AWS Compliance Mod for Steampipe

475+ checks covering industry defined security best practices across all AWS regions. Includes full support for multiple best practice benchmarks including PCI DSS, AWS Foundational Security, CISA Cyber Essentials, FedRAMP, FFIEC, GxP 21 CFR Part 11, GxP EU Annex 11, HIPAA Final Omnibus Security Rule 2013, HIPAA Security Rule 2003, NIST 800-53, NIST CSF, Reserve Bank of India, Audit Manager Control Tower and the latest (v1.5.0) CIS benchmarks.

Run checks in a dashboard:

Or in a terminal:

Includes support for:

• AWS CIS Controls v8 IG1 🚀 New!
• AWS CIS v1.2.0
• AWS CIS v1.3.0
• AWS CIS v1.4.0
• AWS CIS v1.5.0 🚀 New!
• AWS Foundational Security Best Practices
• Audit Manager Control Tower
• CISA Cyber Essentials
• FedRAMP Low Revision 4
• FedRAMP Moderate Revision 4
• Federal Financial Institutions Examination Council (FFIEC)
• General Data Protection Regulation (GDPR)
• GxP 21 CFR Part 11
• GxP EU Annex 11
• HIPAA Final Omnibus Security Rule 2013
• HIPAA Security Rule 2003
• NIST 800-171 Revision 2
• NIST 800-53 Revision 4
• NIST 800-53 Revision 5
• NIST Cybersecurity Framework (CSF)
• Other Compliance Checks
• PCI DSS v3.2.1
• Reserve Bank of India (RBI) Cyber Security Framework
• SOC 2

Getting started

Installation

Download and install Steampipe (https://steampipe.io/downloads). Or use Brew:

brew tap turbot/tap
brew install steampipe

Install the AWS plugin with Steampipe:

steampipe plugin install aws

Clone:

git clone http://github.com/turbot/steampipe-mod-aws-compliance.git
cd steampipe-mod-aws-compliance

Usage

Before running any benchmarks, it's recommended to generate your AWS credential report:

aws iam generate-credential-report

Start your dashboard server to get started:

steampipe dashboard

By default, the dashboard interface will then be launched in a new browser window at https://localhost:9194. From here, you can run benchmarks by selecting one or searching for a specific one.

Instead of running benchmarks in a dashboard, you can also run them within your terminal with the steampipe check command:

Run all benchmarks:

steampipe check all

Run a single benchmark:

steampipe check benchmark.cis_v150

Run a specific control:

steampipe check control.cis_v150_2_1_1

Different output formats are also available, for more information please see Output Formats.

Credentials

This mod uses the credentials configured in the Steampipe AWS plugin.

Configuration

No extra configuration is required.

Common and Tag Dimensions

The benchmark queries use common properties (like account_id, connection_name and region) and tags that are defined in the form of a default list of strings in the mod.sp file. These properties can be overwritten in several ways:

• Copy and rename the steampipe.spvars.example file to steampipe.spvars, and then modify the variable values inside that file

• Pass in a value on the command line:

  steampipe check benchmark.cis_v150 --var 'common_dimensions=["account_id", "connection_name", "region"]'

  steampipe check benchmark.cis_v150 --var 'tag_dimensions=["Environment", "Owner"]'

• Set an environment variable:

  SP_VAR_common_dimensions='["account_id", "connection_name", "region"]' steampipe check control.cis_v150_5_1

  SP_VAR_tag_dimensions='["Environment", "Owner"]' steampipe check control.cis_v150_5_1

Contributing

If you have an idea for additional controls or just want to help maintain and extend this mod (or others) we would love you to join the community and start contributing.

• Join our Slack community → and hang out with other Mod developers.

Please see the contribution guidelines and our code of conduct. All contributions are subject to the Apache 2.0 open source license.

Want to help but not sure where to start? Pick up one of the help wanted issues:

• Steampipe
• AWS Compliance Mod