5 = "true" nist_csf = "true" @@ -60,6 +63,7 @@ control "ec2_instance_not_publicly_accessible" { ffiec = "true" gxp_21_cfr_part_11 = "true" hipaa = "true" + nist_800_171_rev_2 = "true" nist_800_53_rev_4 = "true" nist_800_53_rev_5 = "true" nist_csf = "true" @@ -79,6 +83,7 @@ control "ec2_stopped_instance_30_days" { ffiec = "true" gxp_21_cfr_part_11 = "true" hipaa = "true" + nist_800_171_rev_2 = "true" nist_800_53_rev_4 = "true" nist_800_53_rev_5 = "true" }) @@ -95,6 +100,7 @@ control "ec2_instance_ebs_optimized" { fedramp_moderate_rev_4 = "true" gxp_21_cfr_part_11 = "true" hipaa = "true" + nist_800_171_rev_2 = "true" nist_800_53_rev_5 = "true" nist_csf = "true" soc_2 = "true" @@ -125,6 +131,7 @@ control "ec2_instance_protected_by_backup_plan" { fedramp_moderate_rev_4 = "true" ffiec = "true" hipaa = "true" + nist_800_171_rev_2 = "true" nist_csf = "true" soc_2 = "true" }) @@ -138,6 +145,7 @@ control "ec2_instance_iam_profile_attached" { tags = merge(local.conformance_pack_ec2_common_tags, { ffiec = "true" gxp_21_cfr_part_11 = "true" + nist_800_171_rev_2 = "true" nist_800_53_rev_5 = "true" }) } @@ -180,4 +188,4 @@ control "ec2_instance_no_launch_wizard_security_group" { tags = merge(local.conformance_pack_ec2_common_tags, { other_checks = "true" }) -} \ No newline at end of file +} 
diff --git a/conformance_pack/ecs.sp b/conformance_pack/ecs.sp index 45a2a4b8..0681b164 100644 --- a/conformance_pack/ecs.sp +++ b/conformance_pack/ecs.sp @@ -14,6 +14,7 @@ control "ecs_task_definition_user_for_host_mode_check" { fedramp_moderate_rev_4 = "true" ffiec = "true" gxp_21_cfr_part_11 = "true" + nist_800_171_rev_2 = "true" nist_800_53_rev_5 = "true" }) } diff --git a/conformance_pack/efs.sp b/conformance_pack/efs.sp index bb801309..e974ad6c 100644 --- a/conformance_pack/efs.sp +++ b/conformance_pack/efs.sp @@ -17,6 +17,7 @@ control "efs_file_system_encrypt_data_at_rest" { nist_800_53_rev_4 = "true" nist_800_53_rev_5 = "true" nist_csf = "true" + nist_800_171_rev_2 = "true" rbi_cyber_security = "true" }) } @@ -30,6 +31,7 @@ control "efs_file_system_in_backup_plan" { ffiec = "true" gxp_21_cfr_part_11 = "true" hipaa = "true" + nist_800_171_rev_2 = "true" nist_800_53_rev_4 = "true" nist_800_53_rev_5 = "true" nist_csf = "true" @@ -47,6 +49,7 @@ control "efs_file_system_protected_by_backup_plan" { fedramp_low_rev_4 = "true" fedramp_moderate_rev_4 = "true" hipaa = "true" + nist_800_171_rev_2 = "true" nist_csf = "true" soc_2 = "true" }) diff --git a/conformance_pack/eks.sp b/conformance_pack/eks.sp index b9fdbc46..f20d4fbc 100644 --- a/conformance_pack/eks.sp +++ b/conformance_pack/eks.sp @@ -20,7 +20,8 @@ control "eks_cluster_endpoint_restrict_public_access" { sql = query.eks_cluster_endpoint_restrict_public_access.sql tags = merge(local.conformance_pack_eks_common_tags, { - nist_csf = "true" + nist_800_171_rev_2 = "true" + nist_csf = "true" }) } diff --git a/conformance_pack/elb.sp b/conformance_pack/elb.sp index a487cc53..ced62789 100644 --- a/conformance_pack/elb.sp +++ b/conformance_pack/elb.sp @@ -16,6 +16,7 @@ control "elb_application_classic_lb_logging_enabled" { gdpr = "true" gxp_21_cfr_part_11 = "true" hipaa = "true" + nist_800_171_rev_2 = "true" nist_800_53_rev_4 = "true" nist_800_53_rev_5 = "true" nist_csf = "true" 
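Review bot: In the `efs_file_system_encrypt_data_at_rest` hunk the new `nist_800_171_rev_2 = "true"` tag is inserted after `nist_csf`, whereas every other hunk in this commit keeps the tag map alphabetical and places it before `nist_800_53_rev_4`. The same out-of-order placement appears in elb.sp (`elb_application_lb_waf_enabled`, `elb_classic_lb_use_ssl_certificate`), es.sp (`es_domain_node_to_node_encryption_enabled`) and lambda.sp (`lambda_function_dead_letter_queue_configured`). It does not change what `merge()` produces, but the sorted order is what makes a missing benchmark tag easy to spot when reviewing a control, so move the line into its alphabetical slot, directly before `nist_800_53_rev_4 = "true"` (or before `nist_800_53_rev_5 = "true"` where rev 4 is absent), in each of those blocks.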
@@ -35,6 +36,7 @@ control "elb_application_lb_deletion_protection_enabled" { ffiec = "true" gxp_21_cfr_part_11 = "true" hipaa = "true" + nist_800_171_rev_2 = "true" nist_800_53_rev_5 = "true" nist_csf = "true" }) @@ -52,6 +54,7 @@ control "elb_application_lb_redirect_http_request_to_https" { gdpr = "true" gxp_21_cfr_part_11 = "true" hipaa = "true" + nist_800_171_rev_2 = "true" nist_800_53_rev_4 = "true" nist_800_53_rev_5 = "true" nist_csf = "true" @@ -69,6 +72,7 @@ control "elb_application_lb_waf_enabled" { fedramp_moderate_rev_4 = "true" ffiec = "true" nist_800_53_rev_4 = "true" + nist_800_171_rev_2 = "true" nist_800_53_rev_5 = "true" nist_csf = "true" rbi_cyber_security = "true" @@ -88,6 +92,7 @@ control "elb_classic_lb_use_ssl_certificate" { gxp_21_cfr_part_11 = "true" hipaa = "true" nist_800_53_rev_4 = "true" + nist_800_171_rev_2 = "true" nist_800_53_rev_5 = "true" nist_csf = "true" rbi_cyber_security = "true" @@ -103,6 +108,7 @@ control "elb_application_lb_drop_http_headers" { fedramp_low_rev_4 = "true" hipaa = "true" gdpr = "true" + nist_800_171_rev_2 = "true" nist_800_53_rev_4 = "true" rbi_cyber_security = "true" }) @@ -120,6 +126,7 @@ control "elb_classic_lb_use_tls_https_listeners" { gdpr = "true" gxp_21_cfr_part_11 = "true" hipaa = "true" + nist_800_171_rev_2 = "true" nist_800_53_rev_4 = "true" nist_800_53_rev_5 = "true" rbi_cyber_security = "true" @@ -136,6 +143,7 @@ control "elb_classic_lb_cross_zone_load_balancing_enabled" { fedramp_moderate_rev_4 = "true" ffiec = "true" gxp_21_cfr_part_11 = "true" + nist_800_171_rev_2 = "true" nist_800_53_rev_4 = "true" nist_800_53_rev_5 = "true" nist_csf = "true" @@ -151,6 +159,7 @@ control "elb_application_network_lb_use_ssl_certificate" { fedramp_moderate_rev_4 = "true" ffiec = "true" gxp_21_cfr_part_11 = "true" + nist_800_171_rev_2 = "true" nist_800_53_rev_5 = "true" rbi_cyber_security = "true" }) diff --git a/conformance_pack/emr.sp b/conformance_pack/emr.sp index 4d02a14a..9122d2b2 100644 
--- a/conformance_pack/emr.sp +++ b/conformance_pack/emr.sp @@ -13,6 +13,7 @@ control "emr_cluster_kerberos_enabled" { ffiec = "true" gxp_21_cfr_part_11 = "true" hipaa = "true" + nist_800_171_rev_2 = "true" nist_800_53_rev_4 = "true" nist_csf = "true" }) @@ -29,6 +30,7 @@ control "emr_cluster_master_nodes_no_public_ip" { ffiec = "true" gxp_21_cfr_part_11 = "true" hipaa = "true" + nist_800_171_rev_2 = "true" nist_800_53_rev_4 = "true" nist_800_53_rev_5 = "true" nist_csf = "true" diff --git a/conformance_pack/es.sp b/conformance_pack/es.sp index a9009513..b5c1bbef 100644 --- a/conformance_pack/es.sp +++ b/conformance_pack/es.sp @@ -15,6 +15,7 @@ control "es_domain_encryption_at_rest_enabled" { gdpr = "true" gxp_21_cfr_part_11 = "true" hipaa = "true" + nist_800_171_rev_2 = "true" nist_800_53_rev_4 = "true" nist_800_53_rev_5 = "true" nist_csf = "true" @@ -33,6 +34,7 @@ control "es_domain_in_vpc" { ffiec = "true" gxp_21_cfr_part_11 = "true" hipaa = "true" + nist_800_171_rev_2 = "true" nist_800_53_rev_4 = "true" nist_800_53_rev_5 = "true" nist_csf = "true" @@ -54,6 +56,7 @@ control "es_domain_node_to_node_encryption_enabled" { hipaa = "true" nist_800_53_rev_4 = "true" nist_800_53_rev_5 = "true" + nist_800_171_rev_2 = "true" rbi_cyber_security = "true" }) } diff --git a/conformance_pack/guardduty.sp b/conformance_pack/guardduty.sp index 40a047cd..817aa298 100644 --- a/conformance_pack/guardduty.sp +++ b/conformance_pack/guardduty.sp @@ -15,6 +15,7 @@ control "guardduty_enabled" { ffiec = "true" gxp_21_cfr_part_11 = "true" hipaa = "true" + nist_800_171_rev_2 = "true" nist_800_53_rev_4 = "true" nist_800_53_rev_5 = "true" nist_csf = "true" @@ -32,6 +33,7 @@ control "guardduty_finding_archived" { fedramp_moderate_rev_4 = "true" ffiec = "true" hipaa = "true" + nist_800_171_rev_2 = "true" nist_800_53_rev_4 = "true" nist_800_53_rev_5 = "true" nist_csf = "true" diff --git a/conformance_pack/iam.sp b/conformance_pack/iam.sp index 23fcfb9e..9e124c77 100644 
--- a/conformance_pack/iam.sp +++ b/conformance_pack/iam.sp @@ -27,6 +27,7 @@ control "iam_group_not_empty" { ffiec = "true" gxp_21_cfr_part_11 = "true" hipaa = "true" + nist_800_171_rev_2 = "true" nist_800_53_rev_4 = "true" nist_csf = "true" soc_2 = "true" @@ -45,6 +46,7 @@ control "iam_policy_no_star_star" { gdpr = "true" gxp_21_cfr_part_11 = "true" hipaa = "true" + nist_800_171_rev_2 = "true" nist_800_53_rev_4 = "true" nist_800_53_rev_5 = "true" nist_csf = "true" @@ -65,6 +67,7 @@ control "iam_root_user_no_access_keys" { gdpr = "true" gxp_21_cfr_part_11 = "true" hipaa = "true" + nist_800_171_rev_2 = "true" nist_800_53_rev_4 = "true" nist_800_53_rev_5 = "true" nist_csf = "true" @@ -84,6 +87,7 @@ control "iam_root_user_hardware_mfa_enabled" { gdpr = "true" gxp_21_cfr_part_11 = "true" hipaa = "true" + nist_800_171_rev_2 = "true" nist_800_53_rev_4 = "true" nist_800_53_rev_5 = "true" nist_csf = "true" @@ -103,6 +107,7 @@ control "iam_root_user_mfa_enabled" { gdpr = "true" gxp_21_cfr_part_11 = "true" hipaa = "true" + nist_800_171_rev_2 = "true" nist_800_53_rev_4 = "true" nist_800_53_rev_5 = "true" nist_csf = "true" @@ -140,6 +145,7 @@ control "iam_user_console_access_mfa_enabled" { gdpr = "true" gxp_21_cfr_part_11 = "true" hipaa = "true" + nist_800_171_rev_2 = "true" nist_800_53_rev_4 = "true" nist_800_53_rev_5 = "true" nist_csf = "true" @@ -158,6 +164,7 @@ control "iam_user_mfa_enabled" { ffiec = "true" gxp_21_cfr_part_11 = "true" hipaa = "true" + nist_800_171_rev_2 = "true" nist_800_53_rev_4 = "true" nist_800_53_rev_5 = "true" nist_csf = "true" @@ -176,6 +183,7 @@ control "iam_user_no_inline_attached_policies" { gdpr = "true" gxp_21_cfr_part_11 = "true" hipaa = "true" + nist_800_171_rev_2 = "true" nist_800_53_rev_4 = "true" nist_800_53_rev_5 = "true" nist_csf = "true" 
@@ -196,6 +204,7 @@ control "iam_user_unused_credentials_90" { gdpr = "true" gxp_21_cfr_part_11 = "true" hipaa = "true" + nist_800_171_rev_2 = "true" nist_800_53_rev_4 = "true" nist_800_53_rev_5 = "true" nist_csf = "true" @@ -214,6 +223,7 @@ control "iam_user_in_group" { ffiec = "true" gxp_21_cfr_part_11 = "true" hipaa = "true" + nist_800_171_rev_2 = "true" nist_800_53_rev_4 = "true" nist_800_53_rev_5 = "true" nist_csf = "true" @@ -232,6 +242,7 @@ control "iam_group_user_role_no_inline_policies" { ffiec = "true" gxp_21_cfr_part_11 = "true" hipaa = "true" + nist_800_171_rev_2 = "true" nist_800_53_rev_4 = "true" nist_800_53_rev_5 = "true" rbi_cyber_security = "true" @@ -259,6 +270,7 @@ control "iam_account_password_policy_min_length_14" { fedramp_moderate_rev_4 = "true" gdpr = "true" hipaa = "true" + nist_800_171_rev_2 = "true" nist_800_53_rev_5 = "true" }) } @@ -269,8 +281,9 @@ control "iam_account_password_policy_reuse_24" { sql = query.iam_account_password_policy_reuse_24.sql tags = merge(local.conformance_pack_iam_common_tags, { - gdpr = "true" - hipaa = "true" + gdpr = "true" + hipaa = "true" + nist_800_171_rev_2 = "true" }) } @@ -292,8 +305,9 @@ control "iam_account_password_policy_one_lowercase_letter" { sql = query.iam_account_password_policy_one_lowercase_letter.sql tags = merge(local.conformance_pack_iam_common_tags, { - gdpr = "true" - hipaa = "true" + gdpr = "true" + hipaa = "true" + nist_800_171_rev_2 = "true" }) } @@ -303,8 +317,9 @@ control "iam_account_password_policy_one_uppercase_letter" { sql = query.iam_account_password_policy_one_uppercase_letter.sql tags = merge(local.conformance_pack_iam_common_tags, { - gdpr = "true" - hipaa = "true" + gdpr = "true" + hipaa = "true" + nist_800_171_rev_2 = "true" }) } 
@@ -314,8 +329,9 @@ control "iam_account_password_policy_one_number" { sql = query.iam_account_password_policy_one_number.sql tags = merge(local.conformance_pack_iam_common_tags, { - gdpr = "true" - hipaa = "true" + gdpr = "true" + hipaa = "true" + nist_800_171_rev_2 = "true" }) } @@ -325,8 +341,9 @@ control "iam_password_policy_expire_90" { sql = query.iam_account_password_policy_expire_90.sql tags = merge(local.conformance_pack_iam_common_tags, { - gdpr = "true" - hipaa = "true" + gdpr = "true" + hipaa = "true" + nist_800_171_rev_2 = "true" }) } @@ -336,8 +353,9 @@ control "iam_account_password_policy_one_symbol" { sql = query.iam_account_password_policy_one_symbol.sql tags = merge(local.conformance_pack_iam_common_tags, { - gdpr = "true" - hipaa = "true" + gdpr = "true" + hipaa = "true" + nist_800_171_rev_2 = "true" }) } @@ -366,6 +384,7 @@ control "iam_policy_custom_no_blocked_kms_actions" { fedramp_moderate_rev_4 = "true" ffiec = "true" gxp_21_cfr_part_11 = "true" + nist_800_171_rev_2 = "true" }) } @@ -375,7 +394,7 @@ control "iam_policy_inline_no_blocked_kms_actions" { sql = query.iam_policy_inline_no_blocked_kms_actions.sql tags = merge(local.conformance_pack_iam_common_tags, { - gxp_21_cfr_part_11 = "true" + gxp_21_cfr_part_11 = "true" }) } diff --git a/conformance_pack/lambda.sp b/conformance_pack/lambda.sp index f1ced339..97a61533 100644 --- a/conformance_pack/lambda.sp +++ b/conformance_pack/lambda.sp @@ -16,6 +16,7 @@ control "lambda_function_dead_letter_queue_configured" { hipaa = "true" nist_800_53_rev_5 = "true" nist_csf = "true" + nist_800_171_rev_2 = "true" soc_2 = "true" }) } @@ -31,6 +32,7 @@ control "lambda_function_in_vpc" { ffiec = "true" gxp_21_cfr_part_11 = "true" hipaa = "true" + nist_800_171_rev_2 = "true" nist_800_53_rev_4 = "true" nist_800_53_rev_5 = "true" nist_csf = "true" 
@@ -49,6 +51,7 @@ control "lambda_function_restrict_public_access" { ffiec = "true" gxp_21_cfr_part_11 = "true" hipaa = "true" + nist_800_171_rev_2 = "true" nist_800_53_rev_4 = "true" nist_800_53_rev_5 = "true" nist_csf = "true" diff --git a/conformance_pack/rds.sp b/conformance_pack/rds.sp index 37da7b83..235a5c51 100644 --- a/conformance_pack/rds.sp +++ b/conformance_pack/rds.sp @@ -15,6 +15,7 @@ control "rds_db_instance_backup_enabled" { ffiec = "true" gxp_21_cfr_part_11 = "true" hipaa = "true" + nist_800_171_rev_2 = "true" nist_800_53_rev_4 = "true" nist_800_53_rev_5 = "true" nist_csf = "true" @@ -52,6 +53,7 @@ control "rds_db_instance_multiple_az_enabled" { ffiec = "true" gxp_21_cfr_part_11 = "true" hipaa = "true" + nist_800_171_rev_2 = "true" nist_800_53_rev_4 = "true" nist_800_53_rev_5 = "true" nist_csf = "true" @@ -70,6 +72,7 @@ control "rds_db_instance_prohibit_public_access" { ffiec = "true" gxp_21_cfr_part_11 = "true" hipaa = "true" + nist_800_171_rev_2 = "true" nist_800_53_rev_4 = "true" nist_800_53_rev_5 = "true" nist_csf = "true" @@ -89,6 +92,7 @@ control "rds_db_snapshot_encrypted_at_rest" { gdpr = "true" gxp_21_cfr_part_11 = "true" hipaa = "true" + nist_800_171_rev_2 = "true" nist_800_53_rev_4 = "true" nist_800_53_rev_5 = "true" rbi_cyber_security = "true" @@ -107,6 +111,7 @@ control "rds_db_snapshot_prohibit_public_access" { ffiec = "true" gxp_21_cfr_part_11 = "true" hipaa = "true" + nist_800_171_rev_2 = "true" nist_800_53_rev_4 = "true" nist_800_53_rev_5 = "true" nist_csf = "true" @@ -125,6 +130,7 @@ control "rds_db_instance_logging_enabled" { ffiec = "true" gdpr = "true" gxp_21_cfr_part_11 = "true" + nist_800_171_rev_2 = "true" nist_800_53_rev_4 = "true" nist_800_53_rev_5 = "true" rbi_cyber_security = "true" @@ -159,6 +165,7 @@ control "rds_db_instance_and_cluster_enhanced_monitoring_enabled" { fedramp_low_rev_4 = "true" fedramp_moderate_rev_4 = "true" ffiec = "true" + nist_800_171_rev_2 = "true" nist_800_53_rev_5 = "true" nist_csf = "true" }) 
@@ -174,6 +181,7 @@ control "rds_db_instance_deletion_protection_enabled" {
 fedramp_moderate_rev_4 = "true"
 ffiec = "true"
 gxp_21_cfr_part_11 = "true"
+ nist_800_171_rev_2 = "true"
 nist_800_53_rev_4 = "true"
 nist_800_53_rev_5 = "true"
 soc_2 = "true"
@@ -186,7 +194,18 @@ control "rds_db_instance_iam_authentication_enabled" {
 sql = query.rds_db_instance_iam_authentication_enabled.sql
 
 tags = merge(local.conformance_pack_rds_common_tags, {
- soc_2 = "true"
+ nist_800_171_rev_2 = "true"
+ soc_2 = "true"
+ })
+}
+
+control "rds_db_cluster_iam_authentication_enabled" {
+ title = "IAM authentication should be configured for RDS clusters"
+ description = "Checks if an Amazon RDS Cluster has AWS Identity and Access Management (IAM) authentication enabled. The rule is NON_COMPLIANT if an RDS Cluster does not have IAM authentication enabled."
+ sql = query.rds_db_cluster_iam_authentication_enabled.sql
+
+ tags = merge(local.conformance_pack_rds_common_tags, {
+ nist_800_171_rev_2 = "true"
 })
}
 
@@ -215,6 +234,7 @@ control "rds_db_instance_protected_by_backup_plan" {
 fedramp_moderate_rev_4 = "true"
 ffiec = "true"
 hipaa = "true"
+ nist_800_171_rev_2 = "true"
 nist_800_53_rev_5 = "true"
 nist_csf = "true"
 soc_2 = "true"
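Review bot: The new `rds_db_cluster_iam_authentication_enabled` control has no `severity` attribute, while the other two controls this commit adds (`rds_db_cluster_deletion_protection_enabled`, `s3_bucket_policy_restricts_cross_account_permission_changes`) set one; add a `severity = "<level>"` line between `description` and `sql` so the cluster check is not reported differently from its instance-level sibling. Its description is also written in AWS Config rule wording ("Checks if ... The rule is NON_COMPLIANT if ...") rather than in the style of the surrounding controls; `description = "Checks whether an Amazon RDS cluster has AWS Identity and Access Management (IAM) authentication enabled."` would match them. The query `query.rds_db_cluster_iam_authentication_enabled` referenced by `sql` is not part of this diff, so presumably it is added elsewhere; worth confirming before merge. The `rds_db_instance_iam_authentication_enabled` block this hunk edits starts above the hunk.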
@@ -232,6 +252,17 @@ control "rds_db_instance_automatic_minor_version_upgrade_enabled" {
 })
 }
 
+control "rds_db_cluster_deletion_protection_enabled" {
+ title = "RDS clusters should have deletion protection enabled"
+ description = "This control checks whether RDS clusters have deletion protection enabled. This control is intended for RDS DB instances. However, it can also generate findings for Aurora DB instances, Neptune DB instances, and Amazon DocumentDB clusters. If these findings are not useful,then you can suppress them."
+ severity = "low"
+ sql = query.rds_db_cluster_deletion_protection_enabled.sql
+
+ tags = merge(local.conformance_pack_rds_common_tags, {
+ nist_800_171_rev_2 = "true"
+ })
+}
+
 control "rds_db_instance_cloudwatch_logs_enabled" {
 title = "RDS DB instances should be integrated with CloudWatch logs"
 description = "Use Amazon CloudWatch to centrally collect and manage RDS DB instance activity."
diff --git a/conformance_pack/redshift.sp b/conformance_pack/redshift.sp
index 6e3e4af4..2105206e 100644
--- a/conformance_pack/redshift.sp
+++ b/conformance_pack/redshift.sp
@@ -16,6 +16,7 @@ control "redshift_cluster_encryption_in_transit_enabled" {
 gdpr = "true"
 gxp_21_cfr_part_11 = "true"
 hipaa = "true"
+ nist_800_171_rev_2 = "true"
 nist_800_53_rev_4 = "true"
 nist_800_53_rev_5 = "true"
 nist_csf = "true"
@@ -54,6 +55,7 @@ control "redshift_cluster_prohibit_public_access" {
 ffiec = "true"
 gxp_21_cfr_part_11 = "true"
 hipaa = "true"
+ nist_800_171_rev_2 = "true"
 nist_800_53_rev_4 = "true"
 nist_800_53_rev_5 = "true"
 nist_csf = "true"
@@ -116,6 +118,7 @@ control "redshift_cluster_enhanced_vpc_routing_enabled" {
 tags = merge(local.conformance_pack_redshift_common_tags, {
 ffiec = "true"
 gxp_21_cfr_part_11 = "true"
+ nist_800_171_rev_2 = "true"
 nist_800_53_rev_5 = "true"
 })
}
diff --git a/conformance_pack/s3.sp b/conformance_pack/s3.sp
index b5557248..973c847d 100644
--- a/conformance_pack/s3.sp
+++ b/conformance_pack/s3.sp
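Review bot: The description of the new `rds_db_cluster_deletion_protection_enabled` control contradicts its title: it first says the check is for RDS clusters and then that "This control is intended for RDS DB instances", and it contains the typo "useful,then". Suggested: `description = "This control checks whether RDS clusters have deletion protection enabled. It can also generate findings for Aurora DB instances, Neptune DB instances, and Amazon DocumentDB clusters; if these findings are not useful, you can suppress them."`. As with the other controls added in this commit, the query `query.rds_db_cluster_deletion_protection_enabled` named in `sql` is not in this diff, so it presumably lives in a separate change and should exist before this merges.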
@@ -34,6 +34,7 @@ control "s3_bucket_default_encryption_enabled" { gdpr = "true" gxp_21_cfr_part_11 = "true" hipaa = "true" + nist_800_171_rev_2 = "true" nist_800_53_rev_4 = "true" nist_800_53_rev_5 = "true" nist_csf = "true" @@ -53,6 +54,7 @@ control "s3_bucket_enforces_ssl" { gdpr = "true" gxp_21_cfr_part_11 = "true" hipaa = "true" + nist_800_171_rev_2 = "true" nist_800_53_rev_4 = "true" nist_800_53_rev_5 = "true" nist_csf = "true" @@ -71,6 +73,7 @@ control "s3_bucket_logging_enabled" { ffiec = "true" gxp_21_cfr_part_11 = "true" hipaa = "true" + nist_800_171_rev_2 = "true" nist_800_53_rev_4 = "true" nist_800_53_rev_5 = "true" nist_csf = "true" @@ -89,6 +92,7 @@ control "s3_bucket_object_lock_enabled" { ffiec = "true" gxp_21_cfr_part_11 = "true" hipaa = "true" + nist_800_171_rev_2 = "true" nist_csf = "true" soc_2 = "true" }) @@ -106,6 +110,7 @@ control "s3_bucket_restrict_public_read_access" { ffiec = "true" gxp_21_cfr_part_11 = "true" hipaa = "true" + nist_800_171_rev_2 = "true" nist_800_53_rev_4 = "true" nist_800_53_rev_5 = "true" nist_csf = "true" @@ -126,6 +131,7 @@ control "s3_bucket_restrict_public_write_access" { ffiec = "true" gxp_21_cfr_part_11 = "true" hipaa = "true" + nist_800_171_rev_2 = "true" nist_800_53_rev_4 = "true" nist_800_53_rev_5 = "true" nist_csf = "true" @@ -145,6 +151,7 @@ control "s3_bucket_versioning_enabled" { ffiec = "true" gxp_21_cfr_part_11 = "true" hipaa = "true" + nist_800_171_rev_2 = "true" nist_800_53_rev_4 = "true" nist_800_53_rev_5 = "true" nist_csf = "true" @@ -164,6 +171,7 @@ control "s3_public_access_block_account" { ffiec = "true" gxp_21_cfr_part_11 = "true" hipaa = "true" + nist_800_171_rev_2 = "true" nist_800_53_rev_4 = "true" nist_800_53_rev_5 = "true" nist_csf = "true" @@ -180,6 +188,7 @@ control "s3_public_access_block_bucket_account" { fedramp_moderate_rev_4 = "true" ffiec = "true" hipaa = "true" + nist_800_171_rev_2 = "true" nist_800_53_rev_4 = "true" nist_csf = "true" rbi_cyber_security = "true" 
@@ -198,6 +207,7 @@ control "s3_bucket_default_encryption_enabled_kms" {
 gdpr = "true"
 gxp_21_cfr_part_11 = "true"
 hipaa = "true"
+ nist_800_171_rev_2 = "true"
 nist_800_53_rev_5 = "true"
 rbi_cyber_security = "true"
 })
@@ -216,6 +226,17 @@ control "s3_public_access_block_bucket" {
 })
 }
 
+control "s3_bucket_policy_restricts_cross_account_permission_changes" {
+ title = "Amazon S3 permissions granted to other AWS accounts in bucket policies should be restricted"
+ description = "This control checks whether the S3 bucket policy prevents principals from other AWS accounts from performing denied actions on resources in the S3 bucket."
+ severity = "high"
+ sql = query.s3_bucket_policy_restricts_cross_account_permission_changes.sql
+
+ tags = merge(local.conformance_pack_s3_common_tags, {
+ nist_800_171_rev_2 = "true"
+ })
+}
+
 control "s3_bucket_object_logging_enabled" {
 title = "S3 buckets object logging should be enabled"
 description = "Object-Level logging saves events in JSON format in CloudTrail. This is recommended from a security best practice perspective for buckets that contain sensitive data."
diff --git a/conformance_pack/sagemaker.sp b/conformance_pack/sagemaker.sp
index e86593c7..661b513e 100644
--- a/conformance_pack/sagemaker.sp
+++ b/conformance_pack/sagemaker.sp
@@ -15,6 +15,7 @@ control "sagemaker_notebook_instance_direct_internet_access_disabled" {
 ffiec = "true"
 gxp_21_cfr_part_11 = "true"
 hipaa = "true"
+ nist_800_171_rev_2 = "true"
 nist_800_53_rev_4 = "true"
 nist_800_53_rev_5 = "true"
 nist_csf = "true"
@@ -51,6 +52,7 @@ control "sagemaker_endpoint_configuration_encryption_at_rest_enabled" {
 gdpr = "true"
 gxp_21_cfr_part_11 = "true"
 hipaa = "true"
+ nist_800_171_rev_2 = "true"
 nist_800_53_rev_4 = "true"
 nist_800_53_rev_5 = "true"
 nist_csf = "true"
diff --git a/conformance_pack/securityhub.sp b/conformance_pack/securityhub.sp
index 7930b1db..72ef683d 100644
--- a/conformance_pack/securityhub.sp
+++ b/conformance_pack/securityhub.sp
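Review bot: The description of the new `s3_bucket_policy_restricts_cross_account_permission_changes` control says it checks for "denied actions" without saying which actions are meant, so a reader cannot tell from the control text what a failing bucket policy looks like; the control name suggests it is about actions that change the bucket's permissions, if that is what the query tests. Suggested: `description = "This control checks whether the S3 bucket policy prevents principals from other AWS accounts from performing actions that change the permissions of the bucket or its objects."`. The query it references, `query.s3_bucket_policy_restricts_cross_account_permission_changes`, is not part of this diff; presumably it is added in a separate change and should be confirmed to exist before merge.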
@@ -15,6 +15,7 @@ control "securityhub_enabled" {
 ffiec = "true"
 gxp_21_cfr_part_11 = "true"
 hipaa = "true"
+ nist_800_171_rev_2 = "true"
 nist_800_53_rev_4 = "true"
 nist_800_53_rev_5 = "true"
 nist_csf = "true"
diff --git a/conformance_pack/sns.sp b/conformance_pack/sns.sp
index a2da4887..fb7f1364 100644
--- a/conformance_pack/sns.sp
+++ b/conformance_pack/sns.sp
@@ -15,6 +15,7 @@ control "sns_topic_encrypted_at_rest" {
 gdpr = "true"
 gxp_21_cfr_part_11 = "true"
 hipaa = "true"
+ nist_800_171_rev_2 = "true"
 nist_800_53_rev_4 = "true"
 nist_800_53_rev_5 = "true"
 nist_csf = "true"
diff --git a/conformance_pack/ssm.sp b/conformance_pack/ssm.sp
index 3631065b..93073088 100644
--- a/conformance_pack/ssm.sp
+++ b/conformance_pack/ssm.sp
@@ -15,6 +15,7 @@ control "ec2_instance_ssm_managed" {
 ffiec = "true"
 gxp_21_cfr_part_11 = "true"
 hipaa = "true"
+ nist_800_171_rev_2 = "true"
 nist_800_53_rev_4 = "true"
 nist_800_53_rev_5 = "true"
 nist_csf = "true"
@@ -34,6 +35,7 @@ control "ssm_managed_instance_compliance_association_compliant" {
 ffiec = "true"
 gxp_21_cfr_part_11 = "true"
 hipaa = "true"
+ nist_800_171_rev_2 = "true"
 nist_800_53_rev_4 = "true"
 nist_800_53_rev_5 = "true"
 nist_csf = "true"
@@ -53,6 +55,7 @@ control "ssm_managed_instance_compliance_patch_compliant" {
 ffiec = "true"
 gxp_21_cfr_part_11 = "true"
 hipaa = "true"
+ nist_800_171_rev_2 = "true"
 nist_800_53_rev_4 = "true"
 nist_800_53_rev_5 = "true"
 rbi_cyber_security = "true"
diff --git a/conformance_pack/vpc.sp b/conformance_pack/vpc.sp
index ecdc46c4..b09fe7e4 100644
--- a/conformance_pack/vpc.sp
+++ b/conformance_pack/vpc.sp
@@ -16,6 +16,7 @@ control "vpc_flow_logs_enabled" {
 gdpr = "true"
 gxp_21_cfr_part_11 = "true"
 hipaa = "true"
+ nist_800_171_rev_2 = "true"
 nist_800_53_rev_4 = "true"
 nist_800_53_rev_5 = "true"
 nist_csf = "true"
@@ -32,6 +33,7 @@ control "vpc_igw_attached_to_authorized_vpc" {
 tags = merge(local.conformance_pack_vpc_common_tags, {
 gxp_21_cfr_part_11 = "true"
 hipaa = "true"
+ nist_800_171_rev_2 = "true"
 nist_800_53_rev_4 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
@@ -49,6 +51,7 @@ control "vpc_security_group_restrict_ingress_tcp_udp_all" {
 ffiec = "true"
 gxp_21_cfr_part_11 = "true"
 hipaa = "true"
+ nist_800_171_rev_2 = "true"
 nist_800_53_rev_4 = "true"
 nist_800_53_rev_5 = "true"
 nist_csf = "true"
@@ -68,6 +71,7 @@ control "vpc_security_group_restrict_ingress_common_ports_all" {
 ffiec = "true"
 gxp_21_cfr_part_11 = "true"
 hipaa = "true"
+ nist_800_171_rev_2 = "true"
 nist_800_53_rev_4 = "true"
 nist_800_53_rev_5 = "true"
 nist_csf = "true"
@@ -87,6 +91,7 @@ control "vpc_security_group_restrict_ingress_ssh_all" {
 ffiec = "true"
 gxp_21_cfr_part_11 = "true"
 hipaa = "true"
+ nist_800_171_rev_2 = "true"
 nist_800_53_rev_4 = "true"
 nist_800_53_rev_5 = "true"
 nist_csf = "true"
@@ -105,6 +110,7 @@ control "vpc_default_security_group_restricts_all_traffic" {
 fedramp_moderate_rev_4 = "true"
 ffiec = "true"
 gxp_21_cfr_part_11 = "true"
+ nist_800_171_rev_2 = "true"
 nist_800_53_rev_4 = "true"
 nist_800_53_rev_5 = "true"
 nist_csf = "true"
@@ -134,8 +140,9 @@ control "vpc_eip_associated" {
 sql = query.vpc_eip_associated.sql
 tags = merge(local.conformance_pack_vpc_common_tags, {
- ffiec = "true"
- nist_csf = "true"
+ ffiec = "true"
+ nist_800_171_rev_2 = "true"
+ nist_csf = "true"
 })
 }
@@ -145,7 +152,8 @@ control "vpc_security_group_associated_to_eni" {
 sql = query.vpc_security_group_associated_to_eni.sql
 tags = merge(local.conformance_pack_vpc_common_tags, {
- nist_csf = "true"
+ nist_800_171_rev_2 = "true"
+ nist_csf = "true"
 })
 }
@@ -159,6 +167,7 @@ control "vpc_subnet_auto_assign_public_ip_disabled" {
 fedramp_moderate_rev_4 = "true"
 ffiec = "true"
 gxp_21_cfr_part_11 = "true"
+ nist_800_171_rev_2 = "true"
 nist_800_53_rev_5 = "true"
 nist_csf = "true"
 rbi_cyber_security = "true"
@@ -175,11 +184,22 @@ control "vpc_route_table_restrict_public_access_to_igw" {
 fedramp_moderate_rev_4 = "true"
 ffiec = "true"
 gxp_21_cfr_part_11 = "true"
+ nist_800_171_rev_2 = "true"
 nist_800_53_rev_5 = "true"
 rbi_cyber_security = "true"
 })
 }
+control "vpc_security_group_restricted_common_ports" {
+ title = "Security groups should not allow unrestricted access to ports with high risk"
+ description = "This control checks whether unrestricted incoming traffic for the security groups is accessible to the specified ports that have the highest risk. This control passes when none of the rules in a security group allow ingress traffic from 0.0.0.0/0 for those ports."
+ sql = query.vpc_security_group_restricted_common_ports.sql
+
+ tags = merge(local.conformance_pack_vpc_common_tags, {
+ nist_800_171_rev_2 = "true"
+ })
+}
+
 control "vpc_security_group_restrict_ingress_redis_port" {
 title = "VPC security groups should restrict ingress redis access from 0.0.0.0/0"
 description = "Amazon VPC security groups can help in managing network access by providing stateful filtering of ingress and egress network traffic to AWS resources."
diff --git a/conformance_pack/wafv2.sp b/conformance_pack/wafv2.sp
index e096b224..7fa6826c 100644
--- a/conformance_pack/wafv2.sp
+++ b/conformance_pack/wafv2.sp
@@ -16,6 +16,7 @@ control "wafv2_web_acl_logging_enabled" {
 gdpr = "true"
 gxp_21_cfr_part_11 = "true"
 hipaa = "true"
+ nist_800_171_rev_2 = "true"
 nist_800_53_rev_4 = "true"
 nist_800_53_rev_5 = "true"
 nist_csf = "true"
diff --git a/docs/index.md b/docs/index.md
index 7dbda239..6200b64e 100644
--- a/docs/index.md
+++ b/docs/index.md
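Review bot: `vpc_security_group_restricted_common_ports` states its pass condition only in terms of `0.0.0.0/0`, so if `query.vpc_security_group_restricted_common_ports.sql` (not in this diff) does not also test `::/0`, a rule open to every IPv6 address on the same ports passes silently; either extend the query or state the IPv6 gap in the description. The description also says "the specified ports that have the highest risk" without listing them, so a reader cannot tell how this differs from the existing `vpc_security_group_restrict_ingress_common_ports_all` control in this file; suggest enumerating the ports, along the lines of `description = "... allow ingress traffic from 0.0.0.0/0 or ::/0 to <the ports the query checks>."`. Unlike `s3_bucket_policy_restricts_cross_account_permission_changes`, added by the same commit with `severity = "high"`, this control carries no `severity` at all; an Internet-exposed high-risk port is a high finding and should be rated as one.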
@@ -34,6 +34,8 @@ Run individual configuration, compliance and security controls or full complianc
 [NIST CSF](https://www.nist.gov/cyberframework) provides security standards for managing and reducing cybersecurity risk.
+[NIST 800-171](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final) provides minimum baselines of security controls for protecting the confidentiality of Controlled Unclassified Information (CUI) in nonfederal systems and organizations, and recommends specific security requirements to achieve that objective.
+
 [PCI DSS](https://www.pcisecuritystandards.org) provides security standards for the payment card industry.
 [RBI Cyber Security Framework](https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=11397) provides a cyber security framework for Urban Cooperative Banks (UCB) in India.
diff --git a/foundational_security/rds.sp b/foundational_security/rds.sp
index 045eb43e..91d06bea 100644
--- a/foundational_security/rds.sp
+++ b/foundational_security/rds.sp
@@ -235,10 +235,10 @@ control "foundational_security_rds_16" {
 }
 control "foundational_security_rds_17" {
- title = "17 RDS DB instances should be configured to copy tags to snapshots"
- description = "This control checks whether RDS DB instances are configured to copy all tags to snapshots when the snapshots are created."
- severity = "low"
- sql = query.rds_db_instance_copy_tags_to_snapshot_enabled.sql
+ title = "17 RDS DB instances should be configured to copy tags to snapshots"
+ description = "This control checks whether RDS DB instances are configured to copy all tags to snapshots when the snapshots are created."
+ severity = "low"
+ sql = query.rds_db_instance_copy_tags_to_snapshot_enabled.sql
 #documentation = file("./foundational_security/docs/foundational_security_rds_17.md")
 tags = merge(local.foundational_security_rds_common_tags, {
@@ -349,4 +349,4 @@ control "foundational_security_rds_25" {
 foundational_security_item_id = "rds_25"
 foundational_security_category = "resource_configuration"
 })
-}
\ No newline at end of file
+}
diff --git a/nist_800_171_rev_2/ac.sp b/nist_800_171_rev_2/ac.sp
new file mode 100644
index 00000000..5f0238b6
--- /dev/null
+++ b/nist_800_171_rev_2/ac.sp
@@ -0,0 +1,277 @@
+benchmark "nist_800_171_rev_2_3_1" {
+ title = "3.1 Access Control"
+ description = "The access control family consists of security requirements detailing system logging. This includes who has access to what assets and reporting capabilities like account management, system privileges, and remote access logging to determine when users have access to the system and their level of access."
+ children = [
+ benchmark.nist_800_171_rev_2_3_1_1,
+ benchmark.nist_800_171_rev_2_3_1_2,
+ benchmark.nist_800_171_rev_2_3_1_3,
+ benchmark.nist_800_171_rev_2_3_1_4,
+ benchmark.nist_800_171_rev_2_3_1_5,
+ benchmark.nist_800_171_rev_2_3_1_6,
+ benchmark.nist_800_171_rev_2_3_1_7,
+ benchmark.nist_800_171_rev_2_3_1_12,
+ benchmark.nist_800_171_rev_2_3_1_13,
+ benchmark.nist_800_171_rev_2_3_1_14,
+ benchmark.nist_800_171_rev_2_3_1_20
+ ]
+
+ tags = local.nist_800_171_rev_2_common_tags
+}
+
+benchmark "nist_800_171_rev_2_3_1_1" {
+ title = "3.1.1 Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems)"
+ description = "Access control policies (e.g., identity or role-based policies, control matrices, and cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, and domains) in systems. Access enforcement mechanisms can be employed at the application and service level to provide increased information security. Other systems include systems internal and external to the organization. This requirement focuses on account management for systems and applications. The definition of and enforcement of access authorizations, other than those determined by account type (e.g., privileged verses non-privileged) are addressed in requirement 3.1.2."
+ children = [
+ control.dms_replication_instance_not_publicly_accessible,
+ control.ebs_snapshot_not_publicly_restorable,
+ control.ec2_instance_iam_profile_attached,
+ control.ec2_instance_in_vpc,
+ control.ec2_instance_not_publicly_accessible,
+ control.ecs_task_definition_user_for_host_mode_check,
+ control.eks_cluster_endpoint_restrict_public_access,
+ control.emr_cluster_kerberos_enabled,
+ control.emr_cluster_master_nodes_no_public_ip,
+ control.es_domain_in_vpc,
+ control.iam_policy_no_star_star,
+ control.iam_root_user_hardware_mfa_enabled,
+ control.iam_root_user_mfa_enabled,
+ control.iam_root_user_no_access_keys,
+ control.iam_user_console_access_mfa_enabled,
+ control.iam_user_in_group,
+ control.iam_user_mfa_enabled,
+ control.iam_user_no_inline_attached_policies,
+ control.iam_user_unused_credentials_90,
+ control.lambda_function_in_vpc,
+ control.lambda_function_restrict_public_access,
+ control.rds_db_instance_prohibit_public_access,
+ control.rds_db_snapshot_prohibit_public_access,
+ control.redshift_cluster_enhanced_vpc_routing_enabled,
+ control.redshift_cluster_prohibit_public_access,
+ control.s3_bucket_restrict_public_read_access,
+ control.s3_bucket_restrict_public_write_access,
+ control.s3_public_access_block_account,
+ control.sagemaker_notebook_instance_direct_internet_access_disabled,
+ control.vpc_default_security_group_restricts_all_traffic,
+ control.vpc_igw_attached_to_authorized_vpc,
+ control.vpc_security_group_restrict_ingress_common_ports_all,
+ control.vpc_security_group_restrict_ingress_ssh_all,
+ control.vpc_security_group_restrict_ingress_tcp_udp_all,
+ control.vpc_subnet_auto_assign_public_ip_disabled
+ ]
+
+ tags = local.nist_800_171_rev_2_common_tags
+}
+
+benchmark "nist_800_171_rev_2_3_1_2" {
+ title = "3.1.2 Limit system access to the types of transactions and functions that authorized users are permitted to execute"
+ description = "Organizations may choose to define access privileges or other attributes by account, 
by type of account, or a combination of both. System account types include individual, shared, group, system, anonymous, guest, emergency, developer, manufacturer, vendor, and temporary. Other attributes required for authorizing access include restrictions on time-of-day, day-of-week, and point-oforigin. In defining other account attributes, organizations consider system-related requirements (e.g., system upgrades scheduled maintenance,) and mission or business requirements, (e.g., time zone differences, customer requirements, remote access to support travel requirements)."
+ children = [
+ control.dms_replication_instance_not_publicly_accessible,
+ control.ebs_snapshot_not_publicly_restorable,
+ control.ec2_instance_iam_profile_attached,
+ control.ec2_instance_in_vpc,
+ control.ec2_instance_not_publicly_accessible,
+ control.ecs_task_definition_user_for_host_mode_check,
+ control.eks_cluster_endpoint_restrict_public_access,
+ control.emr_cluster_kerberos_enabled,
+ control.emr_cluster_master_nodes_no_public_ip,
+ control.es_domain_in_vpc,
+ control.iam_policy_no_star_star,
+ control.iam_root_user_hardware_mfa_enabled,
+ control.iam_root_user_mfa_enabled,
+ control.iam_root_user_no_access_keys,
+ control.iam_user_console_access_mfa_enabled,
+ control.iam_user_in_group,
+ control.iam_user_mfa_enabled,
+ control.iam_user_no_inline_attached_policies,
+ control.iam_user_unused_credentials_90,
+ control.lambda_function_in_vpc,
+ control.lambda_function_restrict_public_access,
+ control.rds_db_instance_prohibit_public_access,
+ control.rds_db_snapshot_prohibit_public_access,
+ control.redshift_cluster_enhanced_vpc_routing_enabled,
+ control.redshift_cluster_prohibit_public_access,
+ control.s3_bucket_restrict_public_read_access,
+ control.s3_bucket_restrict_public_write_access,
+ control.s3_public_access_block_account,
+ control.sagemaker_notebook_instance_direct_internet_access_disabled,
+ control.vpc_default_security_group_restricts_all_traffic,
+ 
control.vpc_igw_attached_to_authorized_vpc,
+ control.vpc_security_group_restrict_ingress_common_ports_all,
+ control.vpc_security_group_restrict_ingress_ssh_all,
+ control.vpc_security_group_restrict_ingress_tcp_udp_all,
+ control.vpc_subnet_auto_assign_public_ip_disabled
+ ]
+
+ tags = local.nist_800_171_rev_2_common_tags
+}
+
+benchmark "nist_800_171_rev_2_3_1_3" {
+ title = "3.1.3 Control the flow of CUI in accordance with approved authorizations"
+ description = "Information flow control regulates where information can travel within a system and between systems (versus who can access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include the following: keeping exportcontrolled information from being transmitted in the clear to the Internet; blocking outside traffic that claims to be from within the organization; restricting requests to the Internet that are not from the internal web proxy server; and limiting information transfers between organizations based on data structures and content. Organizations commonly use information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within systems and between interconnected systems. Flow control is based on characteristics of the information or the information path. Enforcement occurs in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict system services, provide a packetfiltering capability based on header information, or message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics). 
Organizations also consider the trustworthiness of filtering and inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Transferring information between systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies. In such situations, information owners or stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes: prohibiting information transfers between interconnected systems (i.e., allowing access only); employing hardware mechanisms to enforce one-way information flows; and implementing trustworthy regrading mechanisms to reassign security attributes and security labels."
+ children = [
+ control.dms_replication_instance_not_publicly_accessible,
+ control.ebs_snapshot_not_publicly_restorable,
+ control.ec2_instance_in_vpc,
+ control.ec2_instance_not_publicly_accessible,
+ control.eks_cluster_endpoint_restrict_public_access,
+ control.emr_cluster_master_nodes_no_public_ip,
+ control.es_domain_in_vpc,
+ control.lambda_function_in_vpc,
+ control.lambda_function_restrict_public_access,
+ control.rds_db_instance_prohibit_public_access,
+ control.rds_db_snapshot_prohibit_public_access,
+ control.redshift_cluster_prohibit_public_access,
+ control.s3_bucket_restrict_public_read_access,
+ control.s3_bucket_restrict_public_write_access,
+ control.s3_public_access_block_account,
+ control.sagemaker_notebook_instance_direct_internet_access_disabled,
+ control.vpc_default_security_group_restricts_all_traffic,
+ control.vpc_route_table_restrict_public_access_to_igw,
+ control.vpc_security_group_restrict_ingress_common_ports_all,
+ control.vpc_security_group_restrict_ingress_ssh_all,
+ 
control.vpc_security_group_restrict_ingress_tcp_udp_all
+ ]
+
+ tags = local.nist_800_171_rev_2_common_tags
+}
+
+benchmark "nist_800_171_rev_2_3_1_4" {
+ title = "3.1.4 Separate the duties of individuals to reduce the risk of malevolent activity without collusion"
+ description = "Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes dividing mission functions and system support functions among different individuals or roles; conducting system support functions with different individuals (e.g., configuration management, quality assurance and testing, system management, programming, and network security); and ensuring that security personnel administering access control functions do not also administer audit functions. Because separation of duty violations can span systems and application domains, organizations consider the entirety of organizational systems and system components when developing policy on separation of duties."
+ children = [
+ control.ecs_task_definition_user_for_host_mode_check,
+ control.emr_cluster_kerberos_enabled,
+ control.iam_policy_custom_no_blocked_kms_actions,
+ control.iam_policy_no_star_star,
+ control.iam_root_user_no_access_keys,
+ control.iam_user_in_group,
+ control.iam_user_no_inline_attached_policies,
+ control.iam_user_unused_credentials_90,
+ control.rds_db_cluster_iam_authentication_enabled,
+ control.rds_db_instance_iam_authentication_enabled
+ ]
+
+ tags = local.nist_800_171_rev_2_common_tags
+}
+
+benchmark "nist_800_171_rev_2_3_1_5" {
+ title = "3.1.5 Employ the principle of least privilege, including for specific security functions and privileged accounts"
+ description = "Organizations employ the principle of least privilege for specific duties and authorized accesses for users and processes. 
The principle of least privilege is applied with the goal of authorized privileges no higher than necessary to accomplish required organizational missions or business functions. Organizations consider the creation of additional processes, roles, and system accounts as necessary, to achieve least privilege. Organizations also apply least privilege to the development, implementation, and operation of organizational systems. Security functions include establishing system accounts, setting events to be logged, setting intrusion detection parameters, and configuring access authorizations (i.e., permissions, privileges). Privileged accounts, including super user accounts, are typically described as system administrator for various types of commercial off-the-shelf operating systems. Restricting privileged accounts to specific personnel or roles prevents day-to-day users from having access to privileged information or functions. Organizations may differentiate in the application of this requirement between allowed privileges for local accounts and for domain accounts provided organizations retain the ability to control system configurations for key security parameters and as otherwise necessary to sufficiently mitigate risk." 
+ children = [
+ control.ecs_task_definition_user_for_host_mode_check,
+ control.emr_cluster_kerberos_enabled,
+ control.iam_policy_custom_no_blocked_kms_actions,
+ control.iam_policy_no_star_star,
+ control.iam_root_user_no_access_keys,
+ control.iam_user_in_group,
+ control.iam_user_no_inline_attached_policies,
+ control.iam_user_unused_credentials_90,
+ control.rds_db_cluster_iam_authentication_enabled,
+ control.rds_db_instance_iam_authentication_enabled,
+ control.s3_bucket_policy_restricts_cross_account_permission_changes
+ ]
+
+ tags = local.nist_800_171_rev_2_common_tags
+}
+
+benchmark "nist_800_171_rev_2_3_1_6" {
+ title = "3.1.6 Use non-privileged accounts or roles when accessing nonsecurity functions"
+ description = "This requirement limits exposure when operating from within privileged accounts or roles. The inclusion of roles addresses situations where organizations implement access control policies such as role-based access control and where a change of role provides the same degree of assurance in the change of access authorizations for the user and all processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account."
+ children = [
+ control.iam_policy_no_star_star,
+ control.iam_root_user_no_access_keys
+ ]
+
+ tags = local.nist_800_171_rev_2_common_tags
+}
+
+benchmark "nist_800_171_rev_2_3_1_7" {
+ title = "3.1.7 Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs"
+ description = "Privileged functions include establishing system accounts, performing system integrity checks, conducting patching operations, or administering cryptographic key management activities. Nonprivileged users are individuals that do not possess appropriate authorizations. 
Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users. Note that this requirement represents a condition to be achieved by the definition of authorized privileges in 3.1.2. Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Logging the use of privileged functions is one way to detect such misuse, and in doing so, help mitigate the risk from insider threats and the advanced persistent threat."
+ children = [
+ control.emr_cluster_kerberos_enabled,
+ control.iam_group_not_empty,
+ control.iam_policy_no_star_star,
+ control.iam_root_user_no_access_keys,
+ control.iam_user_in_group
+ ]
+
+ tags = local.nist_800_171_rev_2_common_tags
+}
+
+benchmark "nist_800_171_rev_2_3_1_12" {
+ title = "3.1.12 Monitor and control remote access sessions"
+ description = "Remote access is access to organizational systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality over remote connections. The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate control (e.g., employing encryption techniques for confidentiality protection), may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. VPNs with encrypted tunnels can affect the capability to adequately monitor network communications traffic for malicious code. 
Automated monitoring and control of remote access sessions allows organizations to detect cyberattacks and help to ensure ongoing compliance with remote access policies by auditing connection activities of remote users on a variety of system components (e.g., servers, workstations, notebook computers, smart phones, and tablets)."
+ children = [
+ control.apigateway_stage_logging_enabled,
+ control.cloudtrail_multi_region_trail_enabled,
+ control.cloudtrail_s3_data_events_enabled,
+ control.cloudtrail_trail_enabled,
+ control.elb_application_classic_lb_logging_enabled,
+ control.guardduty_enabled,
+ control.rds_db_instance_logging_enabled,
+ control.s3_bucket_logging_enabled,
+ control.securityhub_enabled,
+ control.wafv2_web_acl_logging_enabled
+ ]
+
+ tags = local.nist_800_171_rev_2_common_tags
+}
+
+benchmark "nist_800_171_rev_2_3_1_13" {
+ title = "3.1.13 Employ cryptographic mechanisms to protect the confidentiality of remote access sessions"
+ description = "Cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography."
+ children = [
+ control.elb_application_lb_redirect_http_request_to_https,
+ control.elb_classic_lb_use_ssl_certificate,
+ control.elb_classic_lb_use_tls_https_listeners,
+ control.redshift_cluster_encryption_in_transit_enabled,
+ control.s3_bucket_enforces_ssl
+ ]
+
+ tags = local.nist_800_171_rev_2_common_tags
+}
+
+benchmark "nist_800_171_rev_2_3_1_14" {
+ title = "3.1.14 Route remote access via managed access control points"
+ description = "Routing remote access through managed access control points enhances explicit, organizational control over such connections, reducing the susceptibility to unauthorized access to organizational systems resulting in the unauthorized disclosure of CUI."
+ children = [
+ control.dms_replication_instance_not_publicly_accessible,
+ control.ebs_snapshot_not_publicly_restorable,
+ control.ec2_instance_in_vpc,
+ control.ec2_instance_not_publicly_accessible,
+ control.emr_cluster_kerberos_enabled,
+ control.es_domain_in_vpc,
+ control.iam_user_console_access_mfa_enabled,
+ control.lambda_function_in_vpc,
+ control.lambda_function_restrict_public_access,
+ control.rds_db_instance_prohibit_public_access,
+ control.rds_db_snapshot_prohibit_public_access,
+ control.redshift_cluster_prohibit_public_access,
+ control.s3_public_access_block_account,
+ control.sagemaker_notebook_instance_direct_internet_access_disabled,
+ control.vpc_default_security_group_restricts_all_traffic,
+ control.vpc_igw_attached_to_authorized_vpc,
+ control.vpc_security_group_restrict_ingress_common_ports_all,
+ control.vpc_security_group_restrict_ingress_ssh_all,
+ control.vpc_security_group_restrict_ingress_tcp_udp_all
+ ]
+
+ tags = local.nist_800_171_rev_2_common_tags
+}
+
+benchmark "nist_800_171_rev_2_3_1_20" {
+ title = "3.1.20 Verify and control/limit connections to and use of external systems"
+ description = "External systems are systems or components of systems for which organizations typically have no direct supervision and authority over the application of security requirements and controls or the determination of the effectiveness of implemented controls on those systems. External systems include personally owned systems, components, or devices and privately-owned computing and communications devices resident in commercial or public facilities. This requirement also addresses the use of external systems for the processing, storage, or transmission of CUI, including accessing cloud services (e.g., infrastructure as a service, platform as a service, or software as a service) from organizational systems. 
Organizations establish terms and conditions for the use of external systems in accordance with organizational security policies and procedures. Terms and conditions address as a minimum, the types of applications that can be accessed on organizational systems from external systems. If terms and conditions with the owners of external systems cannot be established, organizations may impose restrictions on organizational personnel using those external systems. This requirement recognizes that there are circumstances where individuals using external systems (e.g., contractors, coalition partners) need to access organizational systems. In those situations, organizations need confidence that the external systems contain the necessary controls so as not to compromise, damage, or otherwise harm organizational systems. Verification that the required controls have been effectively implemented can be achieved by third-party, independent assessments, attestations, or other means, depending on the assurance or confidence level required by organizations. Note that while “external” typically refers to outside of the organization's direct supervision and authority, that is not always the case. Regarding the protection of CUI across an organization, the organization may have systems that process CUI and others that do not. And among the systems that process CUI there are likely access restrictions for CUI that apply between systems. Therefore, from the perspective of a given system, other systems within the organization may be considered 'external' to that system."
+ children = [
+ control.s3_public_access_block_account,
+ control.vpc_default_security_group_restricts_all_traffic,
+ control.vpc_igw_attached_to_authorized_vpc,
+ control.vpc_security_group_restrict_ingress_common_ports_all,
+ control.vpc_security_group_restrict_ingress_ssh_all,
+ control.vpc_security_group_restrict_ingress_tcp_udp_all
+ ]
+
+ tags = local.nist_800_171_rev_2_common_tags
+}
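Review bot: Benchmark `nist_800_171_rev_2_3_1_7` requires that execution of privileged functions be captured "in audit logs", yet its `children` list holds five IAM/EMR controls and no logging control at all, so an account with CloudTrail switched off passes 3.1.7 in full. The mod already has `control.cloudtrail_trail_enabled` and `control.cloudtrail_multi_region_trail_enabled` (used under 3.1.12 in this same file); adding those two entries to the 3.1.7 list closes that gap. Separately, 3.1.1 and 3.1.2 carry identical children lists even though 3.1.1's own description says authorization enforcement "other than those determined by account type ... are addressed in requirement 3.1.2"; a one-line comment above each list stating the intended distinction, or trimming 3.1.2 to the IAM-policy controls, would stop the two from drifting as one. Finally, the family description on the `3.1 Access Control` benchmark says the family "consists of security requirements detailing system logging", which is the Audit and Accountability family's subject, not access control's; suggest `description = "The access control family consists of security requirements for limiting system access to authorized users, processes and devices, and for controlling which transactions and functions those users may perform."`.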
diff --git a/nist_800_171_rev_2/au.sp b/nist_800_171_rev_2/au.sp
new file mode 100644
index 00000000..58b8511f
--- /dev/null
+++ b/nist_800_171_rev_2/au.sp
@@ -0,0 +1,116 @@
+benchmark "nist_800_171_rev_2_3_3" {
+ title = "3.3 Audit and Accountability"
+ description = "The AU control family consists of security controls related to an organization’s audit capabilities. This includes audit policies and procedures, audit logging, audit report generation, and protection of audit information."
+ children = [
+ benchmark.nist_800_171_rev_2_3_3_1,
+ benchmark.nist_800_171_rev_2_3_3_2,
+ benchmark.nist_800_171_rev_2_3_3_3,
+ benchmark.nist_800_171_rev_2_3_3_4,
+ benchmark.nist_800_171_rev_2_3_3_5,
+ benchmark.nist_800_171_rev_2_3_3_8
+ ]
+
+ tags = local.nist_800_171_rev_2_common_tags
+}
+
+
+benchmark "nist_800_171_rev_2_3_3_1" {
+ title = "3.3.1 Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity"
+ description = "An event is any observable occurrence in a system, which includes unlawful or unauthorized system activity. Organizations identify event types for which a logging functionality is needed as those events which are significant and relevant to the security of systems and the environments in which those systems operate to meet specific and ongoing auditing needs. Event types can include password changes, failed logons or failed accesses related to systems, administrative privilege usage, or third-party credential usage. In determining event types that require logging, organizations consider the monitoring and auditing appropriate for each of the CUI security requirements. Monitoring and auditing requirements can be balanced with other system needs. For example, organizations may determine that systems must have the capability to log every file access both successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. 
Audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network. Selecting the appropriate level of abstraction is a critical aspect of an audit logging capability and can facilitate the identification of root causes to problems. Organizations consider in the definition of event types, the logging necessary to cover related events such as the steps in distributed, transaction-based processes (e.g., processes that are distributed across multiple organizations) and actions that occur in service-oriented or cloudbased architectures. Audit record content that may be necessary to satisfy this requirement includes time stamps, source and destination addresses, user or process identifiers, event descriptions, success or fail indications, filenames involved, and access control or flow control rules invoked. Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the system after the event occurred). Detailed information that organizations may consider in audit records includes full text recording of privileged commands or the individual identities of group account users. Organizations consider limiting the additional audit log information to only that information explicitly needed for specific audit requirements. This facilitates the use of audit trails and audit logs by not including information that could potentially be misleading or could make it more difficult to locate information of interest. Audit logs are reviewed and analyzed as often as needed to provide important information to organizations to facilitate risk-based decision making."
+ children = [
+ control.apigateway_stage_logging_enabled,
+ control.cloudtrail_multi_region_trail_enabled,
+ control.cloudtrail_s3_data_events_enabled,
+ control.cloudtrail_trail_enabled,
+ control.cloudtrail_trail_integrated_with_logs,
+ control.cloudwatch_log_group_retention_period_365,
+ control.elb_application_classic_lb_logging_enabled,
+ control.guardduty_enabled,
+ control.rds_db_instance_logging_enabled,
+ control.redshift_cluster_encryption_in_transit_enabled,
+ control.s3_bucket_logging_enabled,
+ control.securityhub_enabled,
+ control.vpc_flow_logs_enabled,
+ control.wafv2_web_acl_logging_enabled
+ ]
+
+ tags = local.nist_800_171_rev_2_common_tags
+}
+
+benchmark "nist_800_171_rev_2_3_3_2" {
+ title = "3.3.2 Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions"
+ description = "This requirement ensures that the contents of the audit record include the information needed to link the audit event to the actions of an individual to the extent feasible. Organizations consider logging for traceability including results from monitoring of account usage, remote access, wireless connectivity, mobile device connection, communications at system boundaries, configuration settings, physical access, nonlocal maintenance, use of maintenance tools, temperature and humidity, equipment delivery and removal, system component inventory, use of mobile code, and use of Voice over Internet Protocol (VoIP)."
+ children = [
+ control.apigateway_stage_logging_enabled,
+ control.cloudtrail_multi_region_trail_enabled,
+ control.cloudtrail_s3_data_events_enabled,
+ control.cloudtrail_trail_enabled,
+ control.cloudtrail_trail_integrated_with_logs,
+ control.guardduty_enabled,
+ control.rds_db_instance_logging_enabled,
+ control.redshift_cluster_encryption_in_transit_enabled,
+ control.s3_bucket_logging_enabled
+ ]
+
+ tags = local.nist_800_171_rev_2_common_tags
+}
+
+benchmark "nist_800_171_rev_2_3_3_3" {
+ title = "3.3.3 Review and update logged events"
+ description = "The intent of this requirement is to periodically re-evaluate which logged events will continue to be included in the list of events to be logged. The event types that are logged by organizations may change over time. Reviewing and updating the set of logged event types periodically is necessary to ensure that the current set remains necessary and sufficient."
+ children = [
+ control.apigateway_stage_logging_enabled,
+ control.cloudtrail_multi_region_trail_enabled,
+ control.cloudtrail_s3_data_events_enabled,
+ control.cloudtrail_trail_enabled,
+ control.cloudtrail_trail_integrated_with_logs,
+ control.rds_db_instance_logging_enabled,
+ control.redshift_cluster_encryption_in_transit_enabled,
+ control.s3_bucket_logging_enabled,
+ control.vpc_flow_logs_enabled,
+ control.wafv2_web_acl_logging_enabled
+ ]
+
+ tags = local.nist_800_171_rev_2_common_tags
+}
+
+benchmark "nist_800_171_rev_2_3_3_4" {
+ title = "3.3.4 Alert in the event of an audit logging process failure"
+ description = "Audit logging process failures include software and hardware errors, failures in the audit record capturing mechanisms, and audit record storage capacity being reached or exceeded. 
This requirement applies to each audit record data storage repository (i.e., distinct system component where audit records are stored), the total audit record storage capacity of organizations (i.e., all audit record data storage repositories combined), or both."
+ children = [
+ control.guardduty_enabled,
+ control.securityhub_enabled
+ ]
+
+ tags = local.nist_800_171_rev_2_common_tags
+}
+
+benchmark "nist_800_171_rev_2_3_3_5" {
+ title = "3.3.5 Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity"
+ description = "Correlating audit record review, analysis, and reporting processes helps to ensure that they do not operate independently, but rather collectively. Regarding the assessment of a given organizational system, the requirement is agnostic as to whether this correlation is applied at the system level or at the organization level across all systems."
+ children = [
+ control.cloudtrail_trail_integrated_with_logs,
+ control.guardduty_enabled,
+ control.securityhub_enabled
+ ]
+
+ tags = local.nist_800_171_rev_2_common_tags
+}
+
+benchmark "nist_800_171_rev_2_3_3_8" {
+ title = "3.3.8 Protect audit information and audit logging tools from unauthorized access, modification, and deletion"
+ description = "Audit information includes all information (e.g., audit records, audit log settings, and audit reports) needed to successfully audit system activity. Audit logging tools are those programs and devices used to conduct audit and logging activities. This requirement focuses on the technical protection of audit information and limits the ability to access and execute audit logging tools to authorized individuals. Physical protection of audit information is addressed by media protection and physical and environmental protection requirements."
+ children = [
+ control.cloudtrail_trail_logs_encrypted_with_kms_cmk,
+ control.cloudtrail_trail_validation_enabled,
+ control.log_group_encryption_at_rest_enabled,
+ control.s3_bucket_default_encryption_enabled,
+ control.s3_bucket_object_lock_enabled,
+ control.s3_bucket_restrict_public_read_access,
+ control.s3_bucket_restrict_public_write_access,
+ control.s3_bucket_versioning_enabled,
+ control.s3_public_access_block_account
+ ]
+
+ tags = local.nist_800_171_rev_2_common_tags
+}
diff --git a/nist_800_171_rev_2/ca.sp b/nist_800_171_rev_2/ca.sp
new file mode 100644
index 00000000..9bc6dfa2
--- /dev/null
+++ b/nist_800_171_rev_2/ca.sp
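Review bot: `control.redshift_cluster_encryption_in_transit_enabled` is a child of the audit-logging benchmarks 3.3.1, 3.3.2 and 3.3.3, but encryption in transit says nothing about whether audit records are created or retained, so these three benchmarks will report TLS posture as audit evidence. If the intent was Redshift audit logging, the mod's Redshift audit-logging control (if one exists) belongs here; otherwise the entry should be removed from all three lists. Related: 3.3.4 (alert on audit logging process failure) is backed only by `control.guardduty_enabled` and `control.securityhub_enabled`, neither of which detects a trail or log-delivery failure — `control.cloudwatch_alarm_action_enabled`, already used in ca.sp, is a closer fit. Minor: the 3.3.1 description reads `cloudbased`, which looks like a dropped hyphen from the source text.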
@@ -0,0 +1,25 @@
+benchmark "nist_800_171_rev_2_3_12" {
+ title = "3.12 Assessment, Authorization, and Monitoring"
+ description = "The Security Assessment and Authorization control family includes controls that supplement the execution of security assessments, authorizations, continuous monitoring, plan of actions and milestones, and system interconnections."
+ children = [
+ benchmark.nist_800_171_rev_2_3_12_4
+ ]
+
+ tags = local.nist_800_171_rev_2_common_tags
+}
+
+benchmark "nist_800_171_rev_2_3_12_4" {
+ title = "3.12.4 Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems"
+ description = "System security plans relate security requirements to a set of security controls. System security plans also describe, at a high level, how the security controls meet those security requirements, but do not provide detailed, technical descriptions of the design or implementation of the controls. System security plans contain sufficient information to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk if the plan is implemented as intended. Security plans need not be single documents; the plans can be a collection of various documents including documents that already exist. Effective security plans make extensive use of references to policies, procedures, and additional documents (e.g., design and implementation specifications) where more detailed information can be obtained. This reduces the documentation requirements associated with security programs and maintains security-related information in other established management/operational areas related to enterprise architecture, system development life cycle, systems engineering, and acquisition. 
Federal agencies may consider the submitted system security plans and plans of action as critical inputs to an overall risk management decision to process, store, or transmit CUI on a system hosted by a nonfederal organization and whether it is advisable to pursue an agreement or contract with the nonfederal organization."
+ children = [
+ control.cloudtrail_trail_integrated_with_logs,
+ control.cloudwatch_alarm_action_enabled,
+ control.ec2_instance_detailed_monitoring_enabled,
+ control.guardduty_enabled,
+ control.rds_db_instance_and_cluster_enhanced_monitoring_enabled,
+ control.securityhub_enabled
+ ]
+
+ tags = local.nist_800_171_rev_2_common_tags
+}
+
diff --git a/nist_800_171_rev_2/cm.sp b/nist_800_171_rev_2/cm.sp
new file mode 100644
index 00000000..a1e00661
--- /dev/null
+++ b/nist_800_171_rev_2/cm.sp
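Review bot: Every child of `nist_800_171_rev_2_3_12_4` is a monitoring control (CloudTrail-to-CloudWatch integration, alarm actions, detailed and enhanced monitoring, GuardDuty, Security Hub), while 3.12.4 is the system-security-plan documentation requirement, which no AWS configuration check can evidence. These controls match 800-171 Rev 2 requirement 3.12.3 (ongoing monitoring of security controls), which is absent from this family; I would add a `nist_800_171_rev_2_3_12_3` benchmark carrying these children, list it from the 3.12 parent, and drop 3.12.4 or leave it to the narrative docs. The file also ends with a stray blank `+` line after the last closing brace.

```hcl
benchmark "nist_800_171_rev_2_3_12_3" {
  title       = "3.12.3 Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls"
  description = "<PLACEHOLDER: discussion text for 3.12.3 from SP 800-171 Rev 2>"
  children = [
    control.cloudtrail_trail_integrated_with_logs,
    control.cloudwatch_alarm_action_enabled,
    control.ec2_instance_detailed_monitoring_enabled,
    control.guardduty_enabled,
    control.rds_db_instance_and_cluster_enhanced_monitoring_enabled,
    control.securityhub_enabled
  ]

  tags = local.nist_800_171_rev_2_common_tags
}
```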
@@ -0,0 +1,94 @@
+benchmark "nist_800_171_rev_2_3_4" {
+ title = "3.4 Configuration Management"
+ description = "CM controls are specific to an organization's configuration management policies. This includes a baseline configuration to operate as the basis for future builds or changes to information systems. Additionally, this includes information system component inventories and a security impact analysis control."
+ children = [
+ benchmark.nist_800_171_rev_2_3_4_1,
+ benchmark.nist_800_171_rev_2_3_4_2,
+ benchmark.nist_800_171_rev_2_3_4_6,
+ benchmark.nist_800_171_rev_2_3_4_7,
+ benchmark.nist_800_171_rev_2_3_4_9
+ ]
+
+ tags = local.nist_800_171_rev_2_common_tags
+}
+
+benchmark "nist_800_171_rev_2_3_4_1" {
+ title = "3.4.1 Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles"
+ description = "Baseline configurations are documented, formally reviewed, and agreed-upon specifications for systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, and changes to systems. Baseline configurations include information about system components (e.g., standard software packages installed on workstations, notebook computers, servers, network components, or mobile devices; current version numbers and update and patch information on operating systems and applications; and configuration settings and parameters), network topology, and the logical placement of those components within the system architecture. Baseline configurations of systems also reflect the current enterprise architecture. Maintaining effective baseline configurations requires creating new baselines as organizational systems change over time. 
Baseline configuration maintenance includes reviewing and updating the baseline configuration when changes are made based on security risks and deviations from the established baseline configuration Organizations can implement centralized system component inventories that include components from multiple organizational systems. In such situations, organizations ensure that the resulting inventories include system-specific information required for proper component accountability (e.g., system association, system owner). Information deemed necessary for effective accountability of system components includes hardware inventory specifications, software license information, software version numbers, component owners, and for networked components or devices, machine names and network addresses. Inventory specifications include manufacturer, device type, model, serial number, and physical location."
+ children = [
+ control.cloudtrail_security_trail_enabled,
+ control.ebs_volume_unused,
+ control.ec2_instance_ssm_managed,
+ control.ec2_stopped_instance_30_days,
+ control.elb_application_lb_deletion_protection_enabled,
+ control.ssm_managed_instance_compliance_association_compliant,
+ control.vpc_eip_associated,
+ control.vpc_security_group_associated_to_eni,
+ control.vpc_security_group_restricted_common_ports
+ ]
+
+ tags = local.nist_800_171_rev_2_common_tags
+}
+
+benchmark "nist_800_171_rev_2_3_4_2" {
+ title = "3.4.2 Establish and enforce security configuration settings for information technology products employed in organizational systems"
+ description = "Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture or functionality of the system. 
Information technology products for which security-related configuration settings can be defined include mainframe computers, servers, workstations, input and output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications. Security parameters are those parameters impacting the security state of systems including the parameters required to satisfy other security requirements. Security parameters include: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific configuration settings for systems. The established settings become part of the systems configuration baseline. Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms/products and instructions for configuring those system components to meet operational requirements. Common secure configurations can be developed by a variety of organizations including information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors."
+ children = [
+ control.ebs_volume_unused,
+ control.ec2_instance_ssm_managed,
+ control.ec2_stopped_instance_30_days,
+ control.ssm_managed_instance_compliance_association_compliant,
+ control.vpc_security_group_associated_to_eni
+ ]
+
+ tags = local.nist_800_171_rev_2_common_tags
+}
+
+benchmark "nist_800_171_rev_2_3_4_6" {
+ title = "3.4.6 Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities"
+ description = "Systems can provide a wide variety of functions and services. Some of the functions and services routinely provided by default, may not be necessary to support essential organizational missions, functions, or operations. It is sometimes convenient to provide multiple services from single system components. However, doing so increases risk over limiting the services provided by any one component. Where feasible, organizations limit component functionality to a single function per component. Organizations review functions and services provided by systems or components of systems, to determine which functions and services are candidates for elimination. Organizations disable unused or unnecessary physical and logical ports and protocols to prevent unauthorized connection of devices, transfer of information, and tunneling. Organizations can utilize network scanning tools, intrusion detection and prevention systems, and end-point protections such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, ports, protocols, and services."
+ children = [
+ control.dms_replication_instance_not_publicly_accessible,
+ control.ebs_snapshot_not_publicly_restorable,
+ control.ebs_volume_unused,
+ control.ec2_instance_ssm_managed,
+ control.iam_group_user_role_no_inline_policies,
+ control.iam_policy_no_star_star,
+ control.iam_root_user_no_access_keys,
+ control.iam_user_no_inline_attached_policies,
+ control.lambda_function_restrict_public_access,
+ control.rds_db_snapshot_prohibit_public_access,
+ control.redshift_cluster_prohibit_public_access,
+ control.s3_bucket_restrict_public_read_access,
+ control.s3_bucket_restrict_public_write_access,
+ control.s3_public_access_block_account,
+ control.ssm_managed_instance_compliance_association_compliant,
+ control.vpc_default_security_group_restricts_all_traffic
+ ]
+
+ tags = local.nist_800_171_rev_2_common_tags
+}
+
+benchmark "nist_800_171_rev_2_3_4_7" {
+ title = "3.4.7 Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services"
+ description = "Restricting the use of nonessential software (programs) includes restricting the roles allowed to approve program execution; prohibiting auto-execute; program blacklisting and whitelisting; or restricting the number of program instances executed at the same time. The organization makes a security-based determination which functions, ports, protocols, and/or services are restricted. Bluetooth, File Transfer Protocol (FTP), and peer-to-peer networking are examples of protocols organizations consider preventing the use of, restricting, or disabling."
+ children = [
+ control.vpc_default_security_group_restricts_all_traffic,
+ control.vpc_security_group_restrict_ingress_common_ports_all,
+ control.vpc_security_group_restrict_ingress_ssh_all,
+ control.vpc_security_group_restrict_ingress_tcp_udp_all
+ ]
+
+ tags = local.nist_800_171_rev_2_common_tags
+}
+
+benchmark "nist_800_171_rev_2_3_4_9" {
+ title = "3.4.9 Control and monitor user-installed software"
+ description = "Users can install software in organizational systems if provided the necessary privileges. To maintain control over the software installed, organizations identify permitted and prohibited actions regarding software installation through policies. Permitted software installations include updates and security patches to existing software and applications from organization-approved 'app stores.' Prohibited software installations may include software with unknown or suspect pedigrees or software that organizations consider potentially malicious. The policies organizations select governing user-installed software may be organization-developed or provided by some external entity. Policy enforcement methods include procedural methods, automated methods, or both."
+ children = [
+ control.ec2_instance_ssm_managed,
+ control.ssm_managed_instance_compliance_association_compliant
+ ]
+
+ tags = local.nist_800_171_rev_2_common_tags
+}
diff --git a/nist_800_171_rev_2/docs/nist_800_171_rev_2_overview.md b/nist_800_171_rev_2/docs/nist_800_171_rev_2_overview.md
new file mode 100644
index 00000000..e31d47b1
--- /dev/null
+++ b/nist_800_171_rev_2/docs/nist_800_171_rev_2_overview.md
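Review bot: The 3.4.1 description is missing a sentence boundary — `...deviations from the established baseline configuration Organizations can implement...` should read `...deviations from the established baseline configuration. Organizations can implement...` — which matters because this string is rendered verbatim in the benchmark output. Separately, two children of 3.4.1 do not speak to baseline configurations or component inventories: `control.elb_application_lb_deletion_protection_enabled` is a resilience setting, and `control.vpc_security_group_restricted_common_ports` is a network-exposure check whose intent is already covered under 3.4.7 by the `vpc_security_group_restrict_ingress_*` controls. I would move the latter to 3.4.7 (or drop it as a duplicate) and reconsider the former so that 3.4.1's evidence stays about inventory and drift (`ec2_instance_ssm_managed`, `ssm_managed_instance_compliance_association_compliant`, unused/unassociated-resource checks).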
@@ -0,0 +1,5 @@
+To obtain the latest version of the official guide, please visit https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final.
+
+## Overview
+
+NIST SP 800-171 focuses on protecting the confidentiality of Controlled Unclassified Information (CUI) in nonfederal systems and organizations, and recommends specific security requirements to achieve that objective. NIST 800-171 is a publication that outlines the required security standards and practices for non-federal organizations that handle CUI on their networks.
diff --git a/nist_800_171_rev_2/ia.sp b/nist_800_171_rev_2/ia.sp
new file mode 100644
index 00000000..b019b0dd
--- /dev/null
+++ b/nist_800_171_rev_2/ia.sp
@@ -0,0 +1,110 @@
+benchmark "nist_800_171_rev_2_3_5" {
+ title = "3.5 Identification and Authentication"
+ description = "IA controls are specific to the identification and authentication policies in an organization. This includes the identification and authentication of organizational and non-organizational users and how the management of those systems."
+ children = [
+ benchmark.nist_800_171_rev_2_3_5_2,
+ benchmark.nist_800_171_rev_2_3_5_3,
+ benchmark.nist_800_171_rev_2_3_5_5,
+ benchmark.nist_800_171_rev_2_3_5_6,
+ benchmark.nist_800_171_rev_2_3_5_7,
+ benchmark.nist_800_171_rev_2_3_5_8,
+ benchmark.nist_800_171_rev_2_3_5_10
+ ]
+
+ tags = local.nist_800_171_rev_2_common_tags
+}
+
+benchmark "nist_800_171_rev_2_3_5_2" {
+ title = "3.5.2 Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems"
+ description = "Individual authenticators include the following: passwords, key cards, cryptographic devices, and one-time password devices. Initial authenticator content is the actual content of the authenticator, for example, the initial password. In contrast, the requirements about authenticator content include the minimum password length. Developers ship system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. Systems support authenticator management by organization-defined settings and restrictions for various authenticator characteristics including minimum password length, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. 
Device authenticators include certificates and passwords."
+ children = [
+ control.iam_root_user_mfa_enabled,
+ control.iam_user_console_access_mfa_enabled,
+ control.iam_user_mfa_enabled
+ ]
+
+ tags = local.nist_800_171_rev_2_common_tags
+}
+
+benchmark "nist_800_171_rev_2_3_5_3" {
+ title = "3.5.3 Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts"
+ description = "Multifactor authentication requires the use of two or more different factors to authenticate. The factors are defined as something you know (e.g., password, personal identification number [PIN]); something you have (e.g., cryptographic identification device, token); or something you are (e.g., biometric). Multifactor authentication solutions that feature physical authenticators include hardware authenticators providing time-based or challenge-response authenticators and smart cards. In addition to authenticating users at the system level (i.e., at logon), organizations may also employ authentication mechanisms at the application level, when necessary, to provide increased information security. Access to organizational systems is defined as local access or network access. Local access is any access to organizational systems by users (or processes acting on behalf of users) where such access is obtained by direct connections without the use of networks. Network access is access to systems by users (or processes acting on behalf of users) where such access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks. The use of encrypted virtual private networks for connections between organization-controlled and non-organization controlled endpoints may be treated as internal networks with regard to protecting the confidentiality of information."
+ children = [
+ control.iam_root_user_hardware_mfa_enabled,
+ control.iam_root_user_mfa_enabled,
+ control.iam_user_console_access_mfa_enabled,
+ control.iam_user_mfa_enabled
+ ]
+
+ tags = local.nist_800_171_rev_2_common_tags
+}
+
+benchmark "nist_800_171_rev_2_3_5_5" {
+ title = "3.5.5 Prevent reuse of identifiers for a defined period"
+ description = "Identifiers are provided for users, processes acting on behalf of users, or devices (3.5.1). Preventing reuse of identifiers implies preventing the assignment of previously used individual, group, role, or device identifiers to different individuals, groups, roles, or devices."
+ children = [
+ control.iam_account_password_policy_reuse_24,
+ control.iam_password_policy_expire_90
+ ]
+
+ tags = local.nist_800_171_rev_2_common_tags
+}
+
+benchmark "nist_800_171_rev_2_3_5_6" {
+ title = "3.5.6 Disable identifiers after a defined period of inactivity"
+ description = "Inactive identifiers pose a risk to organizational information because attackers may exploit an inactive identifier to gain undetected access to organizational devices. The owners of the inactive accounts may not notice if unauthorized access to the account has been obtained."
+ children = [
+ control.iam_account_password_policy_reuse_24,
+ control.iam_password_policy_expire_90,
+ control.iam_user_unused_credentials_90
+ ]
+
+ tags = local.nist_800_171_rev_2_common_tags
+}
+
+benchmark "nist_800_171_rev_2_3_5_7" {
+ title = "3.5.7 Enforce a minimum password complexity and change of characters when new passwords are created"
+ description = "This requirement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are used as part of multifactor authenticators. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. 
To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords."
+ children = [
+ control.iam_account_password_policy_min_length_14,
+ control.iam_account_password_policy_one_lowercase_letter,
+ control.iam_account_password_policy_one_number,
+ control.iam_account_password_policy_one_symbol,
+ control.iam_account_password_policy_one_uppercase_letter,
+ control.iam_account_password_policy_reuse_24,
+ control.iam_password_policy_expire_90,
+ control.iam_user_unused_credentials_90
+ ]
+
+ tags = local.nist_800_171_rev_2_common_tags
+}
+
+benchmark "nist_800_171_rev_2_3_5_8" {
+ title = "3.5.8 Prohibit password reuse for a specified number of generations"
+ description = "Password lifetime restrictions do not apply to temporary passwords."
+ children = [
+ control.iam_account_password_policy_reuse_24,
+ control.iam_password_policy_expire_90,
+ control.iam_user_unused_credentials_90
+ ]
+
+ tags = local.nist_800_171_rev_2_common_tags
+}
+
+benchmark "nist_800_171_rev_2_3_5_10" {
+ title = "3.5.10 Store and transmit only cryptographically-protected passwords"
+ description = "Cryptographically-protected passwords use salted one-way cryptographic hashes of passwords."
+ children = [
+ control.apigateway_rest_api_stage_use_ssl_certificate,
+ control.ebs_attached_volume_encryption_enabled,
+ control.elb_application_lb_redirect_http_request_to_https,
+ control.elb_application_network_lb_use_ssl_certificate,
+ control.elb_classic_lb_use_tls_https_listeners,
+ control.es_domain_node_to_node_encryption_enabled,
+ control.redshift_cluster_encryption_in_transit_enabled,
+ control.s3_bucket_default_encryption_enabled_kms,
+ control.s3_bucket_enforces_ssl
+ ]
+
+ tags = local.nist_800_171_rev_2_common_tags
+}
diff --git a/nist_800_171_rev_2/ir.sp b/nist_800_171_rev_2/ir.sp
new file mode 100644
index 00000000..908fc77f
--- /dev/null
+++ b/nist_800_171_rev_2/ir.sp
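Review bot: 3.5.5 (prevent reuse of identifiers) and 3.5.6 (disable identifiers after inactivity) concern identifiers — user names, role and device IDs — not authenticators, yet 3.5.5 is backed solely by `control.iam_account_password_policy_reuse_24` and `control.iam_password_policy_expire_90`, which govern password reuse and rotation and already appear under 3.5.7 and 3.5.8. Mapping them here produces evidence that passes or fails on password policy while saying nothing about identifier reassignment; I am not aware of an AWS configuration check in this mod that can evidence 3.5.5, so it may be better to omit the benchmark than to map unrelated controls. For 3.5.6, `control.iam_user_unused_credentials_90` is the one child that matches the requirement; the two password-policy controls should be dropped from it. Also, the family description ends `...and how the management of those systems.`, which is ungrammatical — `...and the management of those systems.` reads cleanly.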
@@ -0,0 +1,55 @@
+benchmark "nist_800_171_rev_2_3_6" {
+ title = "3.6 Incident Response"
+ description = "IR controls are specific to an organization's incident response policies and procedures. This includes incident response training, testing, monitoring, reporting, and response plan."
+ children = [
+ benchmark.nist_800_171_rev_2_3_6_1,
+ benchmark.nist_800_171_rev_2_3_6_2
+ ]
+
+ tags = local.nist_800_171_rev_2_common_tags
+
+}
+
+benchmark "nist_800_171_rev_2_3_6_1" {
+ title = "3.6.1 Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities"
+ description = "Organizations recognize that incident handling capability is dependent on the capabilities of organizational systems and the mission/business processes being supported by those systems. Organizations consider incident handling as part of the definition, design, and development of mission/business processes and systems. Incident-related information can be obtained from a variety of sources including audit monitoring, network monitoring, physical access monitoring, user and administrator reports, and reported supply chain events. Effective incident handling capability includes coordination among many organizational entities including mission/business owners, system owners, authorizing officials, human resources offices, physical and personnel security offices, legal departments, operations personnel, procurement offices, and the risk executive. As part of user response activities, incident response training is provided by organizations and is linked directly to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. 
For example, regular users may only need to know who to call or how to recognize an incident on the system; system administrators may require additional training on how to handle or remediate incidents; and incident responders may receive more specific training on forensics, reporting, system recovery, and restoration. Incident response training includes user training in the identification/reporting of suspicious activities from external and internal sources. User response activities also includes incident response assistance which may consist of help desk support, assistance groups, and access to forensics services or consumer redress services, when required."
+ children = [
+ control.apigateway_stage_logging_enabled,
+ control.cloudtrail_security_trail_enabled,
+ control.cloudtrail_trail_integrated_with_logs,
+ control.cloudwatch_alarm_action_enabled,
+ control.cloudwatch_log_group_retention_period_365,
+ control.guardduty_enabled,
+ control.guardduty_finding_archived,
+ control.lambda_function_dead_letter_queue_configured,
+ control.rds_db_instance_logging_enabled,
+ control.s3_bucket_logging_enabled,
+ control.securityhub_enabled,
+ control.vpc_flow_logs_enabled,
+ control.wafv2_web_acl_logging_enabled
+ ]
+
+ tags = local.nist_800_171_rev_2_common_tags
+}
+
+benchmark "nist_800_171_rev_2_3_6_2" {
+ title = "3.6.2 Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization"
+ description = "Tracking and documenting system security incidents includes maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics, evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources including incident reports, incident response teams, audit monitoring, network monitoring, physical access monitoring, and user/administrator reports. 
Reporting incidents addresses specific incident reporting requirements within an organization and the formal incident reporting requirements for the organization. Suspected security incidents may also be reported and include the receipt of suspicious email communications that can potentially contain malicious code. The types of security incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable laws, Executive Orders, directives, regulations, and policies."
+ children = [
+ control.apigateway_stage_logging_enabled,
+ control.cloudtrail_security_trail_enabled,
+ control.cloudtrail_trail_integrated_with_logs,
+ control.cloudwatch_alarm_action_enabled,
+ control.cloudwatch_log_group_retention_period_365,
+ control.guardduty_enabled,
+ control.guardduty_finding_archived,
+ control.lambda_function_dead_letter_queue_configured,
+ control.rds_db_instance_logging_enabled,
+ control.s3_bucket_logging_enabled,
+ control.securityhub_enabled,
+ control.vpc_flow_logs_enabled,
+ control.wafv2_web_acl_logging_enabled
+ ]
+
+ tags = local.nist_800_171_rev_2_common_tags
+}
diff --git a/nist_800_171_rev_2/nist_800_171_rev_2.sp b/nist_800_171_rev_2/nist_800_171_rev_2.sp
new file mode 100644
index 00000000..4eb93d3d
--- /dev/null
+++ b/nist_800_171_rev_2/nist_800_171_rev_2.sp
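Review bot: Benchmarks `nist_800_171_rev_2_3_6_1` and `nist_800_171_rev_2_3_6_2` carry byte-identical child lists, so the "track, document, and report" requirement is scored by exactly the same thirteen checks as the incident-handling capability and a reader cannot tell what evidence distinguishes them. If that is deliberate, a comment above the second list such as `# Same evidence set as 3.6.1: log sources, alarms and finding aggregators are the tracking/reporting substrate` would say so; otherwise 3.6.2 should be narrowed to the alerting and aggregation checks (cloudwatch_alarm_action_enabled, guardduty_enabled, securityhub_enabled) and drop the raw log-enablement ones. `control.lambda_function_dead_letter_queue_configured` is a reliability setting rather than incident evidence and appears in both lists; it looks carried over from another pack and deserves either a justifying comment or removal. Minor style point: the parent `nist_800_171_rev_2_3_6` block has a stray blank line between `tags = ...` and the closing `}`, unlike every sibling benchmark in this commit.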
@@ -0,0 +1,26 @@
+locals {
+ nist_800_171_rev_2_common_tags = merge(local.aws_compliance_common_tags, {
+ nist_800_171_rev_2 = "true"
+ type = "Benchmark"
+ })
+}
+
+benchmark "nist_800_171_rev_2" {
+ title = "NIST 800-171 Revision 2"
+ description = "NIST SP 800-171 focuses on protecting the confidentiality of Controlled Unclassified Information (CUI) in nonfederal systems and organizations, and recommends specific security requirements to achieve that objective. NIST 800-171 is a publication that outlines the required security standards and practices for non-federal organizations that handle CUI on their networks."
+ documentation = file("./nist_800_171_rev_2/docs/nist_800_171_rev_2_overview.md")
+
+ children = [
+ benchmark.nist_800_171_rev_2_3_1,
+ benchmark.nist_800_171_rev_2_3_3,
+ benchmark.nist_800_171_rev_2_3_4,
+ benchmark.nist_800_171_rev_2_3_5,
+ benchmark.nist_800_171_rev_2_3_6,
+ benchmark.nist_800_171_rev_2_3_11,
+ benchmark.nist_800_171_rev_2_3_12,
+ benchmark.nist_800_171_rev_2_3_13,
+ benchmark.nist_800_171_rev_2_3_14
+ ]
+
+ tags = local.nist_800_171_rev_2_common_tags
+}
diff --git a/nist_800_171_rev_2/ra.sp b/nist_800_171_rev_2/ra.sp
new file mode 100644
index 00000000..404061bc
--- /dev/null
+++ b/nist_800_171_rev_2/ra.sp
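Review bot: The top-level `children` list skips families 3.2, 3.7, 3.8, 3.9 and 3.10 without saying why; since those are awareness, maintenance, media, personnel and physical requirements with no AWS-checkable control, the omission is presumably intentional, but a comment in the list such as `# 3.2, 3.7-3.10 (awareness, maintenance, media, personnel, physical) have no automatable AWS checks and are intentionally omitted` would stop the next maintainer from reading it as an oversight and would warn users that a green run here is not full 800-171 coverage. The `documentation = file("./nist_800_171_rev_2/docs/nist_800_171_rev_2_overview.md")` line requires that file to exist at load time; it is not visible in this part of the diff, so confirm it is added in the same commit, otherwise the mod would presumably fail to parse. The two sentences of `description` restate each other; the second one ("NIST 800-171 is a publication that outlines ...") can be dropped.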
@@ -0,0 +1,34 @@
+benchmark "nist_800_171_rev_2_3_11" {
+ title = "3.11 Risk Assessment"
+ description = "The RA control family relates to an organization's risk assessment policies and vulnerability scanning capabilities. Using an integrated risk management solution like CyberStrong can help streamline and automate your NIST 800 53 compliance efforts."
+ children = [
+ benchmark.nist_800_171_rev_2_3_11_2,
+ benchmark.nist_800_171_rev_2_3_11_3
+ ]
+
+ tags = local.nist_800_171_rev_2_common_tags
+}
+
+benchmark "nist_800_171_rev_2_3_11_2" {
+ title = "3.11.2 Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified"
+ description = "Organizations determine the required vulnerability scanning for all system components, ensuring that potential sources of vulnerabilities such as networked printers, scanners, and copiers are not overlooked. The vulnerabilities to be scanned are readily updated as new vulnerabilities are discovered, announced, and scanning methods developed. This process ensures that potential vulnerabilities in the system are identified and addressed as quickly as possible. Vulnerability analyses for custom software applications may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can employ these analysis approaches in source code reviews and in a variety of tools (e.g., static analysis tools, web-based application scanners, binary analyzers) and in source code reviews. Vulnerability scanning includes: scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for improperly configured or incorrectly operating information flow control mechanisms. 
To facilitate interoperability, organizations consider using products that are Security Content Automated Protocol (SCAP)-validated, scanning tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention, and that employ the Open Vulnerability Assessment Language (OVAL) to determine the presence of system vulnerabilities. Sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). Security assessments, such as red team exercises, provide additional sources of potential vulnerabilities for which to scan. Organizations also consider using scanning tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS). In certain situations, the nature of the vulnerability scanning may be more intrusive or the system component that is the subject of the scanning may contain highly sensitive information. Privileged access authorization to selected system components facilitates thorough vulnerability scanning and protects the sensitive nature of such scanning."
+ children = [
+ control.guardduty_enabled,
+ control.guardduty_finding_archived,
+ control.securityhub_enabled
+ ]
+
+ tags = local.nist_800_171_rev_2_common_tags
+}
+
+benchmark "nist_800_171_rev_2_3_11_3" {
+ title = "3.11.3 Remediate vulnerabilities in accordance with risk assessments"
+ description = "Vulnerabilities discovered, for example, via the scanning conducted in response to 3.11.2, are remediated with consideration of the related assessment of risk. The consideration of risk influences the prioritization of remediation efforts and the level of effort to be expended in the remediation for specific vulnerabilities."
+ children = [
+ control.guardduty_enabled,
+ control.guardduty_finding_archived,
+ control.securityhub_enabled
+ ]
+
+ tags = local.nist_800_171_rev_2_common_tags
+}
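Review bot: The `description` of `nist_800_171_rev_2_3_11` ends with a vendor pitch ("Using an integrated risk management solution like CyberStrong can help streamline and automate your NIST 800 53 compliance efforts.") that names a third-party product and refers to 800-53 rather than 800-171; it reads as pasted from a marketing page and should be cut to `description = "The RA control family relates to an organization's risk assessment policies and vulnerability scanning capabilities."`. Separately, none of the three children under 3.11.2 actually performs vulnerability scanning: GuardDuty is threat detection and Security Hub aggregates findings, so the mapping claims scanning coverage the checks do not provide; a comment such as `# Detection/aggregation only: no control here verifies that a vulnerability scanner (e.g. Inspector) is enabled` would keep the benchmark honest, or add such a control if the mod has one. `control.guardduty_finding_archived` is also a weak fit for 3.11.3, since archiving a finding does not show it was remediated.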
diff --git a/nist_800_171_rev_2/sc.sp b/nist_800_171_rev_2/sc.sp
new file mode 100644
index 00000000..9c5c7045
--- /dev/null
+++ b/nist_800_171_rev_2/sc.sp
@@ -0,0 +1,256 @@
+benchmark "nist_800_171_rev_2_3_13" {
+ title = "3.13 System and Communications Protection"
+ description = "The SC control family is responsible for systems and communications protection procedures. This includes boundary protection, protection of information at rest, collaborative computing devices, cryptographic protection, denial of service protection, and many others."
+ children = [
+ benchmark.nist_800_171_rev_2_3_13_1,
+ benchmark.nist_800_171_rev_2_3_13_2,
+ benchmark.nist_800_171_rev_2_3_13_3,
+ benchmark.nist_800_171_rev_2_3_13_4,
+ benchmark.nist_800_171_rev_2_3_13_5,
+ benchmark.nist_800_171_rev_2_3_13_6,
+ benchmark.nist_800_171_rev_2_3_13_8,
+ benchmark.nist_800_171_rev_2_3_13_11,
+ benchmark.nist_800_171_rev_2_3_13_15,
+ benchmark.nist_800_171_rev_2_3_13_16
+ ]
+
+ tags = local.nist_800_171_rev_2_common_tags
+}
+
+benchmark "nist_800_171_rev_2_3_13_1" {
+ title = "3.13.1 Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems"
+ description = "Communications can be monitored, controlled, and protected at boundary components and by restricting or prohibiting interfaces in organizational systems. Boundary components include gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a system security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Restricting or prohibiting interfaces in organizational systems includes restricting external web communications traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses. 
Organizations consider the shared nature of commercial telecommunications services in the implementation of security requirements associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions."
+ children = [
+ control.acm_certificate_expires_30_days,
+ control.apigateway_stage_logging_enabled,
+ control.cloudtrail_multi_region_trail_enabled,
+ control.cloudtrail_s3_data_events_enabled,
+ control.cloudtrail_trail_enabled,
+ control.cloudtrail_trail_validation_enabled,
+ control.ec2_instance_in_vpc,
+ control.elb_application_classic_lb_logging_enabled,
+ control.elb_application_lb_drop_http_headers,
+ control.elb_application_lb_redirect_http_request_to_https,
+ control.elb_application_lb_waf_enabled,
+ control.elb_classic_lb_use_ssl_certificate,
+ control.elb_classic_lb_use_tls_https_listeners,
+ control.es_domain_in_vpc,
+ control.guardduty_enabled,
+ control.lambda_function_in_vpc,
+ control.rds_db_instance_logging_enabled,
+ control.rds_db_instance_prohibit_public_access,
+ control.redshift_cluster_encryption_in_transit_enabled,
+ control.redshift_cluster_prohibit_public_access,
+ control.s3_bucket_enforces_ssl,
+ control.s3_bucket_logging_enabled,
+ control.securityhub_enabled,
+ control.vpc_flow_logs_enabled,
+ control.vpc_security_group_restrict_ingress_common_ports_all,
+ control.vpc_security_group_restrict_ingress_ssh_all,
+ control.vpc_security_group_restrict_ingress_tcp_udp_all,
+ control.wafv2_web_acl_logging_enabled
+ ]
+
+ tags = local.nist_800_171_rev_2_common_tags
+}
+
+benchmark "nist_800_171_rev_2_3_13_2" {
+ title = "3.13.2 Employ architectural designs, software development techniques, and systems engineering principles that 
promote effective information security within organizational systems"
+ description = "Organizations apply systems security engineering principles to new development systems or systems undergoing major upgrades. For legacy systems, organizations apply systems security engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware components within those systems. The application of systems security engineering concepts and principles helps to develop trustworthy, secure, and resilient systems and system components and reduce the susceptibility of organizations to disruptions, hazards, and threats. Examples of these concepts and principles include developing layered protections; establishing security policies, architecture, and controls as the foundation for design; incorporating security requirements into the system development life cycle; delineating physical and logical security boundaries; ensuring that developers are trained on how to build secure software; and performing threat modeling to identify use cases, threat agents, attack vectors and patterns, design patterns, and compensating controls needed to mitigate risk. Organizations that apply security engineering concepts and principles can facilitate the development of trustworthy, secure systems, system components, and system services; reduce risk to acceptable levels; and make informed risk-management decisions."
+ children = [
+ control.acm_certificate_expires_30_days,
+ control.autoscaling_group_with_lb_use_health_check,
+ control.backup_plan_min_retention_35_days,
+ control.backup_recovery_point_encryption_enabled,
+ control.backup_recovery_point_manual_deletion_disabled,
+ control.backup_recovery_point_min_retention_35_days,
+ control.cloudtrail_security_trail_enabled,
+ control.dms_replication_instance_not_publicly_accessible,
+ control.dynamodb_table_auto_scaling_enabled,
+ control.dynamodb_table_in_backup_plan,
+ control.dynamodb_table_point_in_time_recovery_enabled,
+ control.ebs_snapshot_not_publicly_restorable,
+ control.ebs_volume_in_backup_plan,
+ control.ebs_volume_protected_by_backup_plan,
+ control.ec2_instance_ebs_optimized,
+ control.ec2_instance_in_vpc,
+ control.ec2_instance_not_publicly_accessible,
+ control.ec2_instance_protected_by_backup_plan,
+ control.efs_file_system_protected_by_backup_plan,
+ control.elb_application_lb_deletion_protection_enabled,
+ control.elb_classic_lb_cross_zone_load_balancing_enabled,
+ control.emr_cluster_master_nodes_no_public_ip,
+ control.es_domain_in_vpc,
+ control.fsx_file_system_protected_by_backup_plan,
+ control.lambda_function_concurrent_execution_limit_configured,
+ control.lambda_function_in_vpc,
+ control.lambda_function_restrict_public_access,
+ control.rds_db_cluster_deletion_protection_enabled,
+ control.rds_db_instance_backup_enabled,
+ control.rds_db_instance_logging_enabled,
+ control.rds_db_instance_multiple_az_enabled,
+ control.rds_db_instance_prohibit_public_access,
+ control.rds_db_instance_protected_by_backup_plan,
+ control.redshift_cluster_prohibit_public_access,
+ control.s3_bucket_cross_region_replication_enabled,
+ control.s3_bucket_restrict_public_read_access,
+ control.s3_bucket_restrict_public_write_access,
+ control.s3_public_access_block_account,
+ control.sagemaker_notebook_instance_direct_internet_access_disabled,
+ control.vpc_default_security_group_restricts_all_traffic,
+ 
control.vpc_security_group_restrict_ingress_common_ports_all,
+ control.vpc_security_group_restrict_ingress_ssh_all
+ ]
+
+ tags = local.nist_800_171_rev_2_common_tags
+}
+
+benchmark "nist_800_171_rev_2_3_13_3" {
+ title = "3.13.3 Separate user functionality from system management functionality"
+ description = "System management functionality includes functions necessary to administer databases, network components, workstations, or servers, and typically requires privileged user access. The separation of user functionality from system management functionality is physical or logical. Organizations can implement separation of system management functionality from user functionality by using different computers, different central processing units, different instances of operating systems, or different network addresses; virtualization techniques; or combinations of these or other methods, as appropriate. This type of separation includes web administrative interfaces that use separate authentication methods for users of any other system resources. Separation of system and user functionality may include isolating administrative interfaces on different domains and with additional access controls."
+ children = [
+ control.iam_policy_no_star_star,
+ control.iam_user_in_group
+ ]
+
+ tags = local.nist_800_171_rev_2_common_tags
+}
+
+benchmark "nist_800_171_rev_2_3_13_4" {
+ title = "3.13.4 Prevent unauthorized and unintended information transfer via shared system resources"
+ description = "The control of information in shared system resources (e.g., registers, cache memory, main memory, hard disks) is also commonly referred to as object reuse and residual information protection. 
This requirement prevents information produced by the actions of prior users or roles (or the actions of processes acting on behalf of prior users or roles) from being available to any current users or roles (or current processes acting on behalf of current users or roles) that obtain access to shared system resources after those resources have been released back to the system. This requirement also applies to encrypted representations of information. This requirement does not address information remanence, which refers to residual representation of data that has been nominally deleted; covert channels (including storage or timing channels) where shared resources are manipulated to violate information flow restrictions; or components within systems for which there are only single users or roles."
+ children = [
+ control.ebs_volume_unused
+ ]
+
+ tags = local.nist_800_171_rev_2_common_tags
+}
+
+benchmark "nist_800_171_rev_2_3_13_5" {
+ title = "3.13.5 Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks"
+ description = "Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones (DMZs). DMZs are typically implemented with boundary control devices and techniques that include routers, gateways, firewalls, virtualization, or cloud-based technologies."
+ children = [
+ control.dms_replication_instance_not_publicly_accessible,
+ control.ebs_snapshot_not_publicly_restorable,
+ control.ec2_instance_in_vpc,
+ control.ec2_instance_not_publicly_accessible,
+ control.elb_application_lb_drop_http_headers,
+ control.elb_application_lb_redirect_http_request_to_https,
+ control.elb_application_lb_waf_enabled,
+ control.elb_classic_lb_use_ssl_certificate,
+ control.elb_classic_lb_use_tls_https_listeners,
+ control.emr_cluster_master_nodes_no_public_ip,
+ control.es_domain_in_vpc,
+ control.es_domain_node_to_node_encryption_enabled,
+ control.lambda_function_in_vpc,
+ control.lambda_function_restrict_public_access,
+ control.rds_db_instance_prohibit_public_access,
+ control.rds_db_snapshot_prohibit_public_access,
+ control.redshift_cluster_encryption_in_transit_enabled,
+ control.redshift_cluster_prohibit_public_access,
+ control.s3_bucket_enforces_ssl,
+ control.s3_bucket_restrict_public_read_access,
+ control.s3_bucket_restrict_public_write_access,
+ control.s3_public_access_block_account,
+ control.sagemaker_notebook_instance_direct_internet_access_disabled,
+ control.vpc_default_security_group_restricts_all_traffic,
+ control.vpc_igw_attached_to_authorized_vpc,
+ control.vpc_security_group_restrict_ingress_common_ports_all,
+ control.vpc_security_group_restrict_ingress_ssh_all,
+ control.vpc_security_group_restrict_ingress_tcp_udp_all,
+ control.wafv2_web_acl_logging_enabled
+ ]
+
+ tags = local.nist_800_171_rev_2_common_tags
+}
+
+benchmark "nist_800_171_rev_2_3_13_6" {
+ title = "3.13.6 Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception)"
+ description = "This requirement applies to inbound and outbound network communications traffic at the system boundary and at identified points within the system. 
A deny-all, permit-by-exception network communications traffic policy ensures that only those connections which are essential and approved are allowed."
+ children = [
+ control.vpc_security_group_restrict_ingress_common_ports_all,
+ control.vpc_security_group_restrict_ingress_ssh_all,
+ control.vpc_security_group_restrict_ingress_tcp_udp_all
+ ]
+
+ tags = local.nist_800_171_rev_2_common_tags
+}
+
+benchmark "nist_800_171_rev_2_3_13_8" {
+ title = "3.13.8 Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards"
+ description = "This requirement applies to internal and external networks and any system components that can transmit information including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, and facsimile machines. Communication paths outside the physical protection of controlled boundaries are susceptible to both interception and modification. Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services (i.e., services which can be highly specialized to individual customer needs), may find it difficult to obtain the necessary assurances regarding the implementation of the controls for transmission confidentiality. In such situations, organizations determine what types of confidentiality services are available in commercial telecommunication service packages. If it is infeasible or impractical to obtain the necessary safeguards and assurances of the effectiveness of the safeguards through appropriate contracting vehicles, organizations implement compensating safeguards or explicitly accept the additional risk. 
An example of an alternative physical safeguard is a protected distribution system (PDS) where the distribution medium is protected against electronic or physical intercept, thereby ensuring the confidentiality of the information being transmitted."
+ children = [
+ control.acm_certificate_expires_30_days,
+ control.elb_application_lb_drop_http_headers,
+ control.elb_application_lb_redirect_http_request_to_https,
+ control.elb_classic_lb_use_ssl_certificate,
+ control.elb_classic_lb_use_tls_https_listeners,
+ control.es_domain_node_to_node_encryption_enabled,
+ control.redshift_cluster_encryption_in_transit_enabled,
+ control.s3_bucket_enforces_ssl
+ ]
+
+ tags = local.nist_800_171_rev_2_common_tags
+}
+
+benchmark "nist_800_171_rev_2_3_13_11" {
+ title = "3.13.11 Employ FIPS-validated cryptography when used to protect the confidentiality of CUI"
+ description = "Cryptography can be employed to support many security solutions including the protection of controlled unclassified information, the provision of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances for such information but lack the necessary formal access approvals. Cryptography can also be used to support random number generation and hash generation. Cryptographic standards include FIPSvalidated cryptography and/or NSA-approved cryptography."
+ children = [
+ control.acm_certificate_expires_30_days,
+ control.apigateway_stage_cache_encryption_at_rest_enabled,
+ control.cloudtrail_trail_logs_encrypted_with_kms_cmk,
+ control.dynamodb_table_encryption_enabled,
+ control.ebs_volume_encryption_at_rest_enabled,
+ control.efs_file_system_encrypt_data_at_rest,
+ control.elb_application_lb_drop_http_headers,
+ control.es_domain_encryption_at_rest_enabled,
+ control.log_group_encryption_at_rest_enabled,
+ control.rds_db_snapshot_encrypted_at_rest,
+ control.redshift_cluster_encryption_in_transit_enabled,
+ control.s3_bucket_default_encryption_enabled,
+ control.s3_bucket_enforces_ssl,
+ control.sagemaker_endpoint_configuration_encryption_at_rest_enabled,
+ control.sagemaker_notebook_instance_encryption_at_rest_enabled,
+ control.sns_topic_encrypted_at_rest
+ ]
+
+ tags = local.nist_800_171_rev_2_common_tags
+}
+
+benchmark "nist_800_171_rev_2_3_13_15" {
+ title = "3.13.15 Protect the authenticity of communications sessions"
+ description = "Authenticity protection includes protecting against man-in-the-middle attacks, session hijacking, and the insertion of false information into communications sessions. This requirement addresses communications protection at the session versus packet level (e.g., sessions in service-oriented architectures providing web-based services) and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted."
+ children = [
+ control.elb_application_lb_drop_http_headers,
+ control.elb_application_lb_redirect_http_request_to_https,
+ control.elb_classic_lb_use_ssl_certificate,
+ control.elb_classic_lb_use_tls_https_listeners
+ ]
+
+ tags = local.nist_800_171_rev_2_common_tags
+}
+
+benchmark "nist_800_171_rev_2_3_13_16" {
+ title = "3.13.16 Protect the confidentiality of CUI at rest"
+ description = "Information at rest refers to the state of information when it is not in process or in transit and is located on storage devices as specific components of systems. The focus of protection at rest is not on the type of storage device or the frequency of access but rather the state of the information. Organizations can use different mechanisms to achieve confidentiality protections, including the use of cryptographic mechanisms and file share scanning. Organizations may also use other controls including secure off-line storage in lieu of online storage when adequate protection of information at rest cannot otherwise be achieved or continuous monitoring to identify malicious code at rest."
+ children = [
+ control.apigateway_stage_cache_encryption_at_rest_enabled,
+ control.cloudtrail_trail_logs_encrypted_with_kms_cmk,
+ control.dynamodb_table_encrypted_with_kms_cmk,
+ control.dynamodb_table_encryption_enabled,
+ control.ebs_volume_encryption_at_rest_enabled,
+ control.efs_file_system_encrypt_data_at_rest,
+ control.es_domain_encryption_at_rest_enabled,
+ control.log_group_encryption_at_rest_enabled,
+ control.rds_db_snapshot_encrypted_at_rest,
+ control.redshift_cluster_encryption_in_transit_enabled,
+ control.s3_bucket_default_encryption_enabled,
+ control.s3_bucket_enforces_ssl,
+ control.sagemaker_endpoint_configuration_encryption_at_rest_enabled,
+ control.sagemaker_notebook_instance_encryption_at_rest_enabled,
+ control.sns_topic_encrypted_at_rest
+ ]
+
+ tags = local.nist_800_171_rev_2_common_tags
+}
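Review bot: `nist_800_171_rev_2_3_13_16` ("Protect the confidentiality of CUI at rest") includes `control.redshift_cluster_encryption_in_transit_enabled` and `control.s3_bucket_enforces_ssl`, both of which check transport encryption rather than storage; they already sit under 3.13.8 and should be removed from the at-rest list so that a cluster or bucket with TLS enforced but unencrypted storage is not counted toward this requirement. In the same vein, `control.elb_application_lb_drop_http_headers` under 3.13.11 (FIPS-validated cryptography) is a request-header sanitisation setting with no cryptographic content and looks misplaced there. `nist_800_171_rev_2_3_13_6` (deny all, permit by exception) lists only the three ingress-restriction checks; `control.vpc_default_security_group_restricts_all_traffic`, already used in 3.13.2 and 3.13.5, is the closest thing this pack has to a default-deny check and belongs here too, and a comment such as `# No control in this list evaluates egress rules; outbound default-deny is not verified` would make the remaining gap explicit. The mapping of `control.ebs_volume_unused` to 3.13.4 (residual information in shared resources) is hard to follow from the name alone and would benefit from a one-line comment giving the rationale.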
diff --git a/nist_800_171_rev_2/si.sp b/nist_800_171_rev_2/si.sp
new file mode 100644
index 00000000..7cd01cd0
--- /dev/null
+++ b/nist_800_171_rev_2/si.sp
@@ -0,0 +1,104 @@
+benchmark "nist_800_171_rev_2_3_14" {
+ title = "3.14 System and Information integrity"
+ description = "The SI control family correlates to controls that protect system and information integrity. These include flaw remediation, malicious code protection, information system monitoring, security alerts, software and firmware integrity, and spam protection."
+ children = [
+ benchmark.nist_800_171_rev_2_3_14_1,
+ benchmark.nist_800_171_rev_2_3_14_2,
+ benchmark.nist_800_171_rev_2_3_14_3,
+ benchmark.nist_800_171_rev_2_3_14_4,
+ benchmark.nist_800_171_rev_2_3_14_6,
+ benchmark.nist_800_171_rev_2_3_14_7
+ ]
+
+ tags = local.nist_800_171_rev_2_common_tags
+}
+
+benchmark "nist_800_171_rev_2_3_14_1" {
+ title = "3.14.1 Identify, report, and correct system flaws in a timely manner"
+ description = "Organizations identify systems that are affected by announced software and firmware flaws including potential vulnerabilities resulting from those flaws and report this information to designated personnel with information security responsibilities. Security-relevant updates include patches, service packs, hot fixes, and anti-virus signatures. Organizations address flaws discovered during security assessments, continuous monitoring, incident response activities, and system error handling. Organizations can take advantage of available resources such as the Common Weakness Enumeration (CWE) database or Common Vulnerabilities and Exposures (CVE) database in remediating flaws discovered in organizational systems. Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of factors including the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). Some types of flaw remediation may require more testing than other types of remediation."
+ children = [
+ control.guardduty_enabled,
+ control.securityhub_enabled
+ ]
+
+ tags = local.nist_800_171_rev_2_common_tags
+}
+
+benchmark "nist_800_171_rev_2_3_14_2" {
+ title = "3.14.2 Provide protection from malicious code at designated locations within organizational systems"
+ description = "Designated locations include system entry and exit points which may include firewalls, remoteaccess servers, workstations, electronic mail servers, web servers, proxy servers, notebook computers, and mobile devices. Malicious code includes viruses, worms, Trojan horses, and spyware. Malicious code can be encoded in various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using techniques such as steganography. Malicious code can be inserted into systems in a variety of ways including web accesses, electronic mail, electronic mail attachments, and portable storage devices. Malicious code insertions occur through the exploitation of system vulnerabilities. Malicious code protection mechanisms include anti-virus signature definitions and reputationbased technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include logic bombs, back doors, and other types of cyber-attacks that could affect organizational missions/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended."
+ children = [
+ control.ec2_instance_ssm_managed,
+ control.guardduty_enabled,
+ control.securityhub_enabled,
+ control.ssm_managed_instance_compliance_association_compliant,
+ control.ssm_managed_instance_compliance_patch_compliant,
+ control.wafv2_web_acl_logging_enabled
+ ]
+
+ tags = local.nist_800_171_rev_2_common_tags
+}
+
+benchmark "nist_800_171_rev_2_3_14_3" {
+ title = "3.14.3 Monitor system security alerts and advisories and take action in response"
+ description = "There are many publicly available sources of system security alerts and advisories. For example, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) generates security alerts and advisories to maintain situational awareness across the federal government and in nonfederal organizations. Software vendors, subscription services, and industry information sharing and analysis centers (ISACs) may also provide security alerts and advisories. Examples of response actions include notifying relevant external organizations, for example, external mission/business partners, supply chain partners, external service providers, and peer or supporting organizations."
+ children = [
+ control.guardduty_enabled,
+ control.securityhub_enabled,
+ control.ssm_managed_instance_compliance_patch_compliant
+ ]
+
+ tags = local.nist_800_171_rev_2_common_tags
+}
+
+benchmark "nist_800_171_rev_2_3_14_4" {
+ title = "3.14.4 Update malicious code protection mechanisms when new releases are available"
+ description = "Malicious code protection mechanisms include anti-virus signature definitions and reputationbased technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. 
This could include logic bombs, back doors, and other types of cyber-attacks that could affect organizational missions/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended."
+ children = [
+ control.guardduty_enabled
+ ]
+
+ tags = local.nist_800_171_rev_2_common_tags
+}
+
+benchmark "nist_800_171_rev_2_3_14_6" {
+ title = "3.14.6 Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks"
+ description = "System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at the system boundary (i.e., part of perimeter defense and boundary protection). Internal monitoring includes the observation of events occurring within the system. Organizations can monitor systems, for example, by observing audit record activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives may guide determination of the events. System monitoring capability is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Strategic locations for monitoring devices include selected perimeter locations and near server farms supporting critical applications, with such devices being employed at managed system interfaces. 
The granularity of monitoring information collected is based on organizational monitoring objectives and the capability of systems to support such objectives. System monitoring is an integral part of continuous monitoring and incident response programs. Output from system monitoring serves as input to continuous monitoring and incident response programs. A network connection is any connection with a device that communicates through a network (e.g., local area network, Internet). A remote connection is any connection with a device communicating through an external network (e.g., the Internet). Local, network, and remote connections can be either wired or wireless. Unusual or unauthorized activities or conditions related to inbound/outbound communications traffic include internal traffic that indicates the presence of malicious code in systems or propagating among system components, the unauthorized exporting of information, or signaling to external systems. Evidence of malicious code is used to identify potentially compromised systems or system components. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other requirements."
+ children = [
+ control.apigateway_stage_logging_enabled,
+ control.cloudtrail_multi_region_trail_enabled,
+ control.cloudtrail_s3_data_events_enabled,
+ control.cloudtrail_trail_enabled,
+ control.elb_application_classic_lb_logging_enabled,
+ control.guardduty_enabled,
+ control.rds_db_instance_logging_enabled,
+ control.s3_bucket_logging_enabled,
+ control.securityhub_enabled,
+ control.vpc_flow_logs_enabled,
+ control.wafv2_web_acl_logging_enabled
+ ]
+
+ tags = local.nist_800_171_rev_2_common_tags
+}
+
+benchmark "nist_800_171_rev_2_3_14_7" {
+ title = "3.14.7 Identify unauthorized use of organizational systems"
+ description = "System monitoring includes external and internal monitoring. System monitoring can detect unauthorized use of organizational systems. 
System monitoring is an integral part of continuous monitoring and incident response programs. Monitoring is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Output from system monitoring serves as input to continuous monitoring and incident response programs. Unusual/unauthorized activities or conditions related to inbound and outbound communications traffic include internal traffic that indicates the presence of malicious code in systems or propagating among system components, the unauthorized exporting of information, or signaling to external systems. Evidence of malicious code is used to identify potentially compromised systems or system components. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other requirements."
+ children = [
+ control.apigateway_stage_logging_enabled,
+ control.cloudtrail_multi_region_trail_enabled,
+ control.cloudtrail_s3_data_events_enabled,
+ control.cloudtrail_trail_enabled,
+ control.elb_application_classic_lb_logging_enabled,
+ control.guardduty_enabled,
+ control.rds_db_instance_logging_enabled,
+ control.s3_bucket_logging_enabled,
+ control.securityhub_enabled,
+ control.vpc_flow_logs_enabled,
+ control.wafv2_web_acl_logging_enabled
+ ]
+
+ tags = local.nist_800_171_rev_2_common_tags
+}
+
+
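Review bot: The 3.14.1 benchmark (flaw remediation) maps only `control.guardduty_enabled` and `control.securityhub_enabled`, while `control.ssm_managed_instance_compliance_patch_compliant` — the one control in this file that evidences patches actually being applied — is listed under 3.14.2 and 3.14.3 but not here, even though the 3.14.1 description itself says "Security-relevant updates include patches, service packs, hot fixes"; adding `control.ssm_managed_instance_compliance_patch_compliant,` to the 3.14.1 children list would close that gap. The 3.14.6 and 3.14.7 children lists are byte-identical, which is defensible given the overlapping requirements but deserves a one-line comment such as `# 3.14.7 intentionally mirrors 3.14.6; keep the two lists in sync` so a later edit to one is consciously mirrored in the other. Two description strings lost hyphens when pasted from the source document: `remoteaccess` in 3.14.2 and `reputationbased` in 3.14.2 and 3.14.4 should read `remote-access` and `reputation-based`, and the 3.14 title's "Information integrity" is inconsistent with the Title Case used by the other benchmark titles.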