
Add/Update AWS Audit Manager > GxP 21 CFR Part 11. Closes #598 #600

Merged
merged 19 commits into from
Apr 7, 2023

Conversation


@madhushreeray30 madhushreeray30 commented Apr 3, 2023

Checklist

  • Issue(s) linked
| Benchmark | Control(s) |
|---|---|
| gxp_21_cfr_part_11_11_10 (Controls for closed systems) | db_instance_backup_enabled, dynamodb_in_backup_plan, dynamodb_pitr_enabled, ebs_in_backup_plan, ebs_optimized_instance, efs_in_backup_plan, elasticache_redis_cluster_automatic_backup_check, rds_in_backup_plan, redshift_backup_enabled, s3_bucket_replication_enabled, s3_bucket_versioning_enabled |
| gxp_21_cfr_part_11_11_10_a | aurora_resources_protected_by_backup_plan, backup_plan_min_frequency_and_min_retention_check, backup_recovery_point_encrypted, backup_recovery_point_manual_deletion_disabled, backup_recovery_point_minimum_retention_check, cloudtrail_security_trail_enabled, dynamodb_resources_protected_by_backup_plan, ebs_resources_protected_by_backup_plan, ec2_resources_protected_by_backup_plan, ec2_volume_inuse_check, efs_resources_protected_by_backup_plan, elb_deletion_protection_enabled, fsx_resources_protected_by_backup_plan, rds_resources_protected_by_backup_plan |
| gxp_21_cfr_part_11_11_10_c | cloud_trail_enabled, cloud_trail_log_file_validation_enabled, db_instance_backup_enabled, dynamodb_in_backup_plan, dynamodb_pitr_enabled, ebs_in_backup_plan, ebs_optimized_instance, ecr_private_lifecycle_policy_configured, efs_in_backup_plan, elasticache_redis_cluster_automatic_backup_check, rds_in_backup_plan, redshift_backup_enabled, s3_bucket_replication_enabled, s3_lifecycle_policy_check, s3_version_lifecycle_policy_check |
| gxp_21_cfr_part_11_11_10_d | dynamodb_table_encrypted_kms, ec2_ebs_encryption_by_default, efs_encrypted_check, elasticsearch_encrypted_at_rest, elasticsearch_node_to_node_encryption_check, encrypted_volumes, iam_role_managed_policy_check, restricted_incoming_traffic, s3_account_level_public_access_blocks, s3_bucket_level_public_access_prohibited, s3_bucket_policy_grantee_check, ssm_document_not_public, subnet_auto_assign_public_ip_disabled, s3_account_level_public_access_blocks_periodic |
| gxp_21_cfr_part_11_11_10_e | db_instance_backup_enabled, dynamodb_in_backup_plan, dynamodb_pitr_enabled, ebs_in_backup_plan, ebs_optimized_instance, efs_in_backup_plan, elasticache_redis_cluster_automatic_backup_check, opensearch_audit_logging_enabled, opensearch_logs_to_cloudwatch, rds_in_backup_plan, redshift_audit_logging_enabled, redshift_backup_enabled, s3_bucket_replication_enabled, s3_bucket_versioning_enabled |
| gxp_21_cfr_part_11_11_10_g | efs_encrypted_check, restricted_incoming_traffic, s3_account_level_public_access_blocks, s3_account_level_public_access_blocks_periodic, s3_bucket_level_public_access_prohibited, s3_bucket_policy_grantee_check, ssm_document_not_public |
| gxp_21_cfr_part_11_11_10_k | autoscaling_launch_config_public_ip_disabled, restricted_incoming_traffic, s3_account_level_public_access_blocks, ssm_document_not_public |
| gxp_21_cfr_part_11_11_200_a | access_keys_rotated, iam_password_policy, iam_root_access_key_check, iam_user_mfa_enabled, mfa_enabled_for_iam_console_access, root_account_hardware_mfa_enabled, root_account_mfa_enabled |
| gxp_21_cfr_part_11_11_30 (Controls for open systems) | api_gw_ssl_enabled, elbv2_acm_certificate_required, backup_recovery_point_encrypted, cloudfront_no_deprecated_ssl_protocols, cloudfront_traffic_to_origin_encrypted, codebuild_project_artifact_encryption, codebuild_project_s3_logs_encrypted, efs_encrypted_check, kinesis_stream_encrypted, opensearch_encrypted_at_rest, opensearch_https_required, opensearch_node_to_node_encryption_check |

Removed Controls

| Benchmark | Control(s) |
|---|---|
| gxp_21_cfr_part_11_11_10_a | ebs_volume_unused |
| gxp_21_cfr_part_11_11_10_a | elb_application_lb_deletion_protection_enabled |
| gxp_21_cfr_part_11_11_10_c | redshift_cluster_kms_enabled |
| gxp_21_cfr_part_11_11_10_d | s3_public_access_block_account |
| gxp_21_cfr_part_11_11_10_d | s3_public_access_block_bucket |
| gxp_21_cfr_part_11_11_10_d | vpc_security_group_restrict_ingress_common_ports_all |
| gxp_21_cfr_part_11_11_10_d | vpc_subnet_auto_assign_public_ip_disabled |
| gxp_21_cfr_part_11_11_10_e | redshift_cluster_kms_enabled |
| gxp_21_cfr_part_11_11_10_g | efs_file_system_encrypt_data_at_rest |
| gxp_21_cfr_part_11_11_10_g | s3_public_access_block_account |
| gxp_21_cfr_part_11_11_10_g | s3_public_access_block_bucket |
| gxp_21_cfr_part_11_11_10_g | vpc_security_group_restrict_ingress_common_ports_all |
| gxp_21_cfr_part_11_11_10_k | vpc_security_group_restrict_ingress_common_ports_all |
| gxp_21_cfr_part_11_11_200 (Electronic signature components and controls) | iam_account_password_policy_strong |
| gxp_21_cfr_part_11_11_200 | iam_root_user_hardware_mfa_enabled |
| gxp_21_cfr_part_11_11_200 | iam_root_user_mfa_enabled |
| gxp_21_cfr_part_11_11_200 | iam_root_user_no_access_keys |
| gxp_21_cfr_part_11_11_200 | iam_user_access_key_age_90 |
| gxp_21_cfr_part_11_11_200 | iam_user_console_access_mfa_enabled |
| gxp_21_cfr_part_11_11_200 | iam_user_mfa_enabled |
| gxp_21_cfr_part_11_11_30 (Controls for open systems) | apigateway_rest_api_stage_use_ssl_certificate |
| gxp_21_cfr_part_11_11_30 | efs_file_system_encrypt_data_at_rest |
| gxp_21_cfr_part_11_11_30 | elb_application_network_lb_use_ssl_certificate |
| gxp_21_cfr_part_11_11_30 | rds_db_instance_encryption_at_rest_enabled |

@madhushreeray30 madhushreeray30 self-assigned this Apr 3, 2023
@madhushreeray30 madhushreeray30 linked an issue Apr 3, 2023 that may be closed by this pull request
@madhushreeray30 madhushreeray30 changed the title Add/Update AWS Audit Manager > GxP 21 CFR Part 11 Closes #598 Add/Update AWS Audit Manager > GxP 21 CFR Part 11 Closes #598 [WIP] Apr 3, 2023
@madhushreeray30 madhushreeray30 changed the title Add/Update AWS Audit Manager > GxP 21 CFR Part 11 Closes #598 [WIP] Add/Update AWS Audit Manager > GxP 21 CFR Part 11 Closes #598 Apr 4, 2023
@madhushreeray30 madhushreeray30 marked this pull request as ready for review April 4, 2023 11:55
@madhushreeray30 madhushreeray30 changed the title Add/Update AWS Audit Manager > GxP 21 CFR Part 11 Closes #598 Add/Update AWS Audit Manager > GxP 21 CFR Part 11. Closes #598 Apr 4, 2023
@cbruno10 cbruno10 left a comment

@madhushreeray30 I left some comments, can you please have a look? Thanks!

gxp_21_cfr_part_11/gxp_21_cfr_part_11.sp
@@ -1,8 +1,18 @@
benchmark "gxp_21_cfr_part_11_11_200" {
title = "11.200 Electronic signature components and controls"
description = "TO DO"
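Review bot: the description of benchmark gxp_21_cfr_part_11_11_200 is the placeholder "TO DO", which will be published verbatim wherever benchmark descriptions are rendered; either supply the 11.200 description text before merge or leave the attribute out until the text is available, rather than merging the placeholder.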
Contributor

What is this supposed to be?

Contributor Author

@cbruno10 as discussed with @khushboo9024 she will update this as it is not present in the Audit Manager console.

Contributor

Do we have any description we can use? Will the Hub page look blank/empty (assuming we don't have a separate doc for this one)?

@@ -1,14 +1,25 @@
benchmark "gxp_21_cfr_part_11_11_10" {
title = "11.10 Controls for closed systems"
description = "Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls shall include the following benchmarks."
title = "11.10"
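Review bot: the title of gxp_21_cfr_part_11_11_10 is reduced to "11.10", dropping the section name "Controls for closed systems" even though the description still describes closed systems; keep the full "11.10 Controls for closed systems" so the benchmark is named consistently with 11.200, whose title retains its section name.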
Contributor

@madhushreeray30 we are missing the Title

@misraved misraved left a comment

Please take a look at the review comments. Thanks!!

@@ -93,11 +93,24 @@ control "codebuild_project_environment_privileged_mode_disabled" {

control "codebuild_project_artifact_encryption_enabled" {
title = "CodeBuild project artifact encryption should be enabled"
description = "This control checks if an AWS CodeBuild project has encryption enabled for all of its artifacts. The rule is non compliant if 'encryptionDisabled' is set to 'true' for any primary or secondary (if present) artifact configurations."
description = "This control checks if an CodeBuild project has encryption enabled for all of its artifacts. The rule is non compliant if 'encryptionDisabled' is set to 'true' for any primary or secondary (if present) artifact configurations."
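Review bot: the reworded description now reads "an CodeBuild project"; dropping "AWS" from the original wording also requires the article to change, so it should read "a CodeBuild project".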
Contributor

Suggested change
description = "This control checks if an CodeBuild project has encryption enabled for all of its artifacts. The rule is non compliant if 'encryptionDisabled' is set to 'true' for any primary or secondary (if present) artifact configurations."
description = "This control checks if a CodeBuild project has encryption enabled for all of its artifacts. The rule is non compliant if 'encryptionDisabled' is set to 'true' for any primary or secondary (if present) artifact configurations."


control "opensearch_domain_node_to_node_encryption_enabled" {
title = "OpenSearch domains node-to-node encryption should be enabled"
description = "This control check if Amazon OpenSearch Service nodes are encrypted end to end. The rule is non compliant if the node-to-node encryption is not enabled on the domain."
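Review bot: "This control check if" should be "This control checks if"; in addition, the new descriptions in this file write "non compliant" in some places and "non-compliant" in others, so settle on one spelling and use it in every description touched by this change.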
Contributor

Suggested change
description = "This control check if Amazon OpenSearch Service nodes are encrypted end to end. The rule is non compliant if the node-to-node encryption is not enabled on the domain."
description = "This control checks if Amazon OpenSearch Service nodes are encrypted end to end. The rule is non-compliant if the node-to-node encryption is not enabled on the domain."

Comment on lines 315 to 317
pci_dss_v321 = "true"
gxp_21_cfr_part_11 = "true"
soc_2 = "true"
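Review bot: the tags on lines 315 to 317 are not in alphabetical order; placing gxp_21_cfr_part_11 between pci_dss_v321 and soc_2 breaks the sorted order, so reorder them as gxp_21_cfr_part_11, pci_dss_v321, soc_2.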
Contributor

Please sort the tags.

conformance_pack/s3.sp
else 'ok'
end as status,
case
when policy_std is null then title || ' policy not publicly accessable.'
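Review bot: "accessable" in the reason string should be "accessible"; the same misspelling appears in every branch of this case expression (the null-policy branch, the wildcard-principal branch and the else branch), so correct all three occurrences rather than only this line.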
Contributor

Suggested change
when policy_std is null then title || ' policy not publicly accessable.'
when policy_std is null then title || ' policy not publicly accessible.'

end as status,
case
when policy_std is null then title || ' policy not publicly accessable.'
when s ->> 'Effect' = 'Allow' and (s -> 'Principal' -> 'AWS' = '["*"]' or s ->> 'Principal' = '*') then title || ' policy publicly accessable.'
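Review bot: this branch evaluates one statement `s` at a time, marking it public when Effect is Allow and the principal is either `"AWS": ["*"]` or a bare `"*"`; because the case is computed per statement, confirm that the surrounding query aggregates the result per bucket, otherwise a bucket policy with several statements will yield one status row per statement rather than one row per bucket.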
Contributor

Suggested change
when s ->> 'Effect' = 'Allow' and (s -> 'Principal' -> 'AWS' = '["*"]' or s ->> 'Principal' = '*') then title || ' policy publicly accessable.'
when s ->> 'Effect' = 'Allow' and (s -> 'Principal' -> 'AWS' = '["*"]' or s ->> 'Principal' = '*') then title || ' policy publicly accessible.'

case
when policy_std is null then title || ' policy not publicly accessable.'
when s ->> 'Effect' = 'Allow' and (s -> 'Principal' -> 'AWS' = '["*"]' or s ->> 'Principal' = '*') then title || ' policy publicly accessable.'
else title || ' policy not publicly accessable.'
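Review bot: the null-policy branch and the else branch produce the identical reason text, so the report cannot distinguish a bucket with no policy attached from one whose policy was evaluated and found non-public; consider a distinct reason such as "no bucket policy attached" for the `policy_std is null` case.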
Contributor

Suggested change
else title || ' policy not publicly accessable.'
else title || ' policy not publicly accessible.'

@@ -299,6 +298,16 @@ control "vpc_network_acl_unused" {
})
}

control "vpc_security_group_allows_ingress_authorized_ports" {
title = "VPC Security groups should only allow unrestricted incoming traffic for authorized ports"
description = "This control checks whether the vpc security groups that are in use allow unrestricted incoming traffic. Optionally the rule checks whether the port numbers are listed in the authorizedTcpPorts parameter. The default values for authorizedTcpPorts are 80 and 443."
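Review bot: "vpc security groups" should be "VPC security groups"; the description also refers to an authorizedTcpPorts parameter with defaults of 80 and 443, so verify that the control's query actually exposes those ports as a parameter, or reword the description to state the fixed ports the query checks.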
Contributor

Suggested change
description = "This control checks whether the vpc security groups that are in use allow unrestricted incoming traffic. Optionally the rule checks whether the port numbers are listed in the authorizedTcpPorts parameter. The default values for authorizedTcpPorts are 80 and 443."
description = "This control checks whether the VPC security groups that are in use allow unrestricted incoming traffic. Optionally the rule checks whether the port numbers are listed in the authorizedTcpPorts parameter. The default values for authorizedTcpPorts are 80 and 443."

@misraved misraved merged commit 932b9e5 into release/v0.61 Apr 7, 2023
@misraved misraved deleted the gxp-21-cfr-part-11 branch April 7, 2023 11:01